Data sharing using tag-based access control
Setup required on the producer/grantor account
Define an LF tag. For instructions to create an LF-Tag, see Creating LF-Tags.
Assign the LF-Tag to the target resource. For more information, see Assigning LF-Tags to Data Catalog resources.
Grant LF-Tag permission to the external account. For more information, see Granting LF-Tag permissions using the console.
At this point, the consumer data lake administrator should be able to see the shared LF-Tag in the grantee account's Lake Formation console, under Permissions, Administrative roles and tasks, LF-Tags.
Grant data permission to the external/grantee account.
In the navigation pane, under Permissions, Data lake permissions, choose Grant.
For Principals, choose External accounts, and enter the target Amazon Web Services account ID, the IAM role of the principal, or the Amazon Resource Name (ARN) of the principal.
For LF-Tags or catalog resources, choose Resources matched by LF-Tags (recommended), then choose Add LF-Tag and select the key and value of the LF-Tag that is being shared with the grantee account (key Confidentiality and value public). Only resources whose assigned tags match this expression are covered by the grant.
For Database permissions, select Describe under Database permissions to grant access at the database level.
The consumer data lake administrator can confirm the shared LF-Tag is visible on the Lake Formation console at https://console.amazonaws.cn/lakeformation/, under Permissions, Administrative roles and tasks, LF-Tags.
Under Grantable permissions, select Describe so the consumer account's data lake administrator can grant database-level permissions to principals in that account.
Because the data lake administrator must grant permissions on shared resources to the principals in the grantee account, cross-account permissions must always be granted with the grant option.
Note
Principals who receive direct cross-account grants will not have the Grantable permissions option.
For Table and column permissions, select Select and Describe under Table permissions.
Select Select and Describe under Grantable permissions.
Choose Grant.
Setup required on the receiving/grantee account
When you share a resource with another account, the resource still belongs to the producer account and is not visible in the consumer account's Athena console. To make it visible, create a resource link pointing to the shared resource. For instructions, see Creating a resource link to a shared Data Catalog table and Creating a resource link to a shared Data Catalog database.
The producer's LF-Tags are not reused on the consumer side: create a separate set of LF-Tags in the consumer account to apply LF-Tag-based access control to the shared resources and their resource links. Create the LF-Tags, then assign them to the shared database/tables and to the resource links.
Grant permissions on these LF-Tags to the IAM principals in the grantee account.
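The two procedures above (producer: define, assign and grant with the grant option; consumer: resource link, separate LF-Tags, grant to local principals) as one added example, not code from the Lake Formation documentation. It builds the boto3 `lakeformation`/`glue` request payloads as plain dicts so they can be inspected offline, and includes a check for the rule stated above that every grant to an external account must carry the grant option. Account IDs, database/table names, the resource link name and the role ARN are placeholder assumptions; the LF-Tag key and value are the ones used on this page. Pass real `boto3.client("lakeformation")` / `boto3.client("glue")` objects to `apply()` to execute the calls in the respective account.

```python
"""LF-Tag based cross-account share, producer and consumer sides, as boto3 payloads.

Added example; not code from the Lake Formation docs. Account IDs, names and
the role ARN are placeholders (assumptions). Request dicts use the documented
boto3 parameter names for create_lf_tag, add_lf_tags_to_resource,
grant_permissions and glue create_database.
"""
from __future__ import annotations
import re

PRODUCER = "111111111111"   # assumption: grantor/producer account
CONSUMER = "222222222222"   # assumption: grantee/consumer account
TAG_KEY, TAG_VALUE = "Confidentiality", "public"   # tag from the page
ACCOUNT_ID = re.compile(r"^\d{12}$")


def lf_tag(catalog_id: str) -> dict:
    """LF-Tag owned by catalog_id (each account defines its own)."""
    return {"CatalogId": catalog_id, "TagKey": TAG_KEY, "TagValues": [TAG_VALUE]}


def tag_policy(catalog_id: str, resource_type: str) -> dict:
    """LFTagPolicy resource: all DATABASE/TABLE objects whose tags match the expression."""
    return {"LFTagPolicy": {"CatalogId": catalog_id, "ResourceType": resource_type,
                            "Expression": [{"TagKey": TAG_KEY, "TagValues": [TAG_VALUE]}]}}


def grant(catalog_id, principal, resource, perms, grantable=()):
    return ("lakeformation", "grant_permissions", {
        "CatalogId": catalog_id,
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": resource,
        "Permissions": list(perms),
        "PermissionsWithGrantOption": list(grantable)})


def tag_resource(actor, resource):
    """Assign the actor account's own LF-Tag to resource (which carries its own CatalogId)."""
    return ("lakeformation", "add_lf_tags_to_resource",
            {"CatalogId": actor, "Resource": resource, "LFTags": [lf_tag(actor)]})


def producer_requests(db, table):
    """Steps run in the producer account: define, assign, grant to CONSUMER."""
    tag = lf_tag(PRODUCER)
    return [
        ("lakeformation", "create_lf_tag", tag),
        tag_resource(PRODUCER, {"Database": {"CatalogId": PRODUCER, "Name": db}}),
        tag_resource(PRODUCER, {"Table": {"CatalogId": PRODUCER, "DatabaseName": db, "Name": table}}),
        # Consumer admin must see the tag and be able to re-grant it, hence the grant option.
        grant(PRODUCER, CONSUMER, {"LFTag": tag}, ["DESCRIBE"], ["DESCRIBE"]),
        grant(PRODUCER, CONSUMER, tag_policy(PRODUCER, "DATABASE"), ["DESCRIBE"], ["DESCRIBE"]),
        grant(PRODUCER, CONSUMER, tag_policy(PRODUCER, "TABLE"),
              ["SELECT", "DESCRIBE"], ["SELECT", "DESCRIBE"]),
    ]


def consumer_requests(db, table, link_db, role_arn):
    """Steps run in the consumer account once the cross-account grant is in place."""
    shared_db = {"Database": {"CatalogId": PRODUCER, "Name": db}}
    shared_tbl = {"Table": {"CatalogId": PRODUCER, "DatabaseName": db, "Name": table}}
    link = {"Database": {"CatalogId": CONSUMER, "Name": link_db}}
    return [
        # Resource link: a local database pointing at the shared one (shows up in Athena).
        ("glue", "create_database", {"DatabaseInput": {
            "Name": link_db, "TargetDatabase": {"CatalogId": PRODUCER, "DatabaseName": db}}}),
        # Separate LF-Tag owned by this account, assigned to the shared objects and the link.
        ("lakeformation", "create_lf_tag", lf_tag(CONSUMER)),
        tag_resource(CONSUMER, shared_db),
        tag_resource(CONSUMER, shared_tbl),
        tag_resource(CONSUMER, link),
        # Local IAM principal: direct grants, no grant option needed.
        grant(CONSUMER, role_arn, {"LFTag": lf_tag(CONSUMER)}, ["DESCRIBE"]),
        grant(CONSUMER, role_arn, tag_policy(CONSUMER, "DATABASE"), ["DESCRIBE"]),
        grant(CONSUMER, role_arn, tag_policy(CONSUMER, "TABLE"), ["SELECT", "DESCRIBE"]),
    ]


def missing_grant_option(requests):
    """Grants to an external account (12-digit principal) whose permissions are not all grantable."""
    bad = []
    for _svc, api, kw in requests:
        if api == "grant_permissions" and ACCOUNT_ID.match(kw["Principal"]["DataLakePrincipalIdentifier"]):
            if set(kw["Permissions"]) - set(kw["PermissionsWithGrantOption"]):
                bad.append(kw["Resource"])
    return bad


def apply(clients, requests):
    """clients: {"lakeformation": obj, "glue": obj}, e.g. boto3.client(...) for the right account."""
    return [getattr(clients[svc], api)(**kw) for svc, api, kw in requests]


class Recorder:
    """Dry-run stand-in for a boto3 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw)) or {"Api": name}


if __name__ == "__main__":
    role = "arn:aws-cn:iam::222222222222:role/analyst"   # assumption: consumer-side role
    reqs = producer_requests("sales", "orders") + consumer_requests("sales", "orders", "sales_link", role)
    assert not missing_grant_option(reqs), "cross-account grant without grant option"
    rec = Recorder()
    apply({"lakeformation": rec, "glue": rec}, reqs)
    for name, kw in rec.calls:
        print(name, kw.get("Principal", kw.get("Resource", kw.get("DatabaseInput"))))
```

Run `producer_requests` with credentials for the producer account and `consumer_requests` with credentials for the consumer account; the `Recorder` is only there to review the payloads before they are sent. The `missing_grant_option` check encodes the constraint from the note above: a consumer data lake administrator cannot pass on what it cannot grant, so any cross-account grant lacking `PermissionsWithGrantOption` will silently leave the consumer's own principals without access.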