Step 1: List users' and roles' existing permissions - AWS Lake Formation


To start using AWS Lake Formation permissions with your existing AWS Glue databases and tables, you must first determine your users’ existing permissions.


Before you begin, ensure that you have completed the tasks in Setting up AWS Lake Formation.

Using the API operation

Use the AWS Identity and Access Management (IAM) ListPoliciesGrantingServiceAccess API operation to determine the IAM policies attached to each principal (user or role). From the policies returned in the results, you can determine the IAM permissions that are granted to the principal. You must invoke the API for each principal separately.

The following AWS CLI example returns the policies attached to user glue_user1.

aws iam list-policies-granting-service-access --arn arn:aws:iam::111122223333:user/glue_user1 --service-namespaces glue

The command returns results similar to the following.

{
    "PoliciesGrantingServiceAccess": [
        {
            "ServiceNamespace": "glue",
            "Policies": [
                {
                    "PolicyType": "INLINE",
                    "PolicyName": "GlueUserBasic",
                    "EntityName": "glue_user1",
                    "EntityType": "USER"
                },
                {
                    "PolicyType": "MANAGED",
                    "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
                    "PolicyName": "AmazonAthenaFullAccess"
                }
            ]
        }
    ],
    "IsTruncated": false
}
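Because the API must be called once per principal and its results can be paginated, it helps to wrap the call in a small collector that follows the Marker until IsTruncated is false and records both inline and managed policies. The following Python is an added example, not code from this guide; the sample response pages are constructed (the first mirrors the output shown above, the second is invented to exercise pagination), and the `boto3_fetch_page` adapter assumes boto3 is installed and credentials are configured.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample pages (not real AWS output). Page 1 mirrors the response
# shown on this page; page 2 is invented to show IsTruncated/Marker handling.
SAMPLE_PAGES = [
    {
        "PoliciesGrantingServiceAccess": [
            {
                "ServiceNamespace": "glue",
                "Policies": [
                    {"PolicyType": "INLINE", "PolicyName": "GlueUserBasic",
                     "EntityName": "glue_user1", "EntityType": "USER"},
                    {"PolicyType": "MANAGED",
                     "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
                     "PolicyName": "AmazonAthenaFullAccess"},
                ],
            }
        ],
        "IsTruncated": True,
        "Marker": "page-2",
    },
    {
        "PoliciesGrantingServiceAccess": [
            {
                "ServiceNamespace": "glue",
                "Policies": [
                    {"PolicyType": "MANAGED",
                     "PolicyArn": "arn:aws:iam::111122223333:policy/GlueReadOnlyCustom",
                     "PolicyName": "GlueReadOnlyCustom"},
                ],
            }
        ],
        "IsTruncated": False,
    },
]

# A fetch_page callable takes (arn, service_namespaces, marker) and returns one
# response page in the same shape as list-policies-granting-service-access.
FetchPage = Callable[[str, List[str], Optional[str]], dict]


def sample_fetch_page(arn: str, service_namespaces: List[str], marker: Optional[str]) -> dict:
    """Offline stand-in for the IAM call (hypothetical; serves the constructed pages)."""
    return SAMPLE_PAGES[0] if marker is None else SAMPLE_PAGES[1]


def boto3_fetch_page(iam_client) -> FetchPage:
    """Adapt a boto3 IAM client to the FetchPage signature (assumes boto3 is available).

    Usage: collect_policies(arn, ["glue"], boto3_fetch_page(boto3.client("iam")))
    """
    def fetch(arn: str, service_namespaces: List[str], marker: Optional[str]) -> dict:
        kwargs = {"Arn": arn, "ServiceNamespaces": service_namespaces}
        if marker:
            kwargs["Marker"] = marker
        return iam_client.list_policies_granting_service_access(**kwargs)
    return fetch


def collect_policies(arn: str, service_namespaces: List[str],
                     fetch_page: FetchPage) -> Dict[str, Tuple[str, str]]:
    """Return {policy_key: (service_namespace, policy_type)} for one principal.

    Managed policies are keyed by ARN. Inline policies have no ARN, so they are
    keyed as '<EntityType>/<EntityName>:<PolicyName>'. All pages are followed
    until IsTruncated is false, so nothing is missed on principals with many policies.
    """
    found: Dict[str, Tuple[str, str]] = {}
    marker: Optional[str] = None
    while True:
        page = fetch_page(arn, service_namespaces, marker)
        for svc in page.get("PoliciesGrantingServiceAccess", []):
            for pol in svc.get("Policies", []):
                if pol["PolicyType"] == "MANAGED":
                    key = pol["PolicyArn"]
                else:
                    key = f"{pol['EntityType']}/{pol['EntityName']}:{pol['PolicyName']}"
                found[key] = (svc["ServiceNamespace"], pol["PolicyType"])
        if not page.get("IsTruncated"):
            return found
        marker = page["Marker"]


if __name__ == "__main__":
    user_arn = "arn:aws:iam::111122223333:user/glue_user1"
    for key, (ns, ptype) in collect_policies(user_arn, ["glue"], sample_fetch_page).items():
        print(f"{ptype:8} {ns:6} {key}")
```

The collector only tells you which policies grant Glue access; you still need to read each policy document (for example with GetPolicyVersion for managed policies or GetUserPolicy for inline ones) to determine the databases, tables, and actions it allows. Run the same loop over every role ARN as well as every user, since jobs typically assume roles.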

Using the AWS Management Console

You can also see this information on the AWS Identity and Access Management (IAM) console, in the Access Advisor tab on the user or role Summary page:

  1. Open the IAM console at

  2. In the navigation pane, choose Users or Roles.

  3. Choose a name in the list to open its Summary page, and choose the Access Advisor tab.

  4. Inspect each of the policies to determine the combination of databases, tables, and actions that each user has permissions for.

    Remember to inspect roles in addition to users during this process because your data processing jobs might be assuming roles to access data.

Using AWS CloudTrail

Another way to determine your existing permissions is to look in AWS CloudTrail for AWS Glue API calls where the additionalEventData field of the log record contains an insufficientLakeFormationPermissions entry. This entry lists the database and table that the user would need Lake Formation permissions on to take the same action.

These are data access logs, so they are not guaranteed to produce a comprehensive list of users and their permissions. We recommend choosing a wide time range to capture most of your users’ data access patterns, for example, several weeks or months.
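Sifting through CloudTrail by hand does not scale, so the following Python (an added example, not part of this guide) reads CloudTrail records and groups the databases and tables named in insufficientLakeFormationPermissions by calling principal and Glue action. The log records are constructed for illustration, and the shape of the insufficientLakeFormationPermissions value (a list of objects with DatabaseName and TableName keys) is an assumption; compare it against records from your own trail before relying on it.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Constructed CloudTrail records (not real log data). Only the fields this
# example reads are included. The insufficientLakeFormationPermissions shape
# is assumed, not taken from this page.
SAMPLE_RECORDS = [
    {
        "eventSource": "glue.amazonaws.com",
        "eventName": "GetTable",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/glue_user1"},
        "additionalEventData": {
            "insufficientLakeFormationPermissions": [
                {"DatabaseName": "retail", "TableName": "inventory"}
            ]
        },
    },
    {
        "eventSource": "glue.amazonaws.com",
        "eventName": "GetPartitions",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/GlueETLRole/session1"},
        # Some pipelines deliver additionalEventData as a JSON string; handled below.
        "additionalEventData": json.dumps({
            "insufficientLakeFormationPermissions": [
                {"DatabaseName": "retail", "TableName": "inventory"},
                {"DatabaseName": "retail", "TableName": "orders"},
            ]
        }),
    },
    {
        # No Lake Formation entry: the action is not recorded as needing a grant.
        "eventSource": "glue.amazonaws.com",
        "eventName": "GetDatabases",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/glue_user1"},
    },
    {
        # Non-Glue event: ignored entirely.
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/glue_user1"},
        "additionalEventData": {"bytesTransferredOut": 10},
    },
]

# principal ARN -> set of (eventName, database, table) that needed a grant
Needed = Dict[str, Set[Tuple[str, str, str]]]


def needed_lake_formation_grants(records: Iterable[dict]) -> Needed:
    """Aggregate the database/table pairs that Lake Formation flagged per principal."""
    needed: Needed = defaultdict(set)
    for rec in records:
        if rec.get("eventSource") != "glue.amazonaws.com":
            continue
        extra = rec.get("additionalEventData")
        if isinstance(extra, str):          # tolerate string-encoded field
            try:
                extra = json.loads(extra)
            except ValueError:
                continue
        if not isinstance(extra, dict):
            continue
        entries = extra.get("insufficientLakeFormationPermissions") or []
        principal = rec.get("userIdentity", {}).get("arn", "<unknown>")
        for entry in entries:
            db = entry.get("DatabaseName", "")
            table = entry.get("TableName", "")   # empty for database-level actions
            needed[principal].add((rec["eventName"], db, table))
    return dict(needed)


def load_cloudtrail_file(path: str) -> Iterable[dict]:
    """Yield records from a CloudTrail log file ({"Records": [...]}) on disk."""
    with open(path) as fh:
        return json.load(fh).get("Records", [])


if __name__ == "__main__":
    for principal, items in sorted(needed_lake_formation_grants(SAMPLE_RECORDS).items()):
        print(principal)
        for action, db, table in sorted(items):
            print(f"  {action:14} {db}.{table or '*'}")
```

Run it across as wide a window of trail files as you can (the text above suggests weeks or months) and treat the output as a floor, not a complete inventory: a principal that never exercised a permission during the window will not appear, which is why the API and console methods above remain the authoritative source.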

For more information, see Viewing Events with CloudTrail Event History in the AWS CloudTrail User Guide.

Next, you can set up Lake Formation permissions to match the AWS Glue permissions. See Step 2: Set up equivalent Lake Formation permissions.