AWS Lake Formation
Developer Guide

Step 6: Give Users a New IAM Policy for Future Data Lake Access

To grant your users access to additional Data Catalog databases or tables in the future, you must give them the forward-looking AWS Identity and Access Management (IAM) inline policy that follows. Name the policy GlueFullReadAccess.

If you attach this policy to a user before revoking Super from IAMAllowedPrincipals on every database and table in your Data Catalog, that user can view all metadata for any resource on which Super is granted to IAMAllowedPrincipals.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GlueFullReadAccess",
                "Effect": "Allow",
                "Action": [
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:SearchTables",
                    "glue:GetDatabase",
                    "glue:GetDatabases",
                    "glue:GetPartitions"
                ],
                "Resource": "*"
            }
        ]
    }
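The caveat above is the check a practitioner wants to run before attaching the policy: is the policy really read-only, and does IAMAllowedPrincipals still hold Super anywhere in the Data Catalog? The following Python is an added example, not code from the AWS guide. It keeps the policy document from this step as a dictionary, verifies that every allowed action is a Glue Get or Search action, and scans a permissions listing for Super grants to IAMAllowedPrincipals. The listing is constructed inline; its shape (the PrincipalResourcePermissions entries returned by boto3's lakeformation.list_permissions, with the principal identifier IAM_ALLOWED_PRINCIPALS and Super spelled ALL in the API) is an assumption, as are the database, table, and account values in the sample.

```python
"""Pre-attachment check for the GlueFullReadAccess inline policy.

Added example (not from the AWS Lake Formation guide). Assumptions are
marked in comments; the sample permissions listing is constructed.
"""
import json

# The inline policy from this step, as a Python dictionary.
GLUE_FULL_READ_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GlueFullReadAccess",
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartitions",
            ],
            "Resource": "*",
        }
    ],
}

# Identifier Lake Formation uses for the IAMAllowedPrincipals group (assumption).
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"


def is_read_only(policy):
    """True if every Allow statement grants only glue:Get* or glue:Search* actions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if service != "glue" or not (name.startswith("Get") or name.startswith("Search")):
                return False
    return True


def resources_with_super_for_iam_allowed(permissions):
    """Names of databases and tables on which IAMAllowedPrincipals still holds ALL (Super)."""
    found = []
    for entry in permissions:
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if principal != IAM_ALLOWED_PRINCIPALS:
            continue
        if "ALL" not in entry.get("Permissions", []):
            continue
        res = entry.get("Resource", {})
        if "Database" in res:
            found.append("database:" + res["Database"]["Name"])
        elif "Table" in res:
            table = res["Table"]
            found.append("table:" + table["DatabaseName"] + "." + table["Name"])
    return sorted(found)


def safe_to_attach(policy, permissions):
    """Attach only if the policy is read-only and no Super grant to IAMAllowedPrincipals remains."""
    return is_read_only(policy) and not resources_with_super_for_iam_allowed(permissions)


# Constructed sample in list_permissions shape (assumed): two resources still
# open to IAMAllowedPrincipals, one user grant, one database already narrowed.
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Database": {"Name": "sales"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/datalake_user"},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Database": {"Name": "hr"}},
     "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": []},
]

if __name__ == "__main__":
    print(json.dumps(GLUE_FULL_READ_ACCESS, indent=2))
    print("Still open to IAMAllowedPrincipals:",
          resources_with_super_for_iam_allowed(SAMPLE_PERMISSIONS))
    print("Safe to attach:", safe_to_attach(GLUE_FULL_READ_ACCESS, SAMPLE_PERMISSIONS))
```

With the constructed listing, the check reports the sales database and the sales.orders table as still open to IAMAllowedPrincipals and refuses the attachment; in practice the listing would come from a live list_permissions call, and the policy is attached only once the function returns True.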
The inline policies designated in this step and previous steps contain minimal IAM permissions. For suggested policies for data lake administrators, data analysts, and other personas, see Lake Formation Personas and IAM Permissions Reference.

Next, proceed to Step 7: Clean Up Existing IAM Policies.