Permissions example scenario
The following scenario helps demonstrate how you can set up permissions to secure access to data in AWS Lake Formation.
Shirley is a data administrator. She wants to set up a data lake for her company, AnyCompany. Currently, all data is stored in Amazon S3. John is a marketing manager and needs write access to customer purchasing information (contained in s3://customerPurchases). A marketing analyst, Diego, joins John this summer. John needs the ability to grant Diego access to perform queries on the data without involving Shirley.
To summarize:
- Shirley is the data lake administrator.
- John requires CREATE_DATABASE and CREATE_TABLE permission to create new databases and tables in the Data Catalog.
- John also requires SELECT, INSERT, and DELETE permissions on tables he creates.
- Diego requires SELECT permission on the table to run queries.
The employees of AnyCompany perform the following actions to set up permissions. The API operations in this scenario use a simplified syntax for clarity.
- Shirley registers the Amazon S3 path containing customer purchasing information with Lake Formation.
  RegisterResource(ResourcePath("s3://customerPurchases"), false, Role_ARN)
- Shirley grants John access to the Amazon S3 path containing customer purchasing information.
  GrantPermissions(John, S3Location("s3://customerPurchases"), [DATA_LOCATION_ACCESS])
- Shirley grants John permission to create databases.
  GrantPermissions(John, catalog, [CREATE_DATABASE])
- John creates the database John_DB. John automatically has CREATE_TABLE permission on that database because he created it.
  CreateDatabase(John_DB)
- John creates the table John_Table pointing to s3://customerPurchases. Because he created the table, he has all permissions on it, and can grant permissions on it.
  CreateTable(John_DB, John_Table)
- John allows his analyst, Diego, access to the table John_Table.
  GrantPermissions(Diego, John_Table, [SELECT])
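The six steps above, expressed as the actual Lake Formation and AWS Glue API requests that the simplified syntax stands for, together with a least-privilege check over a ListPermissions response. This is an added example, not code from the AWS documentation. The account id, the IAM principal ARNs for John and Diego, the registration role ARN, the table columns and the sample ListPermissions response are all constructed for the example; the lowercase names john_db and john_table reflect the scenario's John_DB and John_Table as the Glue Data Catalog stores them. The run() function only executes the steps when handed real boto3 clients for each actor; everything else runs offline.

```python
"""Lake Formation permissions scenario: build the real API requests behind the
simplified RegisterResource / GrantPermissions / CreateDatabase / CreateTable calls,
run them as the right actor, and audit the resulting grants on the table."""
from typing import Any, Callable, Dict, List, Tuple

ACCOUNT_ID = "111122223333"                      # constructed placeholder account id
S3_PATH = "s3://customerPurchases"               # the location from the scenario
DATA_LOCATION_ARN = "arn:aws:s3:::customerPurchases"
JOHN = f"arn:aws:iam::{ACCOUNT_ID}:user/John"    # constructed principal ARN
DIEGO = f"arn:aws:iam::{ACCOUNT_ID}:user/Diego"  # constructed principal ARN
REGISTRATION_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/LakeFormationRegistration"  # constructed
DB, TABLE = "john_db", "john_table"              # Glue stores catalog names in lowercase

Step = Tuple[str, str, str, Dict[str, Any]]      # (actor, service, operation, params)


def principal(arn: str) -> Dict[str, str]:
    return {"DataLakePrincipalIdentifier": arn}


def grant(principal_arn: str, resource: Dict[str, Any], permissions, grant_option=()) -> Dict[str, Any]:
    """Parameters for lakeformation.grant_permissions. The grant option list is
    explicit so a reviewer can see that Diego never receives one."""
    return {
        "Principal": principal(principal_arn),
        "Resource": resource,
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": list(grant_option),
    }


def scenario_steps() -> List[Step]:
    """The scenario's six calls, in order, each tagged with the actor whose credentials must be used."""
    return [
        # 1. Shirley registers the path with a named role (UseServiceLinkedRole=False, as in the scenario)
        ("Shirley", "lakeformation", "register_resource",
         {"ResourceArn": DATA_LOCATION_ARN, "UseServiceLinkedRole": False, "RoleArn": REGISTRATION_ROLE}),
        # 2. DATA_LOCATION_ACCESS is granted on the registered location, not on a table
        ("Shirley", "lakeformation", "grant_permissions",
         grant(JOHN, {"DataLocation": {"ResourceArn": DATA_LOCATION_ARN}}, ["DATA_LOCATION_ACCESS"])),
        # 3. CREATE_DATABASE is a catalog-level permission
        ("Shirley", "lakeformation", "grant_permissions",
         grant(JOHN, {"Catalog": {}}, ["CREATE_DATABASE"])),
        # 4. John creates the database through the Glue API; as creator he gets CREATE_TABLE on it
        ("John", "glue", "create_database", {"DatabaseInput": {"Name": DB}}),
        # 5. John creates the table pointing at the registered location (columns are constructed)
        ("John", "glue", "create_table",
         {"DatabaseName": DB,
          "TableInput": {"Name": TABLE,
                         "StorageDescriptor": {
                             "Location": S3_PATH + "/",
                             "Columns": [{"Name": "customer_id", "Type": "string"},
                                         {"Name": "amount", "Type": "double"}],
                             "InputFormat": "org.apache.hadoop.mapred.TextInputFormat",
                             "OutputFormat": "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat",
                             "SerdeInfo": {"SerializationLibrary":
                                           "org.apache.hadoop.hive.serde2.lazy.LazySimpleSerDe"}}}}),
        # 6. John, as table creator, grants Diego SELECT only and no grant option
        ("John", "lakeformation", "grant_permissions",
         grant(DIEGO, {"Table": {"DatabaseName": DB, "Name": TABLE}}, ["SELECT"])),
    ]


def run(client_for: Callable[[str, str], Any]) -> List[Any]:
    """Execute every step. client_for(actor, service) must return a boto3-style client
    built from that actor's credentials, e.g.
    lambda actor, svc: sessions[actor].client(svc, region_name="us-east-1")."""
    responses = []
    for actor, service, op, params in scenario_steps():
        responses.append(getattr(client_for(actor, service), op)(**params))
    return responses


def excess_permissions(list_permissions_response: Dict[str, Any],
                       expected: Dict[str, Tuple[set, set]]) -> List[str]:
    """Compare a ListPermissions response against the intended grants
    {principal_arn: (permissions, permissions_with_grant_option)} and report anything extra."""
    findings = []
    for entry in list_permissions_response.get("PrincipalResourcePermissions", []):
        arn = entry["Principal"]["DataLakePrincipalIdentifier"]
        allowed, allowed_grant = expected.get(arn, (set(), set()))
        extra = set(entry.get("Permissions", [])) - set(allowed)
        extra_grant = set(entry.get("PermissionsWithGrantOption", [])) - set(allowed_grant)
        if extra:
            findings.append(f"{arn}: unexpected permissions {sorted(extra)}")
        if extra_grant:
            findings.append(f"{arn}: unexpected grant option on {sorted(extra_grant)}")
    return findings


# Constructed sample of a ListPermissions response for john_table in which Diego
# has drifted beyond the intended SELECT-only access.
SAMPLE_TABLE_PERMISSIONS = {
    "PrincipalResourcePermissions": [
        {"Principal": principal(JOHN), "Resource": {"Table": {"DatabaseName": DB, "Name": TABLE}},
         "Permissions": ["ALL"], "PermissionsWithGrantOption": ["ALL"]},
        {"Principal": principal(DIEGO), "Resource": {"Table": {"DatabaseName": DB, "Name": TABLE}},
         "Permissions": ["SELECT", "INSERT"], "PermissionsWithGrantOption": ["SELECT"]},
    ]
}

if __name__ == "__main__":
    intended = {JOHN: ({"ALL"}, {"ALL"}), DIEGO: ({"SELECT"}, set())}
    for finding in excess_permissions(SAMPLE_TABLE_PERMISSIONS, intended):
        print("FINDING:", finding)
```

Steps 1 to 3 must run under Shirley's credentials and steps 4 to 6 under John's: step 6 only succeeds because John created the table, which is what the scenario relies on to keep Shirley out of the loop. The audit function is the check a data lake administrator would run periodically: John keeping ALL with grant option is expected for the table creator, while anything beyond SELECT for Diego, or any grant option for him, is a finding.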