Viewing all cross-account grants using the GetResourceShares API operation - Amazon Lake Formation
If your enterprise grants cross-account permissions using both an Amazon Glue Data Catalog resource policy and Lake Formation grants, the only way to view all cross-account grants in one place is to use the glue:GetResourceShares API operation.

When you grant Lake Formation permissions across accounts by using the named resource method, Amazon Resource Access Manager (Amazon RAM) creates an Amazon Identity and Access Management (IAM) resource policy and stores it in your Amazon account. The policy grants the permissions required to access the resource. Amazon RAM creates a separate resource policy for each cross-account grant. You can view all of these policies by using the glue:GetResourceShares API operation.

Note

This operation also returns the Data Catalog resource policy. However, if you enabled metadata encryption in the Data Catalog settings and you don't have permission on the Amazon KMS key, the operation won't return the Data Catalog resource policy.

To view all cross-account grants
  • Enter the following Amazon CLI command.

    aws glue get-resource-policies

The following is an example resource policy that Amazon RAM creates and stores when you grant permissions on table t in database db1 to Amazon account 1111-2222-3333.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:GetTableVersion",
                    "glue:GetTableVersions",
                    "glue:GetPartition",
                    "glue:GetPartitions",
                    "glue:BatchGetPartition",
                    "glue:SearchTables"
                ],
                "Principal": {"AWS": ["111122223333"]},
                "Resource": ["arn:aws:glue:<region>:111122223333:table/db1/t"]
            }
        ]
    }
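As an added example (not code from the Lake Formation documentation), the following Python flattens the policies returned by get-resource-policies into one row per principal and flags principals other than the owning account as cross-account and "*" as public. It runs against a constructed response that uses the real API field names (GetResourcePoliciesResponseList, PolicyInJson, PolicyHash) but made-up account IDs and a hypothetical second policy.

```python
import json
import re
from typing import Any, Dict, List

ACCOUNT_ID = re.compile(r"\b(\d{12})\b")  # bare account ID or the ID inside an IAM ARN

# Constructed sample shaped like the GetResourcePolicies response (field names are the
# real API's; account IDs, hashes and the second policy are made up for illustration).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "GetResourcePoliciesResponseList": [
        {"PolicyHash": "constructed-hash-1", "PolicyInJson": json.dumps({
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["glue:GetTable", "glue:GetTables", "glue:GetPartitions"],
            "Principal": {"AWS": ["111122223333"]},
            "Resource": ["arn:aws:glue:us-east-1:999988887777:table/db1/t"]}]})},
        {"PolicyHash": "constructed-hash-2", "PolicyInJson": json.dumps({
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": "glue:GetDatabase",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Resource": "arn:aws:glue:us-east-1:999988887777:database/db1"}]})},
    ]
}


def _as_list(value: Any) -> List[Any]:
    """IAM policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _principal_accounts(principal: Any) -> List[str]:
    """Account IDs named by a statement's Principal; '*' (anyone) is passed through."""
    if principal == "*":
        return ["*"]
    return [(m.group(1) if (m := ACCOUNT_ID.search(e)) else e) for e in _as_list(principal.get("AWS"))]


def summarize_grants(response: Dict[str, Any], owner_account: str) -> List[Dict[str, Any]]:
    """One row per (Allow statement, principal) across every returned policy, marking
    principals other than the owning account as cross-account and '*' as public."""
    rows = []
    for policy in response.get("GetResourcePoliciesResponseList", []):
        for stmt in _as_list(json.loads(policy["PolicyInJson"]).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue  # only Allow statements grant access
            for account in _principal_accounts(stmt.get("Principal", {})):
                rows.append({"principal": account, "actions": _as_list(stmt.get("Action")),
                             "resources": _as_list(stmt.get("Resource")),
                             "cross_account": account != owner_account,
                             "public": account == "*"})
    return rows
```

With boto3 installed, passing `boto3.client("glue").get_resource_policies()` in place of the sample audits a live account (follow NextToken for further pages). A shorter result than expected can mean the Data Catalog policy was withheld for lack of permission on the KMS key, as the note above describes.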