Permissions example scenario
The following scenario helps demonstrate how you can set up permissions to secure access to data in AWS Lake Formation.
Shirley is a data administrator. She wants to set up a data lake for her company, AnyCompany. Currently, all data is stored in Amazon S3. John is a marketing manager and needs write access to customer purchasing information (contained in s3://customerPurchases). A marketing analyst, Diego, joins John this summer. John needs the ability to grant Diego access to perform queries on the data without involving Shirley.

Mateo, from finance, needs access to query accounting data (for example, s3://transactions). He wants to query the transactions data in tables in a database (Finance_DB) that the finance team uses. His manager, Arnav, can give him access to the Finance_DB. Although he shouldn't be able to modify accounting data, he needs the ability to convert data into a format (schema) suitable for forecasting. This data will be stored in a separate bucket (s3://financeForecasts) that he can modify.
To summarize:

- Shirley is the data lake administrator.
- John requires CREATE_DATABASE and CREATE_TABLE permission to create new databases and tables in the Data Catalog.
- John also requires SELECT, INSERT, and DELETE permissions on tables he creates.
- Diego requires SELECT permission on the table to run queries.
The employees of AnyCompany perform the following actions to set up permissions. The API operations in this scenario are shown in a simplified syntax for clarity.
- Shirley registers the Amazon S3 path containing customer purchasing information with Lake Formation.

  RegisterResource(ResourcePath("s3://customerPurchases"), false, Role_ARN)

- Shirley grants John access to the Amazon S3 path containing customer purchasing information.

  GrantPermissions(John, S3Location("s3://customerPurchases"), [DATA_LOCATION_ACCESS])

- Shirley grants John permission to create databases.

  GrantPermissions(John, catalog, [CREATE_DATABASE])

- John creates the database John_DB. John automatically has CREATE_TABLE permission on that database because he created it.

  CreateDatabase(John_DB)

- John creates the table John_Table pointing to s3://customerPurchases. Because he created the table, he has all permissions on it, and can grant permissions on it.

  CreateTable(John_DB, John_Table)

- John allows his analyst, Diego, access to the table John_Table.

  GrantPermissions(Diego, John_Table, [SELECT])

- John allows his analyst, Diego, access to s3://customerPurchases/London/. Because Shirley already registered s3://customerPurchases, its subfolders are registered with Lake Formation.

  GrantDataLakePrivileges(123456789012/datalake, Diego, [DATA_LOCATION_ACCESS], [], S3Location("s3://customerPurchases/London/"))

- John allows his analyst, Diego, to create tables in database John_DB.

  GrantDataLakePrivileges(123456789012/datalake, Diego, John_DB, [CREATE_TABLE], [])

- Diego creates a table in John_DB at s3://customerPurchases/London/ and automatically gets ALTER, DROP, SELECT, INSERT, and DELETE permissions.

  CreateTable(123456789012/datalake, John_DB, Diego_Table)
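The steps above use a simplified syntax. The following added example (it is not part of the AWS documentation or of any AWS SDK) writes the same nine steps as the request shapes the real boto3 Lake Formation and AWS Glue clients accept, records which principal must issue each call so that only the first three involve Shirley, and adds a path-component check for the "subfolders of a registered path are registered" rule so that a grant on s3://customerPurchasesOld would not be mistaken as covered by the registration of s3://customerPurchases. Both simplified grant calls (GrantPermissions and GrantDataLakePrivileges) map to the single grant_permissions API. The account ID 123456789012, the IAM user ARNs for Shirley, John and Diego, the registration role ARN, the minimal StorageDescriptor on the tables, and the profile-per-user mapping used in the guarded main block are all constructed assumptions.

```python
"""Scenario from the Lake Formation permissions example, expressed as boto3 request
shapes. Added example; ARNs and the registration role are constructed placeholders."""

ACCOUNT_ID = "123456789012"  # constructed placeholder account
REGISTRATION_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/LakeFormationRegistrationRole"  # assumed
SHIRLEY = f"arn:aws:iam::{ACCOUNT_ID}:user/Shirley"  # constructed principal ARNs
JOHN = f"arn:aws:iam::{ACCOUNT_ID}:user/John"
DIEGO = f"arn:aws:iam::{ACCOUNT_ID}:user/Diego"
S3_ARN_PREFIX = "arn:aws:s3:::"


def s3_arn(uri: str) -> str:
    """Lake Formation identifies data locations by S3 ARN, not by s3:// URI."""
    if not uri.startswith("s3://"):
        raise ValueError(f"not an s3 URI: {uri}")
    return S3_ARN_PREFIX + uri[len("s3://"):].rstrip("/")


def register_resource_request(uri: str) -> dict:
    """RegisterResource(ResourcePath(uri), false, Role_ARN): UseServiceLinkedRole=False
    means the explicit role is what Lake Formation uses to reach the bucket."""
    return {"ResourceArn": s3_arn(uri), "UseServiceLinkedRole": False,
            "RoleArn": REGISTRATION_ROLE_ARN}


def grant_request(principal: str, resource: dict, permissions: list,
                  grant_option: list = None) -> dict:
    """Shape shared by every grant. PermissionsWithGrantOption stays empty unless
    asked for, so a grantee (Diego here) cannot re-delegate what he received."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": resource,
            "Permissions": list(permissions),
            "PermissionsWithGrantOption": list(grant_option or [])}


def catalog() -> dict:
    return {"Catalog": {}}


def database(name: str) -> dict:
    return {"Database": {"Name": name}}


def table(db: str, name: str) -> dict:
    return {"Table": {"DatabaseName": db, "Name": name}}


def data_location(uri: str) -> dict:
    return {"DataLocation": {"ResourceArn": s3_arn(uri)}}


def table_input(name: str, location: str) -> dict:
    """Minimal Glue TableInput; a real table also carries columns and SerDe info (assumed)."""
    return {"Name": name, "TableType": "EXTERNAL_TABLE",
            "StorageDescriptor": {"Location": location}}


def is_covered_by_registration(uri: str, registered: list) -> bool:
    """True when uri equals a registered location or lies under it. Comparing path
    components (not string prefixes) keeps s3://customerPurchasesOld outside the
    registration of s3://customerPurchases."""
    parts = uri.rstrip("/").split("/")
    for reg in registered:
        reg_parts = reg.rstrip("/").split("/")
        if parts[:len(reg_parts)] == reg_parts:
            return True
    return False


def scenario_requests() -> list:
    """The nine steps as (caller, service, api, kwargs); each call is made with the
    caller's own credentials, which is how John delegates without involving Shirley."""
    london = "s3://customerPurchases/London/"
    return [
        (SHIRLEY, "lakeformation", "register_resource", register_resource_request("s3://customerPurchases")),
        (SHIRLEY, "lakeformation", "grant_permissions", grant_request(JOHN, data_location("s3://customerPurchases"), ["DATA_LOCATION_ACCESS"])),
        (SHIRLEY, "lakeformation", "grant_permissions", grant_request(JOHN, catalog(), ["CREATE_DATABASE"])),
        (JOHN, "glue", "create_database", {"DatabaseInput": {"Name": "John_DB"}}),
        (JOHN, "glue", "create_table", {"DatabaseName": "John_DB", "TableInput": table_input("John_Table", "s3://customerPurchases/")}),
        (JOHN, "lakeformation", "grant_permissions", grant_request(DIEGO, table("John_DB", "John_Table"), ["SELECT"])),
        (JOHN, "lakeformation", "grant_permissions", grant_request(DIEGO, data_location(london), ["DATA_LOCATION_ACCESS"])),
        (JOHN, "lakeformation", "grant_permissions", grant_request(DIEGO, database("John_DB"), ["CREATE_TABLE"])),
        (DIEGO, "glue", "create_table", {"DatabaseName": "John_DB", "TableInput": table_input("Diego_Table", london)}),
    ]


def uncovered_location_grants(steps: list, registered: list) -> list:
    """ARNs of DATA_LOCATION_ACCESS grants whose path is not under any registered
    location; such a grant targets a path Lake Formation does not manage."""
    bad = []
    for _caller, _service, api, kwargs in steps:
        loc = kwargs.get("Resource", {}).get("DataLocation") if api == "grant_permissions" else None
        if loc and "DATA_LOCATION_ACCESS" in kwargs["Permissions"]:
            uri = "s3://" + loc["ResourceArn"][len(S3_ARN_PREFIX):]
            if not is_covered_by_registration(uri, registered):
                bad.append(loc["ResourceArn"])
    return bad


def execute(steps: list, client_for) -> list:
    """Run the steps; client_for(caller_arn, service) must return a client authenticated as that caller."""
    return [getattr(client_for(caller, service), api)(**kwargs) for caller, service, api, kwargs in steps]


if __name__ == "__main__":
    import boto3  # only needed against a real account; assumes one named profile per user
    execute(scenario_requests(),
            lambda caller, service: boto3.Session(profile_name=caller.rsplit("/", 1)[-1]).client(service))
```

Running uncovered_location_grants over the steps before executing them is the pre-flight check a data lake administrator would want: with s3://customerPurchases registered it returns an empty list, and with only s3://transactions registered it flags both customer-purchase grants, which is exactly the case the scenario avoids by having Shirley register the parent path first.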