Using service-linked roles for Lake Formation - AWS Lake Formation

Using service-linked roles for Lake Formation

AWS Lake Formation uses an AWS Identity and Access Management (IAM) service-linked role. A service-linked role is a unique type of IAM role that is linked directly to Lake Formation. The service-linked role is predefined by Lake Formation and includes all the permissions that the service requires to call other AWS services on your behalf.

A service-linked role makes setting up Lake Formation easier because you don’t have to create a role and manually add the necessary permissions. Lake Formation defines the permissions of its service-linked role, and unless defined otherwise, only Lake Formation can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy can't be attached to any other IAM entity.

This service-linked role trusts the following services to assume the role:


Service-linked role permissions for Lake Formation

Lake Formation uses the service-linked role named AWSServiceRoleForLakeFormationDataAccess. This role provides a set of Amazon Simple Storage Service (Amazon S3) permissions that enable the Lake Formation integrated service (such as Amazon Athena) to access registered locations. When you register a data lake location, you must provide a role that has the required Amazon S3 read/write permissions on that location. Instead of creating a role with the required Amazon S3 permissions, you can use this service-linked role.

The first time that you name the service-linked role as the role with which to register a path, the service-linked role and a new IAM policy are created on your behalf. Lake Formation adds the path to the inline policy and attaches it to the service-linked role. When you register subsequent paths with the service-linked role, Lake Formation adds the path to the existing policy.

While signed in as a data lake administrator, register a data lake location. Then, in the IAM console, search for the role AWSServiceRoleForLakeFormationDataAccess and view its attached policies.

For example, after you register the location s3://my-kinesis-test/logs, Lake Formation creates the following inline policy and attaches it to AWSServiceRoleForLakeFormationDataAccess.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "LakeFormationDataAccessPermissionsForS3", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:s3:::my-kinesis-test/logs/*" ] }, { "Sid": "LakeFormationDataAccessPermissionsForS3ListBucket", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListBucketMultipartUploads" ], "Resource": [ "arn:aws:s3:::my-kinesis-test" ] } ] }

The following permissions are required to be able to register locations with this service-linked role:

  • iam:CreateServiceLinkedRole

  • iam:PutRolePolicy

The data lake administrator typically has these permissions.