Step 6: Give users a new IAM policy for future data lake access
To grant your users access to additional Data Catalog databases or tables in the future, you must give them the coarse-grained AWS Identity and Access Management (IAM) inline policy that follows. Name the policy GlueFullReadAccess.
Important
If you attach this policy to a user before revoking Super from IAMAllowedPrincipals on every database and table in your Data Catalog, that user can view all metadata for any resource on which Super is still granted to IAMAllowedPrincipals. The policy is coarse-grained by design: its Glue actions are allowed on every resource ("Resource": "*"), so it is the Lake Formation permissions, not this IAM policy, that limit which databases and tables the user actually sees.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GlueFullReadAccess",
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartitions"
            ],
            "Resource": "*"
        }
    ]
}
Note
The inline policies designated in this step and previous steps contain minimal IAM permissions. For suggested policies for data lake administrators, data analysts, and other personas, see Lake Formation personas and IAM permissions reference.
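The following script is an added example, not part of the Lake Formation tutorial. It applies the Important note above as a pre-flight check: it scans the output of `aws lakeformation list-permissions` (the `PrincipalResourcePermissions` list, in which IAMAllowedPrincipals appears as `IAM_ALLOWED_PRINCIPALS` and Super as `ALL`) for any database or table where Super is still held by IAMAllowedPrincipals, and only when that list is empty does it emit the `aws iam put-user-policy` command that attaches the GlueFullReadAccess inline policy to a user. The permissions list, the user name `datalake_user` and the account ID are constructed sample data; the script does not call AWS itself.

```python
import json
import shlex

# The inline policy from this step, as a Python dict (identical to the JSON above).
GLUE_FULL_READ_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GlueFullReadAccess",
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartitions",
            ],
            "Resource": "*",
        }
    ],
}

# Identifier the Lake Formation API uses for the IAMAllowedPrincipals group,
# and the API name of the Super permission shown in the console.
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"
SUPER = "ALL"


def find_open_resources(principal_resource_permissions):
    """Return (kind, name) pairs for every database or table on which
    IAMAllowedPrincipals still holds Super.

    Input is the 'PrincipalResourcePermissions' list returned by
    `aws lakeformation list-permissions`. Anything returned here is metadata
    a user could read the moment GlueFullReadAccess is attached.
    """
    still_open = []
    for entry in principal_resource_permissions:
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if principal != IAM_ALLOWED_PRINCIPALS or SUPER not in entry.get("Permissions", []):
            continue
        resource = entry.get("Resource", {})
        if "Database" in resource:
            still_open.append(("database", resource["Database"]["Name"]))
        elif "Table" in resource:
            table = resource["Table"]
            # A TableWildcard grant covers every table in the database.
            name = "*" if "TableWildcard" in table else table["Name"]
            still_open.append(("table", f"{table['DatabaseName']}.{name}"))
    return still_open


def put_user_policy_command(user_name, policy_name="GlueFullReadAccess"):
    """Build the AWS CLI command that attaches the inline policy to a user."""
    document = json.dumps(GLUE_FULL_READ_ACCESS, separators=(",", ":"))
    return " ".join([
        "aws iam put-user-policy",
        "--user-name", shlex.quote(user_name),
        "--policy-name", shlex.quote(policy_name),
        "--policy-document", shlex.quote(document),
    ])


# Constructed sample: a catalog where Super was revoked from IAMAllowedPrincipals
# on one table (replaced by SELECT) but is still present on a database and on
# every table of another database. The user ARN is a placeholder.
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Database": {"Name": "sales"}},
     "Permissions": [SUPER]},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
     "Resource": {"Table": {"DatabaseName": "hr", "TableWildcard": {}}},
     "Permissions": [SUPER]},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/datalake_user"},
     "Resource": {"Database": {"Name": "sales"}},
     "Permissions": ["DESCRIBE"]},
]


if __name__ == "__main__":
    leaks = find_open_resources(SAMPLE_PERMISSIONS)
    if leaks:
        print("Do not attach yet; IAMAllowedPrincipals still has Super on:")
        for kind, name in leaks:
            print(f"  {kind}: {name}")
    else:
        print(put_user_policy_command("datalake_user"))
```

To run the check against a real account, feed `find_open_resources` the `PrincipalResourcePermissions` array from `aws lakeformation list-permissions --principal DataLakePrincipalIdentifier=IAM_ALLOWED_PRINCIPALS` (paginating if `NextToken` is returned), and paste the printed `put-user-policy` command into the shell once the list is empty.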
Next, proceed to Step 7: Clean up existing IAM policies.