Granting Permissions on a Database or Table Shared with Your Account
After a Data Catalog resource is shared with your AWS account, as a data lake administrator, you can grant permissions on the resource to other principals in your account. You can't, however, grant permissions on the resource to other AWS accounts or organizations.
If you grant ALTER on a shared table to a principal, you must also grant data location permissions on the table's Amazon S3 registered location to the principal. Likewise, if you grant CREATE_TABLE or ALTER on a shared database and the database has a location property, you must also grant data location permissions on the location.
You can use the AWS Lake Formation console, API, or AWS Command Line Interface (AWS CLI) to grant the permissions.
To grant permissions on a database shared with your account (console)
- Follow the instructions in Granting Database Permissions (Same Account). Also, for the CREATE_TABLE and ALTER permissions, follow the instructions in Granting Data Location Permissions (Same Account), and be sure to enter the owning account ID in the Registered account location field.

  If you don't see the database in the list of databases, ensure that you have accepted the AWS Resource Access Manager (AWS RAM) resource share invitation for the database. For more information, see Accepting a Resource Share Invitation from AWS RAM.
To grant permissions on a table shared with your account (console)
- Follow the instructions in Granting Table Permissions (Same Account). Also, for the ALTER permission, follow the instructions in Granting Data Location Permissions (Same Account), and be sure to enter the owning account ID in the Registered account location field.

  If you don't see the table in the list of tables, ensure that you have accepted the AWS RAM resource share invitation for the table. For more information, see Accepting a Resource Share Invitation from AWS RAM.
To grant permissions on a table shared with your account (AWS CLI)
- Enter a command similar to the following. In this example:
  - Your AWS account ID is 1111-2222-3333.
  - The account that owns the table and that granted it to your account is 1234-5678-9012.
  - The SELECT permission is being granted on the shared table pageviews to user datalake_user1. That user is a principal in your account.
  - The pageviews table is in the analytics database, which is owned by account 1234-5678-9012.

  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --resource '{ "Table": {"CatalogId":"123456789012", "DatabaseName":"analytics", "Name":"pageviews"}}'

  Note that the owning account must be specified in the CatalogId property in the resource argument. If you omit CatalogId, the CLI defaults to your own account's catalog, where the shared table is not found.
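The following script is an added example and is not part of the AWS documentation. It puts the CLI procedure above together with the note at the top of this page: it lists pending AWS RAM invitations (the usual reason a shared table is missing), grants SELECT and ALTER on the shared pageviews table, grants the DATA_LOCATION_ACCESS permission that the ALTER grant requires on the table's registered S3 location, and then lists the resulting permissions. The account IDs, database, table and user name are taken from the example above; the S3 location ARN, the LF_DRY_RUN variable and the function names are assumptions. Every resource descriptor carries the owning account as CatalogId, because the shared table does not live in your own catalog.

```shell
#!/bin/sh
# Added example, not AWS documentation code. Grants on a table that another
# account shared into this account, plus the data-location grant that ALTER
# requires. Account IDs follow the page's example; the bucket is a placeholder.

OWNER_ACCOUNT="123456789012"                  # account that owns and shared the table
LOCAL_ACCOUNT="111122223333"                  # your account; the grantee lives here
PRINCIPAL="arn:aws:iam::${LOCAL_ACCOUNT}:user/datalake_user1"
# Assumed: the S3 path the owner registered with Lake Formation for the table.
TABLE_LOCATION="arn:aws:s3:::example-analytics-bucket/pageviews/"

# LF_DRY_RUN (assumed variable name) defaults to 1: print each aws command
# instead of running it, so the script can be reviewed without credentials.
: "${LF_DRY_RUN:=1}"

run_aws() {
  if [ "$LF_DRY_RUN" = "1" ]; then
    printf 'aws'; printf ' %s' "$@"; printf '\n'
  else
    aws "$@"
  fi
}

# Resource descriptors. CatalogId must be the OWNING account: the shared table
# is not in your own catalog, which is what the CLI assumes when it is omitted.
table_resource() {   # $1 owner account, $2 database, $3 table
  printf '{"Table":{"CatalogId":"%s","DatabaseName":"%s","Name":"%s"}}' "$1" "$2" "$3"
}
location_resource() {   # $1 owner account, $2 registered S3 location ARN
  printf '{"DataLocation":{"CatalogId":"%s","ResourceArn":"%s"}}' "$1" "$2"
}

# Pending RAM invitations. If the share is listed here it has not been
# accepted yet, and the table will not appear in your Data Catalog.
pending_shares() {
  run_aws ram get-resource-share-invitations \
    --query "resourceShareInvitations[?status=='PENDING'].resourceShareInvitationArn" \
    --output text
}

grant_table() {   # $1 principal ARN, $2 owner, $3 database, $4 table, $5.. permissions
  principal="$1"; owner="$2"; db="$3"; table="$4"; shift 4
  run_aws lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=${principal}" \
    --permissions "$@" \
    --resource "$(table_resource "$owner" "$db" "$table")"
}

grant_location() {   # $1 principal ARN, $2 owner, $3 S3 location ARN
  run_aws lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=$1" \
    --permissions DATA_LOCATION_ACCESS \
    --resource "$(location_resource "$2" "$3")"
}

show_table_grants() {   # $1 principal ARN, $2 owner, $3 database, $4 table
  run_aws lakeformation list-permissions \
    --principal "DataLakePrincipalIdentifier=$1" \
    --resource "$(table_resource "$2" "$3" "$4")"
}

main() {
  pending_shares
  grant_table "$PRINCIPAL" "$OWNER_ACCOUNT" analytics pageviews SELECT ALTER
  # ALTER on a shared table is incomplete without access to its registered location.
  grant_location "$PRINCIPAL" "$OWNER_ACCOUNT" "$TABLE_LOCATION"
  show_table_grants "$PRINCIPAL" "$OWNER_ACCOUNT" analytics pageviews
}

main
```

Run it as-is to review the exact commands it would issue; run it with LF_DRY_RUN=0 from a data lake administrator session in account 111122223333 to apply them. The grantee's ARN is in your account, while every CatalogId is the owner's, which is exactly the split the procedure above describes.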