Working with other AWS services
AWS services such as Amazon Athena, AWS Glue, Amazon Redshift Spectrum, and Amazon EMR can use AWS Lake Formation to securely access data in Amazon S3 locations registered with Lake Formation. With Lake Formation, you can define and manage fine-grained access control (FGAC) permissions for your tables in the AWS Glue Data Catalog. Each of these AWS services is a trusted caller to Lake Formation, and Lake Formation provides access to data stored in Amazon S3 through temporary credentials. For more information, see How Lake Formation application integration works.
To use these capabilities, you must first register the Amazon S3 location with Lake Formation and grant the IAM principal the appropriate Lake Formation permissions on the table, the database, and the Amazon S3 location. For more information, see Managing Lake Formation permissions.
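The setup just described, as an added example that is not part of the AWS documentation: the helpers below build the RegisterResource and GrantPermissions request bodies (real Lake Formation API parameter names) for the three grants a principal needs, and optionally replay them through a botocore Stubber so the parameter names are checked against the service model without contacting AWS. The account ID, role, bucket, database, table and region are placeholders.

```python
"""Provisioning the Lake Formation permissions a principal needs before a trusted service
(Athena, EMR, Glue ETL, Redshift Spectrum) can read a registered table.

Added example; not code from the AWS documentation. Every identifier is a placeholder:
account 123456789012, role AnalystRole, bucket example-datalake, database sales, table
orders. The helpers build request payloads with the real Lake Formation API parameter
names (RegisterResource, GrantPermissions); nothing is sent to AWS.
"""
from __future__ import annotations

PRINCIPAL = "arn:aws:iam::123456789012:role/AnalystRole"  # placeholder IAM role


def s3_location_arn(bucket: str, prefix: str = "") -> str:
    """ARN form Lake Formation expects for a registered S3 location (bucket or prefix)."""
    arn = f"arn:aws:s3:::{bucket}"
    if prefix:
        arn += "/" + prefix.strip("/")
    return arn


def register_location_request(location_arn: str) -> dict:
    """RegisterResource payload. Registration is what allows Lake Formation to vend
    temporary credentials for this path; an unregistered path stays IAM-only."""
    return {"ResourceArn": location_arn, "UseServiceLinkedRole": True}


def _grant(principal: str, resource: dict, permissions: list[str]) -> dict:
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": resource,
        "Permissions": permissions,
        "PermissionsWithGrantOption": [],  # analysts must not be able to re-grant
    }


def data_location_grant(principal: str, location_arn: str) -> dict:
    """DATA_LOCATION_ACCESS governs creating catalog objects that point at the location."""
    return _grant(principal, {"DataLocation": {"ResourceArn": location_arn}},
                  ["DATA_LOCATION_ACCESS"])


def database_grant(principal: str, database: str) -> dict:
    """DESCRIBE on the database lets the principal see the table in the catalog."""
    return _grant(principal, {"Database": {"Name": database}}, ["DESCRIBE"])


def table_grant(principal: str, database: str, table: str,
                columns: list[str] | None = None, write: bool = False) -> dict:
    """SELECT on the whole table, or on a column subset (TableWithColumns).

    Column-level grants are read-only in every consumer listed on this page and writes
    require full-table access, so a column-restricted write grant is rejected here
    rather than producing a job that fails at run time.
    """
    if columns and write:
        raise ValueError("column-level permissions are read-only; writes need full table access")
    if columns:
        resource = {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                         "ColumnNames": list(columns)}}
    else:
        resource = {"Table": {"DatabaseName": database, "Name": table}}
    permissions = ["SELECT"] + (["INSERT", "DELETE"] if write else [])
    return _grant(principal, resource, permissions)


def plan_grants(principal: str, bucket: str, database: str, table: str,
                prefix: str = "", columns: list[str] | None = None,
                write: bool = False) -> tuple[dict, list[dict]]:
    """Return (RegisterResource payload, ordered GrantPermissions payloads)."""
    location = s3_location_arn(bucket, prefix)
    grants = [
        data_location_grant(principal, location),
        database_grant(principal, database),
        table_grant(principal, database, table, columns, write),
    ]
    return register_location_request(location), grants


def validate_with_botocore(register_req: dict, grants: list[dict]) -> bool | None:
    """Replay the payloads through a botocore Stubber (offline). The stub answers each
    call, but botocore still validates parameter names and types against the service
    model, so a typo such as 'ColumnName' fails here instead of at deployment.
    Returns True on success, None when boto3 is not installed."""
    try:
        import boto3
        from botocore.stub import Stubber
    except ImportError:
        return None
    client = boto3.client("lakeformation", region_name="us-east-1")  # placeholder region
    with Stubber(client) as stub:
        stub.add_response("register_resource", {}, register_req)
        for g in grants:
            stub.add_response("grant_permissions", {}, g)
        client.register_resource(**register_req)
        for g in grants:
            client.grant_permissions(**g)
        stub.assert_no_pending_responses()
    return True


if __name__ == "__main__":
    import json
    reg, plan = plan_grants(PRINCIPAL, "example-datalake", "sales", "orders",
                            prefix="sales/orders", columns=["order_id", "amount"])
    print(json.dumps({"register": reg, "grants": plan}, indent=2))
    print("botocore validation:", validate_with_botocore(reg, plan))
```

The column-restricted variant is the form to grant to Athena SQL or Spark readers; a Glue ETL job reading the same table needs the full-table form, because, as the considerations below state, Glue ETL fails when column-level permissions are applied to a table.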
The following tables list the types of Lake Formation permissions that Amazon Athena, AWS Glue, Amazon EMR, and Amazon Redshift Spectrum support for accessing data in AWS Glue standard tables and in transactional tables (Apache Iceberg, Apache Hudi, and Delta Lake).
AWS services and supported permission types for AWS Glue standard tables and views

| AWS service | Table-level permissions | Column-level permissions | Row and cell-level permissions |
|---|---|---|---|
| Athena SQL | Read/write access | Read access | Read access |
| Athena Spark | Not supported | Not supported | Not supported |
| Redshift Spectrum on a provisioned cluster or Amazon Redshift Serverless | Read/write access | Read access | Read access |
| Apache Spark on Amazon EMR (EC2) | Read/write access | Read access | Read access |
| Apache Hive on Amazon EMR (EC2) | Read/write access | Read access | Not supported |
| Apache Spark on EMR Serverless | Read/write access | Read access | Read access |
| Apache Hive on EMR Serverless | Not supported | Not supported | Not supported |
| Amazon EMR on EKS | Not supported | Not supported | Not supported |
| AWS Glue ETL | Read/write access | Not supported | Not supported |
Considerations and limitations
- Athena Spark doesn't support querying Data Catalog tables with Lake Formation permissions.
- Athena SAML-based users can read data sources secured using Lake Formation permissions by enabling SAML 2.0-based federation. SAML users can insert data into Parquet tables.
- Apache Spark on EMR Serverless doesn't support querying Data Catalog views.
- Apache Hive on EMR Serverless doesn't support querying tables with Lake Formation permissions.
- AWS Glue ETL requires full access to the entire table when fetching data from the underlying Amazon S3 location. An AWS Glue ETL job fails if you apply column-level permissions to a table.
AWS services and supported permission types for transactional table formats

| AWS service | Iceberg | Hudi | Delta Lake (native) | Delta Lake (symlink tables) |
|---|---|---|---|---|
| Athena | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports read and create operations on tables with table, column, row, and cell-level permissions. Write operations are not supported. | Athena (engine version 3) supports reading native Delta Lake tables with table, column, row, and cell-level permissions. Write operations are not supported. | Athena (engine version 3) supports reading symlink Delta Lake tables with table, column, row, and cell-level permissions. Write operations are not supported. |
| Redshift Spectrum on a provisioned cluster | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Not supported | Supports reading Delta Lake tables via symlink manifest with table, column, row, and cell-level permissions. Write operations are not supported. |
| Apache Spark on Amazon EMR (EC2) | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. | Supports reading tables with table, column, row, and cell-level permissions. Write operations are not supported. | Supports reading tables with table, column, row, and cell-level permissions. Write operations require full table access. |
| AWS Glue ETL | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. | Supports read/write on tables with table-level permissions. |