Granting Permissions on a Database or Table Shared with Your Account - AWS Lake Formation

Granting Permissions on a Database or Table Shared with Your Account

After a Data Catalog resource belonging to another AWS account is shared with your AWS account, as a data lake administrator, you can grant permissions on the shared resource to other principals in your account. You can't, however, grant permissions on the resource to other AWS accounts or organizations.

You can use the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI) to grant the permissions.

To grant permissions on a shared database (named resource method, console)

To grant permissions on a shared table (named resource method, console)

To grant permissions on shared resources (TBAC method, console)

  • Follow the instructions in Granting Data Catalog Permissions Using the Lake Formation Console and the TBAC Method. In the Policy tags or catalog resources section, grant the exact tag expression that the external account granted to your account, or a subset of that expression.

    For example, if an external account granted the tag expression module=customers AND environment=production to your account with the grant option, as a data lake administrator, you can grant that same expression, or module=customers or environment=production to a principal in your account. You can grant only the same or a subset of the Lake Formation permissions (e.g. SELECT, ALTER, etc.) that were granted on resources through the tag expression

To grant permissions on a shared table (named resource method, AWS CLI)

  • Enter a command similar to the following. In this example:

    • Your AWS account ID is 1111-2222-3333.

    • The account that owns the table and that granted it to your account is 1234-5678-9012.

    • The SELECT permission is being granted on the shared table pageviews to user datalake_user1. That user is a principal in your account.

    • The pageviews table is in the analytics database, which is owned by account 1234-5678-9012.

    aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --resource '{ "Table": {"CatalogId":"123456789012", "DatabaseName":"analytics", "Name":"pageviews"}}'

    Note that the owning account must be specified in the CatalogId property in the resource argument.