Securely share your data across AWS accounts using AWS Lake Formation


Data lakes have become very popular with organizations that want a centralized repository that allows you to store all your structured and unstructured data at any scale. Because data is stored as is, there is no need to convert it to a predefined schema up front. When you have new business use cases, you can easily build new types of analyses on top of the data lake, at any time.

In real-world use cases, it's common to have requirements to share data stored in the data lake with multiple companies, organizations, or business units. For example, you may want to provide your data to stakeholders in another company for a co-marketing campaign between the two companies. For any of these use cases, the producer party wants to share data in a secure and efficient way, without having to copy the entire database.

In August 2019, we announced the general availability of AWS Lake Formation, a fully managed service that makes it easy to set up a secure data lake in days. AWS Lake Formation permission management capabilities simplify securing and managing distributed data lakes across multiple AWS accounts through a centralized approach, providing fine-grained access control to the AWS Glue Data Catalog and Amazon Simple Storage Service (Amazon S3) locations.

There are two options to share your databases and tables with another account by using Lake Formation cross-account access control:

  • Lake Formation tag-based access control (recommended)
  • Lake Formation named resources

In this post, I explain the differences between these two options, and walk you through the steps to configure cross-account sharing.

Overview of tag-based access control

Lake Formation tag-based access control is an authorization strategy that defines permissions based on attributes. In Lake Formation, these attributes are called LF-tags. You can attach LF-tags to Data Catalog resources and Lake Formation principals. Data lake administrators can assign and revoke permissions on Lake Formation resources using these LF-tags. For more details about tag-based access control, refer to Easily manage your data lake at scale using AWS Lake Formation Tag-based access control.

The following diagram illustrates the architecture of this method.

We recommend tag-based access control for the following use cases:

  • You have a large number of tables and principals that the data lake administrator has to grant access to
  • You want to classify your data based on an ontology and grant permissions based on classification
  • The data lake administrator wants to assign permissions dynamically, in a loosely coupled way

You can also use tag-based access control to share Data Catalog resources (databases, tables, and columns) with external AWS accounts.

Overview of named resources

The Lake Formation named resource method is an authorization strategy that defines permissions for resources. Resources include databases, tables, and columns. Data lake administrators can assign and revoke permissions on Lake Formation resources. See Cross-Account Access: How It Works for details.

The following diagram illustrates the architecture for this method.

We recommend using named resources if the data lake administrator prefers granting permissions explicitly to individual resources.

When you use the named resource method to grant Lake Formation permissions on a Data Catalog resource to an external account, Lake Formation uses AWS Resource Access Manager (AWS RAM) to share the resource.

Now, let's take a closer look at how to configure cross-account access with these two options. We refer to the account that has the source table as the producer account, and refer to the account that needs access to the source table as the consumer account.

Configure Lake Formation Data Catalog settings in the producer account

Lake Formation provides its own permission management model. To maintain backward compatibility with the AWS Identity and Access Management (IAM) permission model, the Super permission is granted to the group IAMAllowedPrincipals on all existing AWS Glue Data Catalog resources by default. Also, the Use only IAM access control settings are enabled for new Data Catalog resources.

In this post, we do fine-grained access control using Lake Formation permissions and use IAM policies for coarse-grained access control. See Methods for Fine-Grained Access Control for details. Therefore, before you use an AWS CloudFormation template for a quick setup, you need to change the Lake Formation Data Catalog settings in the producer account.

This setting affects all newly created databases and tables, so we strongly recommend completing this tutorial in a non-production or new account. Also, if you're using a shared account (such as your company's dev account), make sure it doesn't affect other resources. If you prefer to keep the default security settings, you need to complete an extra step when sharing resources with other accounts, in which you revoke the default Super permission from IAMAllowedPrincipals on the database or table. We discuss the details later in this post.

To configure Lake Formation Data Catalog settings in the producer account, complete the following steps:

  1. Sign in to the producer account as an admin user, or a user with Lake Formation PutDataLakeSettings API permission.
  2. On the Lake Formation console, in the navigation pane, under Data catalog, choose Settings.
  3. Deselect Use only IAM access control for new databases and Use only IAM access control for new tables in new databases.
  4. Choose Save.

Additionally, you can remove CREATE_DATABASE permissions for IAMAllowedPrincipals under Administrative roles and tasks > Database creators. Only then is who can create a new database governed through Lake Formation permissions.

Set up resources with AWS CloudFormation

We provide two CloudFormation templates in this post: one for the producer account, and one for the consumer account.

The CloudFormation template for the producer account generates the following resources:

  • An S3 bucket to serve as our data lake.
  • A Lambda function (for Lambda-backed AWS CloudFormation custom resources). We use the function to copy sample data files from the public S3 bucket to your S3 bucket.
  • IAM users and policies.
  • An AWS Glue Data Catalog database, table, and partition. Because we introduce two options for sharing resources across AWS accounts, this template creates two separate sets of database and table.
  • Lake Formation data lake settings and permissions.

The CloudFormation template for the consumer account generates the following resources:

  • IAM users and policies:
    • DataLakeAdminConsumer
    • DataAnalyst
  • An AWS Glue Data Catalog database. We use this database for creating resource links to shared resources.

Launch the CloudFormation stack in the producer account

To launch the CloudFormation stack in the producer account, complete the following steps:

  1. Sign in to the producer account's AWS CloudFormation console in the target Region.
  2. Choose Launch Stack.
  3. Choose Next.
  4. For Stack name, enter a stack name, such as stack-producer.
  5. For ProducerDatalakeAdminUserName and ProducerDatalakeAdminUserPassword, enter the user name and password you want for the data lake admin IAM user.
  6. For DataLakeBucketName, enter the name of your data lake bucket. This name needs to be globally unique.
  7. For DatabaseName and TableName, leave the default values.
  8. Choose Next.
  9. On the next page, choose Next.
  10. Review the details on the final page and select I acknowledge that AWS CloudFormation might create IAM resources.
  11. Choose Create stack.

Launch the CloudFormation stack in the consumer account

To launch the CloudFormation stack in the consumer account, complete the following steps:

  1. Sign in to the consumer account's AWS CloudFormation console in the target Region.
  2. Choose Launch Stack.
  3. Choose Next.
  4. For Stack name, enter a stack name, such as stack-consumer.
  5. For ConsumerDatalakeAdminUserName and ConsumerDatalakeAdminUserPassword, enter the user name and password you want for the data lake admin IAM user.
  6. For DataAnalystUserName and DataAnalystUserPassword, enter the user name and password you want for the data analyst IAM user.
  7. For DatabaseName, leave the default value.
  8. For AthenaQueryResultS3BucketName, enter the name of the S3 bucket that stores Amazon Athena query results. If you don't have one, create an S3 bucket.
  9. Choose Next.
  10. On the next page, choose Next.
  11. Review the details on the final page and select I acknowledge that AWS CloudFormation might create IAM resources.
  12. Choose Create stack.

Stack creation can take about 1 minute.

(Optional) AWS KMS server-side encryption

If the source S3 bucket is encrypted using server-side encryption with an AWS Key Management Service (AWS KMS) customer master key (CMK), make sure that the IAM role that Lake Formation uses to access S3 data is registered as a key user for the KMS CMK. By default, the IAM role AWSServiceRoleForLakeFormationDataAccess is used, but you can choose other IAM roles when registering an S3 data lake location. To register the Lake Formation role as a KMS key user, you can use the AWS KMS console, or directly add the permission to the key policy using the KMS PutKeyPolicy API and the AWS Command Line Interface (AWS CLI).

You don't have to add individual consumer accounts to the key policy. Only the role that Lake Formation uses is required. Also, this step isn't necessary if the source S3 bucket is encrypted with server-side encryption with Amazon S3 managed keys, or with an AWS managed key.

To add a Lake Formation role as a KMS key user via the console, complete the following steps:

  1. Sign in to the AWS KMS console as the key administrator.
  2. In the navigation pane, under Customer managed keys, choose the key that's used to encrypt the source S3 bucket.
  3. Under Key users, choose Add.
  4. Select AWSServiceRoleForLakeFormationDataAccess and choose Add.

To use the AWS CLI, enter the following command (replace <key-id>, <name-of-key-policy>, and <key-policy> with valid values):

aws kms put-key-policy --key-id <key-id> --policy-name <name-of-key-policy> --policy <key-policy>

For more information, see put-key-policy.

Lake Formation cross-account sharing prerequisites

Before sharing resources with Lake Formation, there are prerequisites for both the tag-based access control method and the named resource method.

Tag-based access control cross-account sharing prerequisites

As described in Lake Formation Tag-Based Access Control Cross-Account Prerequisites, before you can use the tag-based access control method to grant cross-account access to resources, you need to add the following JSON permissions object to the AWS Glue Data Catalog resource policy in the producer account. This gives the consumer account permission to access the Data Catalog when glue:EvaluatedByLakeFormationTags is true. This condition becomes true for resources on which you granted permission to the consumer account using Lake Formation LF-tags. This policy is required for every AWS account that you're granting permissions to.

The following policy must be inside a Statement element. We discuss the full IAM policy later in this post.

{
    "Effect": "Allow",
    "Action": [
        "glue:*"
    ],
    "Principal": {
        "AWS": [
            "<consumer-account-id>"
        ]
    },
    "Resource": [
        "arn:aws:glue:<region>:<account-id>:table/*",
        "arn:aws:glue:<region>:<account-id>:database/*",
        "arn:aws:glue:<region>:<account-id>:catalog"
    ],
    "Condition": {
        "Bool": {
            "glue:EvaluatedByLakeFormationTags": true
        }
    }
}

Named resource method cross-account sharing prerequisites

As described in Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation, if there is no Data Catalog resource policy in your account, the Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you need to add the following statement to it so that your cross-account grants succeed when they're made with the named resource method. If you plan to use only the named resource method, or only the tag-based access control method, you can skip this step. In this post, we evaluate both methods, so we need to add the following policy.

The following policy must be inside a Statement element. We discuss the full IAM policy in the next section.

{
    "Effect": "Allow",
    "Action": [
        "glue:ShareResource"
    ],
    "Principal": {
        "Service": [
            "ram.amazonaws.com"
        ]
    },
    "Resource": [
        "arn:aws:glue:<region>:<account-id>:table/*/*",
        "arn:aws:glue:<region>:<account-id>:database/*",
        "arn:aws:glue:<region>:<account-id>:catalog"
    ]
}

Add the AWS Glue Data Catalog resource policy using the AWS CLI

If we grant cross-account permissions by using both the tag-based access control method and the named resource method, we must set the EnableHybrid argument to 'true' when adding the preceding policies. Because this option isn't currently supported on the console, we must use the glue:PutResourcePolicy API and the AWS CLI.

First, create a policy document (such as policy.json) and add the preceding two policies. Replace <consumer-account-id> with the account ID of the AWS account receiving the grant, <region> with the Region of the Data Catalog containing the databases and tables that you're granting permissions on, and <account-id> with the producer AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ram.amazonaws.com"
            },
            "Action": "glue:ShareResource",
            "Resource": [
                "arn:aws:glue:<region>:<account-id>:table/*/*",
                "arn:aws:glue:<region>:<account-id>:database/*",
                "arn:aws:glue:<region>:<account-id>:catalog"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<consumer-account-id>"
            },
            "Action": "glue:*",
            "Resource": [
                "arn:aws:glue:<region>:<account-id>:table/*/*",
                "arn:aws:glue:<region>:<account-id>:database/*",
                "arn:aws:glue:<region>:<account-id>:catalog"
            ],
            "Condition": {
                "Bool": {
                    "glue:EvaluatedByLakeFormationTags": "true"
                }
            }
        }
    ]
}

Enter the following AWS CLI command. Replace <glue-resource-policy> with the correct value (such as file://policy.json).

aws glue put-resource-policy --policy-in-json <glue-resource-policy> --enable-hybrid TRUE

For more information, see put-resource-policy.
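Before running put-resource-policy, it is worth checking the producer account's existing Data Catalog resource policy for the two prerequisite statements above. The following pre-flight check is an added example written for this post, not code from the original post or from AWS: it builds the two statements, reports which consumer accounts still lack a tag-based statement, and tells you whether --enable-hybrid TRUE is required because both methods are in play. The Region and account IDs used in it are constructed sample values.

```python
"""Pre-flight check for the Glue Data Catalog resource policy in the producer account.

Added example (not from the original post). Account IDs and Region are constructed.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"\d{12}")


def catalog_arns(region, account_id):
    """The three Data Catalog ARNs both prerequisite statements apply to."""
    return [
        f"arn:aws:glue:{region}:{account_id}:table/*/*",
        f"arn:aws:glue:{region}:{account_id}:database/*",
        f"arn:aws:glue:{region}:{account_id}:catalog",
    ]


def ram_share_statement(region, account_id):
    """Statement the named resource method needs once any resource policy exists."""
    return {
        "Effect": "Allow",
        "Principal": {"Service": "ram.amazonaws.com"},
        "Action": "glue:ShareResource",
        "Resource": catalog_arns(region, account_id),
    }


def tag_based_statement(region, account_id, consumer_account_id):
    """Statement the tag-based method needs; one per consumer account."""
    if not ACCOUNT_ID_RE.fullmatch(consumer_account_id):
        raise ValueError(f"not a 12-digit account ID: {consumer_account_id!r}")
    return {
        "Effect": "Allow",
        "Principal": {"AWS": consumer_account_id},
        "Action": "glue:*",
        "Resource": catalog_arns(region, account_id),
        # Only resources shared via LF-tags satisfy this condition, so glue:* is
        # scoped to what Lake Formation has actually granted to that account.
        "Condition": {"Bool": {"glue:EvaluatedByLakeFormationTags": "true"}},
    }


def build_policy(region, account_id, consumer_account_ids):
    """Full policy document for put-resource-policy (both methods, hence hybrid)."""
    statements = [ram_share_statement(region, account_id)]
    statements += [tag_based_statement(region, account_id, c) for c in consumer_account_ids]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_ram_share(stmt):
    services = _as_list(stmt.get("Principal", {}).get("Service", []))
    return (stmt.get("Effect") == "Allow"
            and "ram.amazonaws.com" in services
            and "glue:ShareResource" in _as_list(stmt.get("Action", [])))


def _tag_based_accounts(stmt):
    """Account IDs covered by a statement conditioned on EvaluatedByLakeFormationTags."""
    cond = stmt.get("Condition", {}).get("Bool", {}).get("glue:EvaluatedByLakeFormationTags")
    if stmt.get("Effect") != "Allow" or str(cond).lower() != "true":
        return set()
    # Principals may be bare IDs or ARNs such as arn:aws:iam::123456789012:root.
    found = set()
    for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
        match = ACCOUNT_ID_RE.search(principal)
        if match:
            found.add(match.group(0))
    return found


def check_policy(policy, consumer_account_ids):
    """Report which prerequisites an existing policy (dict or JSON string) satisfies."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement", []))
    has_ram_share = any(_is_ram_share(s) for s in statements)
    covered = set().union(*(_tag_based_accounts(s) for s in statements))
    return {
        "has_ram_share": has_ram_share,
        "missing_tag_based": [c for c in consumer_account_ids if c not in covered],
        # Both kinds of statement present -> put-resource-policy needs --enable-hybrid TRUE
        "needs_enable_hybrid": has_ram_share and bool(covered),
    }


if __name__ == "__main__":
    # Constructed sample: one consumer already covered, a second one not yet.
    existing = build_policy("us-east-1", "111111111111", ["222222222222"])
    print(json.dumps(check_policy(existing, ["222222222222", "333333333333"]), indent=2))
```

If missing_tag_based is non-empty, append a tag_based_statement for each listed account before uploading; if needs_enable_hybrid is true, the upload without --enable-hybrid TRUE will be rejected or will break the other method's grants.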

Implement the Lake Formation tag-based access control method

In this section, we walk through the following high-level steps:

  1. Define an LF-tag.
  2. Assign the LF-tag to the target resource.
  3. Grant LF-tag permissions to the consumer account.
  4. Grant data permissions to the consumer account.
  5. Optionally, revoke permissions for IAMAllowedPrincipals on the database, tables, and columns.
  6. Create a resource link to the shared table.
  7. Create an LF-tag and assign it to the target database.
  8. Grant LF-tag data permissions to the consumer.

Define an LF-tag

If you're signed in to your producer account, sign out before completing the following steps.

  1. Sign in as the producer account data lake administrator. Use the producer account ID, IAM user name (the default is DatalakeAdminProducer), and password that you specified during CloudFormation stack creation.
  2. On the Lake Formation console, in the navigation pane, under Permissions, and under Administrative roles and tasks, choose LF-tags.
  3. Choose Add LF-tag.
  4. Specify the key and values. In this post, we create an LF-tag where the key is Confidentiality and the values are private, sensitive, and public.
  5. Choose Add LF-tag.
Assign the LF-tag to the target resource

As a data lake administrator, you can attach tags to resources. If you plan to use a separate role, you may need to grant describe and attach permissions to that role.

  1. In the navigation pane, under Data catalog, select Databases.
  2. Select the target database (lakeformation_tutorial_cross_account_database_tbac) and on the Actions menu, choose Edit LF-tags.

For this post, we assign an LF-tag to a database, but you can also assign LF-tags to tables and columns.

  3. Choose Assign new LF-Tag.
  4. Add the key Confidentiality and value public.
  5. Choose Save.

Grant LF-tag permission to the consumer account

Still in the producer account, we grant permissions to the consumer account to access the LF-tag.

  1. In the navigation pane, under Permissions, Administrative roles and tasks, LF-tag permissions, choose Grant.
  2. For Principals, choose External accounts.
  3. Enter the target AWS account ID.

AWS accounts within the same organization appear automatically. Otherwise, you have to manually enter the AWS account ID. As of this writing, Lake Formation tag-based access control doesn't support granting permission to organizations or organizational units.

  4. For LF-Tags, choose the key and values of the LF-tag that's being shared with the consumer account (key Confidentiality and value public).
  5. For Permissions, select Describe for LF-tag permissions.

LF-tag permissions are permissions given to the consumer account. Grantable permissions are permissions that the consumer account can grant to other principals.

  6. Choose Grant.

At this point, the consumer data lake administrator should be able to find the policy tag being shared via the consumer account Lake Formation console, under Permissions, Administrative roles and tasks, LF-tags.

Grant data permission to the consumer account

We will now provide data access to the consumer account by specifying an LF-Tag expression and granting the consumer account access to any table or database that matches the expression.

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.
  2. For Principals, choose External accounts, and enter the consumer AWS account ID.
  3. For LF-tags or catalog resources, under Resources matched by LF-Tags (recommended), choose Add LF-Tag.
  4. Select the key and values of the tag that's being shared with the consumer account (key Confidentiality and value public).
  5. For Database permissions, select Describe under Database permissions to grant access permissions at the database level.
  6. Select Describe under Grantable permissions so the consumer account can grant database-level permissions to its users.
  7. For Table and column permissions, select Select and Describe under Table permissions.
  8. Select Select and Describe under Grantable permissions.
  9. Choose Grant.

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)

At the very beginning of this tutorial, we changed the Lake Formation Data Catalog settings. If you skipped that part, this step is required. If you changed your Lake Formation Data Catalog settings, you can skip this step.

In this step, we have to revoke the default Super permission from IAMAllowedPrincipals on the database or table. See Secure Existing Data Catalog Resources for details.

Before revoking permission for IAMAllowedPrincipals, make sure that you granted existing IAM principals the necessary permissions through Lake Formation. This consists of two steps:

  1. Add IAM permission to the target IAM user or role for the Lake Formation GetDataAccess action (with an IAM policy).
  2. Grant the target IAM user or role Lake Formation data permissions (alter, select, and so on).

Then, revoke permissions for IAMAllowedPrincipals. Otherwise, after revoking permissions for IAMAllowedPrincipals, existing IAM principals may not be able to access the target database or catalog.

Revoking Super permission for IAMAllowedPrincipals is required when you want to apply the Lake Formation permission model (instead of the IAM policy model) to manage user access within a single account or among multiple accounts. You don't have to revoke permission of IAMAllowedPrincipals for other tables where you want to keep the traditional IAM policy model.

At this point, the consumer account data lake administrator should be able to find the database and table being shared via the consumer account Lake Formation console, under Data catalog, Databases. If not, check if the following are properly configured:

  • Make sure the correct policy tag and values are assigned to the target databases and tables
  • Make sure the correct tag permission and data permission are assigned to the consumer account
  • Revoke the default Super permission from IAMAllowedPrincipals on the database or table

Create a resource link to the shared table

When a resource is shared between accounts, the shared resources are not put in the consumer account's catalog. To make them available, and to query the underlying data of a shared table using services like Athena, we need to create a resource link to the shared table. A resource link is a Data Catalog object that is a link to a local or shared database or table. By creating a resource link, you can:

  • Assign a different name to a database or table that aligns with your Data Catalog resource naming policies
  • Use services such as Athena and Amazon Redshift Spectrum to query shared databases or tables

To create a resource link, complete the following steps:

  1. If you're signed in to your consumer account, sign out.
  2. Sign in as the consumer account data lake administrator. Use the consumer account ID, IAM user name (default DatalakeAdminConsumer) and password that you specified during CloudFormation stack creation.
  3. On the Lake Formation console, in the navigation pane, under Data catalog, Databases, choose the shared database lakeformation_tutorial_cross_account_database_tbac.

If you don't see the database, revisit the previous steps to see if everything is properly configured.

  4. Choose View tables.
  5. Choose the shared table amazon_reviews_table_tbac.
  6. On the Actions menu, choose Create resource link.
  7. For Resource link name, enter a name (for this post, amazon_reviews_table_tbac_resource_link).
  8. Under Database, select the database that the resource link is created in (for this post, the CloudFormation stack created the database lakeformation_tutorial_cross_account_database_consumer).
  9. Choose Create.

The resource link appears under Data catalog, Tables.

Create an LF-tag and assign it to the target database

Lake Formation tags reside in the same catalog as the resources. This means that tags created in the producer account aren't available to use when granting access to the resource links in the consumer account. You need to create a separate set of LF-tags in the consumer account to use LF tag-based access control when sharing the resource links in the consumer account. Let's first create the LF-tag. Refer to the previous sections for full instructions.

  1. Define the LF-tag in the consumer account. For this post, we use key Department and values sales, marketing, and analyst.
  2. Assign the LF-tag key Department and value analyst to the database lakeformation_tutorial_cross_account_database_consumer, where the resource link is created.

Grant LF-tag data permission to the consumer

As a final step, we grant LF-tag data permission to the consumer.

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.
  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.
  3. For LF-tags or catalog resources, choose Resources matched by LF-tags (recommended).
  4. Choose key Department and value analyst.
  5. For Database permissions, select Describe under Database permissions.
  6. For Table and column permissions, select Select and Describe under Table permissions.
  7. Choose Grant.
  8. Repeat these steps for user DataAnalyst, where the LF-tag key is Confidentiality and value is public.

At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console.

If not, check if the following are properly configured:

  • Make sure the resource link is created for the shared table
  • Make sure you granted the user access to the LF-tag shared by the producer account
  • Make sure you granted the user access to the LF-tag associated with the resource link and the database that the resource link is created in
  • Check if you assigned the correct LF-tag to the resource link, and to the database that the resource link is created in

Implement the Lake Formation named resource method

To use the named resource method, we walk through the following high-level steps:

  1. Optionally, revoke permission for IAMAllowedPrincipals on the database, tables, and columns.
  2. Grant data permission to the consumer account.
  3. Accept a resource share from AWS RAM.
  4. Create a resource link for the shared table.
  5. Grant data permission for the shared table to the consumer.
  6. Grant data permission for the resource link to the consumer.

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)

At the very beginning of this tutorial, we changed the Lake Formation Data Catalog settings. If you skipped that part, this step is required. For instructions, see the optional step in the previous section.

Grant data permission to the consumer account

If you're signed in to the producer account as another user, sign out first.

  1. Sign in as the producer account data lake administrator using the AWS account ID, IAM user name (default is DatalakeAdminProducer), and password specified during CloudFormation stack creation.
  2. In the navigation pane, under Permissions, Data lake permissions, choose Grant.
  3. For Principals, choose External accounts, and enter one or more AWS account IDs or AWS Organizations IDs.

Organizations that the producer account belongs to and AWS accounts within the same organization appear automatically. Otherwise, manually enter the account ID or organization ID.

  4. For LF-tags or catalog resources, choose Named data catalog resources.
  5. Under Databases, choose the database lakeformation_tutorial_cross_account_database_named_resource.
  6. Under Tables, choose All tables.
  7. For Table and column permissions, select Select and Describe under Table permissions.
  8. Select Select and Describe under Grantable permissions.
  9. Optionally, for Data permissions, select Simple column-based access if column-level permission management is required.
  10. Choose Grant.

If you haven't revoked permission for IAMAllowedPrincipals, you get a Grant permissions failed error.

At this point, you should see the target table being shared via AWS RAM with the consumer account under Permissions, Data permissions.

Accept a resource share from AWS RAM

This step is required only for account ID-based sharing, not for organization-based sharing.

  1. Sign in as the consumer account data lake administrator using the IAM user name (default is DatalakeAdminConsumer) and password specified during CloudFormation stack creation.
  2. On the AWS RAM console, in the navigation pane, under Shared with me, Resource shares, choose the shared Lake Formation resource.

The Status should be Pending.

  3. Confirm the resource details, and choose Accept resource share.

At this point, the consumer account data lake administrator should be able to find the shared resource on the Lake Formation console under Data catalog, Databases.

Create a resource link for the shared table

Follow the instructions detailed earlier to create a resource link for a shared table. Name the resource link amazon_reviews_table_named_resource_resource_link. Create the resource link in the database lakeformation_tutorial_cross_account_database_consumer.

Grant data permission for the shared table to the consumer

To grant data permission for the shared table to the consumer, complete the following steps:

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.
  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.
  3. For LF-tags or catalog resources, choose Named data catalog resources.
  4. Under Databases, choose the database lakeformation_tutorial_cross_account_database_named_resource.

If you don't see the database in the drop-down list, choose Load more.

  5. Under Tables, choose the table amazon_reviews_table_named_resource.
  6. For Table and column permissions, select Select and Describe under Table permissions.
  7. Choose Grant.

Grant data permission for the resource link to the consumer

In addition to granting the data lake user permission to access the shared table, you also need to grant the data lake user permission to access the resource link.

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.
  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.
  3. For LF-tags or catalog resources, choose Named data catalog resources.
  4. Under Databases, choose the database lakeformation_tutorial_cross_account_database_consumer.
  5. Under Tables, choose the table amazon_reviews_table_named_resource_resource_link.
  6. For Resource link permissions, select Describe under Resource link permissions.
  7. Choose Grant.

At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console.

If not, check if the following are properly configured:

  • Make sure the resource link is created for the shared table
  • Make sure you granted the user access to the table shared by the producer account
  • Make sure you granted the user access to the resource link and the database that the resource link is created in

Clean up

To clean up the resources created in this tutorial, delete or change the following resources:

  • Producer account:
    • AWS RAM resource share
    • Lake Formation tags
    • CloudFormation stack
    • Lake Formation settings
    • AWS Glue Data Catalog settings
  • Consumer account:
    • Lake Formation tags
    • CloudFormation stack

Summary

Lake Formation cross-account sharing allows you to share data across AWS accounts without copying the actual data. Also, it provides both the producer and consumer with control over data permissions in a flexible way. In this post, we introduced two different options to reference catalog data from another account by using the cross-account access features provided by Lake Formation:

  • Tag-based access control
  • Named resources

The tag-based access control method is recommended when many resources and entities are involved. Although this option appears to require more steps, tag-based access control helps data lake administrators control the relationships between each user and table dynamically via tags. The named resource method provides the data lake administrator with a more straightforward way to manage catalog permissions. You can choose the method that best fits your requirements.

About the author

Yumiko Kanasugi is a Solutions Architect with Amazon Web Services Japan, supporting digital native business customers in utilizing AWS.
