Requirements for Roles Used to Register Locations - AWS Lake Formation

Requirements for Roles Used to Register Locations

You must specify an AWS Identity and Access Management (IAM) role when you register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes that role when accessing the data in that location.

The simplest way to register the location is to use the Lake Formation service-linked role. This role grants the required permissions on the location. However, you might want to use a user-defined role to register the location.

Important

If you plan to access the location using Amazon EMR, you must use a user-defined role and not the Lake Formation service-linked role to register the location. If you already registered a location with the service-linked role and now want to begin accessing the location with Amazon EMR, you must deregister the location and reregister it with a user-defined role. For more information, see Deregistering an Amazon S3 Location.

The following are the requirements for a user-defined role:

  • When you create a new role in the IAM console, on the Create role page, choose AWS service, and then under Choose a use case, choose Glue.

  • The role must have trust relationships with the following entities:

    • glue.amazonaws.com

    • lakeformation.amazonaws.com

    For more information, see Modifying a Role Trust Policy (Console).

  • The role must have an inline policy that grants Amazon S3 read/write permissions on the location. The following is a typical policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::awsexamplebucket/*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::awsexamplebucket"
                ]
            }
        ]
    }

  • The data lake administrator who registers the location must have the iam:PassRole permission on the role.

    The following is an inline policy that grants this permission. Replace <account-id> with a valid AWS account number, and replace <role-name> with the name of the role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PassRolePermissions",
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": [
                    "arn:aws:iam::<account-id>:role/<role-name>"
                ]
            }
        ]
    }

For more information about the Lake Formation service-linked role, see Using Service-Linked Roles for Lake Formation.
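
The following Python check is an added example, not part of the AWS documentation: it compares a role's trust policy and inline S3 policy, supplied as JSON, against the requirements listed above. The function names and sample documents are constructed for illustration, and matching is by exact string, so wildcards, Deny statements, and conditions are not evaluated.

```python
import json

REQUIRED_SERVICES = {"glue.amazonaws.com", "lakeformation.amazonaws.com"}
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}

def _as_list(value):
    # IAM JSON accepts a single string wherever a list is allowed.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]

def missing_trusted_services(trust_policy):
    """Required service principals that are not allowed sts:AssumeRole."""
    trusted = set()
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        if "sts:AssumeRole" in _as_list(stmt.get("Action")) and isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service")))
    return REQUIRED_SERVICES - trusted

def missing_s3_grants(policy, bucket):
    """(action, resource) pairs from the page's typical policy that are absent.
    Exact string match only: wildcards, Deny and Condition are not evaluated."""
    needed = {(a, f"arn:aws:s3:::{bucket}/*") for a in OBJECT_ACTIONS}
    needed.add(("s3:ListBucket", f"arn:aws:s3:::{bucket}"))
    granted = {(a, r) for s in _allow_statements(policy)
               for a in _as_list(s.get("Action")) for r in _as_list(s.get("Resource"))}
    return needed - granted

# Constructed sample documents (not taken from a real account).
# The trust policy omits lakeformation.amazonaws.com; the S3 policy omits
# s3:DeleteObject and puts s3:ListBucket on the object ARN instead of the bucket ARN.
SAMPLE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
   "Action": "sts:AssumeRole"}]}""")
SAMPLE_S3 = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": ["arn:aws:s3:::awsexamplebucket/*"]},
  {"Effect": "Allow", "Action": ["s3:ListBucket"],
   "Resource": ["arn:aws:s3:::awsexamplebucket/*"]}]}""")

if __name__ == "__main__":
    print("untrusted services:", sorted(missing_trusted_services(SAMPLE_TRUST)))
    print("missing S3 grants:", sorted(missing_s3_grants(SAMPLE_S3, "awsexamplebucket")))
```

An empty set from both functions means the documents match the page's typical configuration literally; a non-empty result with a wildcard policy needs manual review.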