Registering an Amazon S3 Location - AWS Lake Formation

Registering an Amazon S3 Location

You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon Simple Storage Service (Amazon S3) location. Lake Formation assumes that role when it grants temporary credentials to integrated AWS services that access the data in that location.

Important

Avoid registering an Amazon S3 bucket that has Requester Pays enabled. For buckets registered with Lake Formation, the role used to register the bucket is always treated as the requester. If the bucket is accessed from another AWS account, the bucket owner is still charged for data access whenever the registration role belongs to the same account as the bucket owner.

The simplest way to register the location is to use the Lake Formation service-linked role. This role grants the required permissions on the location. You may also use a custom role to register the location, provided that it meets the requirements in Requirements for Roles Used to Register Locations. For more information about the service-linked role, see Service-Linked Role Permissions for Lake Formation.

You can use the AWS Lake Formation console, Lake Formation API, or AWS Command Line Interface (AWS CLI) to register an Amazon S3 location.

To register a location (console)

Important

The following procedures assume that the Amazon S3 location is in the same AWS account as the Data Catalog and that the data in the location is not encrypted. Other sections in this chapter cover cross-account registration and registration of encrypted locations.

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/. Sign in as the data lake administrator or as a user with the lakeformation:RegisterResource IAM permission.

  2. In the navigation pane, under Register and Ingest, choose Data lake locations.

  3. Choose Register location, and then choose Browse to select an Amazon Simple Storage Service (Amazon S3) path.

  4. (Optional, but strongly recommended) Choose Review location permissions to view a list of all existing resources in the selected Amazon S3 location and their permissions.

    Registering the selected location might result in your Lake Formation users gaining access to data already at that location. Viewing this list helps you ensure that existing data remains secure.

  5. For IAM role, choose either the AWSServiceRoleForLakeFormationDataAccess service-linked role (the default) or a custom IAM role that meets the requirements in Requirements for Roles Used to Register Locations.

  6. Choose Register location.

To register a location (AWS CLI)

  • Enter the following CLI command. Replace <s3-path> with a valid Amazon S3 path.

    aws lakeformation register-resource --resource-arn arn:aws:s3:::<s3-path> --use-service-linked-role

    This command uses the service-linked role to register the location. You can use the --role-arn argument instead to supply your own role.

    For more information, see RegisterResource Action (Python: register_resource).
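The following shell script is an added example and is not part of the AWS documentation or the AWS CLI itself. It wraps the register-resource call shown above in a small function that builds the resource ARN from a plain S3 path, refuses to run with the literal <s3-path> placeholder still in place, selects either --use-service-linked-role or --role-arn depending on whether a custom role ARN is supplied, and then reads the registration back with describe-resource so you can confirm which role Lake Formation will assume for that location. The bucket names and the IAM role ARN in the comments are constructed placeholders, and the --query path on describe-resource is an assumption about the CLI's output shape.

```shell
#!/bin/sh
# Added example (not AWS's code): register an Amazon S3 location with
# Lake Formation from the CLI and verify the result. Requires the AWS CLI
# and credentials with lakeformation:RegisterResource (and, for a custom
# role, iam:PassRole on that role).
set -eu

# Build the resource ARN Lake Formation expects from an S3 path.
# Accepts "bucket/prefix" or "s3://bucket/prefix"; rejects an empty value
# or the documentation placeholder "<s3-path>" so a copy-paste mistake
# does not register a nonsense ARN.
s3_path_to_arn() {
  path="${1#s3://}"
  case "$path" in
    ""|*"<"*|*">"*)
      echo "error: replace <s3-path> with a real bucket or bucket/prefix" >&2
      return 1 ;;
  esac
  printf 'arn:aws:s3:::%s\n' "$path"
}

# Compose the register-resource arguments. With no role ARN the
# service-linked role AWSServiceRoleForLakeFormationDataAccess is used;
# otherwise the custom role must meet the requirements for registration roles.
register_args() {
  arn="$1"
  role_arn="${2:-}"
  if [ -n "$role_arn" ]; then
    printf 'register-resource --resource-arn %s --role-arn %s\n' "$arn" "$role_arn"
  else
    printf 'register-resource --resource-arn %s --use-service-linked-role\n' "$arn"
  fi
}

# Register the location, then read it back so the role actually bound to
# the location is visible before any Lake Formation permissions are granted.
#   usage: register_location my-data-lake/raw
#          register_location s3://my-data-lake/raw arn:aws:iam::123456789012:role/ExampleRegisterRole
register_location() {
  resource_arn="$(s3_path_to_arn "$1")"
  # The argument string contains no spaces or globs, so word splitting is safe here.
  aws lakeformation $(register_args "$resource_arn" "${2:-}")
  aws lakeformation describe-resource --resource-arn "$resource_arn" \
    --query 'ResourceInfo.[ResourceArn,RoleArn,LastModified]' --output text
}

if [ "${1:-}" ]; then
  register_location "$@"
fi
```

Run the script with the S3 path as the first argument and an optional custom role ARN as the second. The describe-resource call at the end is the check worth keeping: it shows the RoleArn Lake Formation recorded for the location, which is the role whose permissions every later data-access grant on that location will ultimately depend on.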