Sharing Data Catalog Tables and Databases Across AWS Accounts - AWS Lake Formation

Sharing Data Catalog Tables and Databases Across AWS Accounts

Sharing Data Catalog databases and tables (Data Catalog resources) with other AWS accounts enables users to run queries and jobs that can join and query tables across multiple accounts. With some restrictions, when you share a Data Catalog resource with another account, principals in that account can operate on that resource as if the resource were in their Data Catalog.

To share a Data Catalog resource, you grant one or more Lake Formation permissions with the grant option on the resource to an external account.

You don't share resources with specific principals in external AWS accounts—you share the resources with an AWS account or organization. When you share a resource with an AWS organization, you're sharing the resource with all accounts at all levels in that organization. The data lake administrator in each external account must then grant permissions on the shared resources to principals in their account.

Because Lake Formation integrates with AWS Resource Access Manager (AWS RAM) to share Data Catalog resources, you need permissions on AWS RAM to share resources across accounts. The required permissions are included in the AWS managed policy AWSLakeFormationCrossAccountManager.

Sharing Data Catalog Tables

You can share a Data Catalog table by granting one or more Lake Formation permissions with the grant option on that table to another AWS account, AWS organization, or AWS organizational unit. You can designate individual tables to share—or with a single grant operation, you can share all tables in a database. If you share all tables in a database, you automatically also share the database. For more information, see Sharing Data Catalog Databases.

You can grant all possible Lake Formation permissions (except Super) on tables to other AWS accounts. Use caution when granting the DROP permission.

After you share a table by granting permissions on it, the permissions appear on the Data Permissions page on the console in your account, and the external account is shown as the principal. In the following example, the data lake administrator granted SELECT on the table analytics.adviews to AWS account 1234-5678-9012.

Screenshot: the Data permissions page shows that your account granted permissions on a table to an external account. The account ID appears under the Principal column.

Sharing Data Catalog Databases

You can share a Data Catalog database with another AWS account, AWS organization, or AWS organizational unit. You can do so by using one of two methods:

  • Grant one or more Lake Formation permissions on the database with the grant option. Permissions include CREATE_TABLE, ALTER, and DESCRIBE.

  • Grant a Lake Formation permission (for example, SELECT) on all tables in the database by using the * All Tables wildcard.

    This method does not grant any permissions on the database other than an implicit DESCRIBE permission. That is, the database appears on the Databases page on the console, and is returned by the GetDatabases API operation. However, the recipient account can view only the shared tables in the database and can perform no other operations on it.

After you share a database by explicitly granting permissions on it, the permissions appear on the Data Permissions page on the console in your account, and the external account is shown as the principal.
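The three grant shapes described above (a single table, all tables in a database via the wildcard, and the database itself), built as GrantPermissions request payloads. This is an added example, not AWS code; the owner account ID 111122223333 is a constructed placeholder, the recipient account and the analytics.adviews table are the page's sample values, and each returned dict is meant to be passed to boto3.client("lakeformation").grant_permissions(**request).

```python
import warnings


def external_principal(account_or_org: str) -> dict:
    """Cross-account grants name an AWS account or an Organizations ARN,
    never an IAM principal inside the other account."""
    ident = account_or_org.replace("-", "")  # console shows 1234-5678-9012
    is_account = ident.isdigit() and len(ident) == 12
    is_org = ident.startswith("arn:aws:organizations::")
    if not (is_account or is_org):
        raise ValueError(f"not an account ID or organization ARN: {account_or_org}")
    return {"DataLakePrincipalIdentifier": ident}


def check_permissions(perms: list) -> list:
    """Super (ALL in the API) cannot be shared across accounts; DROP can,
    but the page advises caution, so flag it."""
    perms = [p.upper() for p in perms]
    if "ALL" in perms or "SUPER" in perms:
        raise ValueError("Super/ALL cannot be granted to an external account")
    if "DROP" in perms:
        warnings.warn("granting DROP cross-account lets the recipient drop the resource")
    return perms


def _grant(owner: str, resource: dict, principal: str, perms: list) -> dict:
    perms = check_permissions(perms)
    return {
        "CatalogId": owner,
        "Principal": external_principal(principal),
        "Resource": resource,
        "Permissions": perms,
        # The grant option is what makes this a share: the recipient's data
        # lake administrator can re-grant to principals in their own account.
        "PermissionsWithGrantOption": perms,
    }


def share_table(owner, database, table, principal, perms):
    res = {"Table": {"CatalogId": owner, "DatabaseName": database, "Name": table}}
    return _grant(owner, res, principal, perms)


def share_all_tables(owner, database, principal, perms):
    # "* All Tables" wildcard: shares every table and implicitly DESCRIBE on the database
    res = {"Table": {"CatalogId": owner, "DatabaseName": database, "TableWildcard": {}}}
    return _grant(owner, res, principal, perms)


def share_database(owner, database, principal, perms):
    res = {"Database": {"CatalogId": owner, "Name": database}}
    return _grant(owner, res, principal, perms)


if __name__ == "__main__":
    print(share_table("111122223333", "analytics", "adviews", "1234-5678-9012", ["SELECT"]))
```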