Register your connection as a Glue Data Catalog
After you create your data source, you can use the Athena console to register your connection as a Glue Data Catalog. Once registered, you can manage your federated data catalog and enable fine-grained access control using Lake Formation. For more information, see Creating a federated catalog.
You can register the following connectors to integrate with Amazon Glue for fine-grained access control.
Redshift
BigQuery
DynamoDB (Preview)
Snowflake (Preview)
MySQL
PostgreSQL
Amazon CMDB
-
Timestream
Prerequisites
Before you begin, you must complete the following prerequisites.
Ensure that you have the roles and permissions needed to register locations. For more information, see the Requirements for roles in the Amazon Lake Formation Developer Guide.
-
Ensure that you have the required Lake Formation roles. For more information, see Prerequisites for connecting the Data Catalog to external data sources in the Amazon Lake Formation Developer Guide.
-
The role that you register in Glue must have the permissions as listed in the following example.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "s3://
amzn-s3-demo-bucket
/<Your_Spill_Prefix>
/*", "s3://amzn-s3-demo-bucket
/<Your_Spill_Prefix>
" ] }, { "Sid": "lambdainvoke", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "<Lambda_function_arn>
" }, { "Sid": "gluepolicy", "Effect": "Allow", "Action": "glue:*", "Resource": [ "arn:aws:glue:<region>
:<account_id>
:connection/<connection_name>
", "arn:aws:glue:<region>
:<account_id>
:catalog" ] } ] } You are responsible to determine and manage the appropriate data access. With fine-grain access controls on federated queries, it is recommended that you use the AmazonAthenaFullAccess managed policy. If you want to use your own policy, you must ensure that the users executing federated queries do not have access to the following resources.
-
lambda:InvokeFunction
on the Lambda connector that is specified in Glue connection -
Spill bucket location access in IAM
-
Access to the Glue connection associated with your federated catalog
-
Lake Formation Role in IAM
-
Register your connection using console
To register your connection as a Glue Data Catalog
Open the Athena console at https://console.amazonaws.cn/athena/
. -
In the navigation pane, choose Data sources and catalogs.
-
From the Data sources list, choose the data source that you created to open the Data source details page.
-
Choose Get started with Amazon Lake Formation.
Note
After you choose this option, you must manage your Lambda function on your own. Athena will not delete your Lambda function.
-
For Data catalog name provide a unique name for your catalog.
-
Choose the Lake Formation IAM role that grants permission to Lake Formation to invoke the Lambda function. Make sure the role has the permissions as shown in the example.
-
In the text box, type confirm to delete the Athena data source, replace it with a Glue data catalog registration.
Note
This action will delete your Athena data source and create a new Glue Data Catalog in its place. After this process is completed, you may need to update queries that access the data source to refer to the newly created Glue data catalog instead.
-
Choose Create catalog and go to Lake Formation. This opens the Lake Formation console where you can manage the catalog and grant permissions to users on catalogs, databases and tables.