Lake Formation Personas and IAM Permissions Reference - AWS Lake Formation

This chapter lists some suggested AWS Lake Formation personas and their suggested AWS Identity and Access Management (IAM) permissions. For information about Lake Formation permissions, see Lake Formation Permissions Reference.

AWS Lake Formation Personas

The following table lists the suggested AWS Lake Formation personas.

Lake Formation Personas

IAM administrator (superuser) (Required)
    User who can create IAM users and roles. Has the AdministratorAccess AWS managed policy. Has all permissions on all Lake Formation resources. Can add data lake administrators. Cannot grant Lake Formation permissions unless also designated a data lake administrator.

Data lake administrator (Required)
    User who can register Amazon S3 locations, access the Data Catalog, create databases, create and run workflows, grant Lake Formation permissions to other users, and view AWS CloudTrail logs. Has fewer IAM permissions than the IAM administrator, but enough to administer the data lake. Cannot add other data lake administrators.

Data engineer (Optional)
    User who can create and run crawlers and workflows and grant Lake Formation permissions on the Data Catalog tables that the crawlers and workflows create.

Data analyst (Optional)
    User who can run queries against the data lake using, for example, Amazon Athena. Has only enough permissions to run queries.

Workflow role (Required)
    Role that runs a workflow on behalf of a user. You specify this role when you create a workflow from a blueprint.

Personas Suggested Permissions

The following are the suggested permissions for each persona. The IAM administrator is not included because that user has all permissions on all resources.

Data Lake Administrator Permissions

Important

In the following policies, replace <account-id> with a valid AWS account number, and replace <workflow_role> with the name of a role that has permissions to run a workflow, as defined in Workflow Role Permissions.

AWS managed policies:
  • AWSLakeFormationDataAdmin
  • AWSGlueConsoleFullAccess (Optional)
  • CloudWatchLogsReadOnlyAccess (Optional)
  • AWSLakeFormationCrossAccountManager (Optional)
  • AmazonAthenaFullAccess (Optional)

For information about the optional AWS managed policies, see Create a Data Lake Administrator.

Inline policy (for creating the Lake Formation service-linked role):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iam:CreateServiceLinkedRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "lakeformation.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PutRolePolicy"],
          "Resource": "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"
        }
      ]
    }

(Optional) Inline policy (passrole policy for the workflow role). This is required only if the data lake administrator creates and runs workflows:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PassRolePermissions",
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": ["arn:aws:iam::<account-id>:role/<workflow_role>"]
        }
      ]
    }

(Optional) Inline policy (if your account is granting or receiving cross-account Lake Formation permissions). This policy is for accepting or rejecting AWS RAM resource share invitations, and for enabling the granting of cross-account permissions to organizations. ram:EnableSharingWithAwsOrganization is required only for data lake administrators in the AWS Organizations management account:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ram:AcceptResourceShareInvitation",
            "ram:RejectResourceShareInvitation",
            "ec2:DescribeAvailabilityZones",
            "ram:EnableSharingWithAwsOrganization"
          ],
          "Resource": "*"
        }
      ]
    }

Data Engineer Permissions

Important

In the following policies, replace <account-id> with a valid AWS account number, and replace <workflow_role> with the name of the workflow role.

AWS managed policy: AWSGlueConsoleFullAccess

Inline policy (basic):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lakeformation:GetDataAccess",
            "lakeformation:GrantPermissions",
            "lakeformation:RevokePermissions",
            "lakeformation:BatchGrantPermissions",
            "lakeformation:BatchRevokePermissions",
            "lakeformation:ListPermissions",
            "iam:CreateRole",
            "iam:CreatePolicy",
            "iam:AttachRolePolicy"
          ],
          "Resource": "*"
        }
      ]
    }

Inline policy (passrole policy for the workflow role):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PassRolePermissions",
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": ["arn:aws:iam::<account-id>:role/<workflow_role>"]
        }
      ]
    }

Data Analyst Permissions

AWS managed policy: AmazonAthenaFullAccess

Inline policy (basic):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "lakeformation:GetDataAccess",
            "glue:GetTable",
            "glue:GetTables",
            "glue:SearchTables",
            "glue:GetDatabase",
            "glue:GetDatabases",
            "glue:GetPartitions"
          ],
          "Resource": "*"
        }
      ]
    }

Workflow Role Permissions

This role has the permissions required to run a workflow. You specify a role with these permissions when you create a workflow.

Important

In the following policies, replace <region> with a valid AWS Region identifier (for example us-east-1), <account-id> with a valid AWS account number, <workflow_role> with the name of the workflow role, and <your-s3-cloudtrail-bucket> with the name of the Amazon S3 bucket that holds your AWS CloudTrail logs.

AWS managed policy: AWSGlueServiceRole

Inline policy (data access):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Lakeformation",
          "Effect": "Allow",
          "Action": [
            "lakeformation:GetDataAccess",
            "lakeformation:GrantPermissions"
          ],
          "Resource": "*"
        }
      ]
    }

Inline policy (passrole policy for the workflow role):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PassRolePermissions",
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": ["arn:aws:iam::<account-id>:role/<workflow_role>"]
        }
      ]
    }

Inline policy (for ingesting data outside the data lake, for example, AWS CloudTrail logs). s3:GetObject is evaluated against object ARNs, while s3:ListBucket is evaluated against the bucket ARN itself, so the policy must name both:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": [
            "arn:aws:s3:::<your-s3-cloudtrail-bucket>",
            "arn:aws:s3:::<your-s3-cloudtrail-bucket>/*"
          ]
        }
      ]
    }
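The persona policies above share two least-privilege properties worth checking before they are attached: iam:PassRole is limited to the one workflow role rather than "*" (an unscoped PassRole lets a principal hand any role in the account to AWS Glue), and iam:CreateServiceLinkedRole carries the iam:AWSServiceName condition so it can only create the Lake Formation service-linked role. The following script is an added example, not AWS code or part of this reference; it embeds the page's policies with the placeholders filled by constructed values (account 111122223333, role name LakeFormationWorkflowRole), adds one constructed over-broad policy for contrast, and audits each one offline. Wildcard action matching follows IAM's case-insensitive glob semantics; everything else is plain standard-library Python.

```python
"""Least-privilege checks over the Lake Formation persona policies on this page.

Added example, not AWS code. Account ID and role name are constructed values.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                 # constructed, not a real account
WORKFLOW_ROLE = "LakeFormationWorkflowRole"  # constructed role name
WORKFLOW_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{WORKFLOW_ROLE}"
LF_SERVICE = "lakeformation.amazonaws.com"


def fill(policy_text):
    """Apply the placeholder substitutions the page asks for, then parse the JSON."""
    return json.loads(policy_text.replace("<account-id>", ACCOUNT_ID)
                                 .replace("<workflow_role>", WORKFLOW_ROLE))


# Policies copied from the page (placeholders filled by fill()).
SLR_POLICY = fill('{"Version": "2012-10-17", "Statement": ['
                  '{"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",'
                  ' "Condition": {"StringEquals": {"iam:AWSServiceName": "lakeformation.amazonaws.com"}}},'
                  '{"Effect": "Allow", "Action": ["iam:PutRolePolicy"], "Resource":'
                  ' "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/'
                  'AWSServiceRoleForLakeFormationDataAccess"}]}')
PASSROLE_POLICY = fill('{"Version": "2012-10-17", "Statement": [{"Sid": "PassRolePermissions",'
                       ' "Effect": "Allow", "Action": ["iam:PassRole"],'
                       ' "Resource": ["arn:aws:iam::<account-id>:role/<workflow_role>"]}]}')
ENGINEER_POLICY = fill('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ['
                       '"lakeformation:GetDataAccess", "lakeformation:GrantPermissions",'
                       ' "lakeformation:RevokePermissions", "lakeformation:BatchGrantPermissions",'
                       ' "lakeformation:BatchRevokePermissions", "lakeformation:ListPermissions",'
                       ' "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy"], "Resource": "*"}]}')
ANALYST_POLICY = fill('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ['
                      '"lakeformation:GetDataAccess", "glue:GetTable", "glue:GetTables", "glue:SearchTables",'
                      ' "glue:GetDatabase", "glue:GetDatabases", "glue:GetPartitions"], "Resource": "*"}]}')
# Constructed anti-pattern for contrast: unscoped iam:* (not from the page).
LOOSE_POLICY = fill('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}')

LF_PERMISSION_ACTIONS = ("lakeformation:GrantPermissions", "lakeformation:BatchGrantPermissions",
                         "lakeformation:RevokePermissions", "lakeformation:BatchRevokePermissions")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statements_for(policy, action):
    """Allow statements whose Action pattern covers `action` (IAM globs, case-insensitive)."""
    return [st for st in policy["Statement"]
            if st.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(st.get("Action", [])))]


def passrole_scoped_to(policy, role_arn):
    """True only if every statement granting iam:PassRole names concrete role ARNs
    (no '*' anywhere in Resource) and role_arn is one of them."""
    sts = statements_for(policy, "iam:PassRole")
    if not sts:
        return False
    if any("*" in r for st in sts for r in _as_list(st.get("Resource", []))):
        return False
    return any(role_arn in _as_list(st.get("Resource", [])) for st in sts)


def slr_creation_conditioned(policy, service):
    """True only if every statement granting iam:CreateServiceLinkedRole is pinned to
    `service` via the iam:AWSServiceName condition key."""
    sts = statements_for(policy, "iam:CreateServiceLinkedRole")
    if not sts:
        return False
    return all(st.get("Condition", {}).get("StringEquals", {}).get("iam:AWSServiceName") == service
               for st in sts)


def can_change_lf_permissions(policy):
    """Does the policy let the principal grant or revoke Lake Formation permissions?"""
    return any(statements_for(policy, a) for a in LF_PERMISSION_ACTIONS)


def audit(name, policy):
    """Return a list of findings (empty means the policy passes both checks)."""
    findings = []
    if statements_for(policy, "iam:PassRole") and not passrole_scoped_to(policy, WORKFLOW_ROLE_ARN):
        findings.append(f"{name}: iam:PassRole is not limited to {WORKFLOW_ROLE_ARN}")
    if statements_for(policy, "iam:CreateServiceLinkedRole") and not slr_creation_conditioned(policy, LF_SERVICE):
        findings.append(f"{name}: iam:CreateServiceLinkedRole lacks the iam:AWSServiceName condition")
    return findings


if __name__ == "__main__":
    for label, pol in [("service-linked-role", SLR_POLICY), ("passrole", PASSROLE_POLICY),
                       ("data-engineer", ENGINEER_POLICY), ("data-analyst", ANALYST_POLICY),
                       ("loose (constructed)", LOOSE_POLICY)]:
        print(label, "->", audit(label, pol) or "ok",
              "| can grant/revoke LF permissions:", can_change_lf_permissions(pol))
```

Running it reports "ok" for every policy taken from the page and two findings for the constructed iam:* policy; it also confirms the persona split the page describes, with the data engineer able to grant and revoke Lake Formation permissions and the data analyst not. The same functions can be pointed at policy documents pulled from your own account to catch a PassRole that drifted to "*".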