Step 2: Lake Formation cross-account sharing prerequisites
Before sharing resources with Lake Formation, there are prerequisites for both the tag-based access control method and named resource method.
Complete tag-based access control cross-account data sharing prerequisites
For more information on cross-account data sharing requirements, see the Prerequisites section in the Cross-account data sharing chapter.
To share Data Catalog resources with version 3 or above of the Cross account version settings, the grantor must have the IAM permissions defined in the Amazon managed policy AWSLakeFormationCrossAccountManager in your account.

If you are using version 1 or version 2 of the Cross account version settings, before you can use the tag-based access control method to grant cross-account access to resources, you must add the following JSON permissions object to the Data Catalog resource policy in the producer account. This gives the consumer account permission to access the Data Catalog when glue:EvaluatedByLakeFormationTags is true. This condition becomes true for resources on which you granted permission to the consumer's account using Lake Formation permission tags. This policy is required for every Amazon Web Services account to which you are granting permissions.

The following policy must be within a Statement element. We discuss the full IAM policy in the next section.

{
    "Effect": "Allow",
    "Action": [ "glue:*" ],
    "Principal": { "AWS": [ "consumer-account-id" ] },
    "Resource": [
        "arn:aws:glue:region:account-id:table/*",
        "arn:aws:glue:region:account-id:database/*",
        "arn:aws:glue:region:account-id:catalog"
    ],
    "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": true } }
}
Complete named resource method cross-account sharing prerequisites
If there is no Data Catalog resource policy in your account, the Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your cross-account grants to succeed if they’re made with the named resource method. If you plan to use only the named resource method, or only the tag-based access control method, you can skip this step. In this tutorial, we evaluate both methods, and we need to add the following policy.
The following policy must be within a Statement element. We discuss the full IAM policy in the next section.

{
    "Effect": "Allow",
    "Action": [ "glue:ShareResource" ],
    "Principal": { "Service": "ram.amazonaws.com" },
    "Resource": [
        "arn:aws:glue:region:account-id:table/*/*",
        "arn:aws:glue:region:account-id:database/*",
        "arn:aws:glue:region:account-id:catalog"
    ]
}

Next, add the Amazon Glue Data Catalog resource policy using the Amazon Command Line Interface (Amazon CLI).
If you grant cross-account permissions by using both the tag-based access control method and the named resource method, you must set the EnableHybrid argument to 'true' when adding the preceding policies. This option is not currently supported on the console, so you must use the glue:PutResourcePolicy API through the Amazon CLI.

First, create a policy document (such as policy.json) and add the preceding two policies. Replace consumer-account-id with the account ID of the Amazon Web Services account receiving the grant, region with the Region of the Data Catalog containing the databases and tables that you are granting permissions on, and account-id with the producer Amazon Web Services account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": { "Service": "ram.amazonaws.com" },
            "Action": "glue:ShareResource",
            "Resource": [
                "arn:aws:glue:region:account-id:table/*/*",
                "arn:aws:glue:region:account-id:database/*",
                "arn:aws:glue:region:account-id:catalog"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": { "AWS": "consumer-account-id" },
            "Action": "glue:*",
            "Resource": [
                "arn:aws:glue:region:account-id:table/*/*",
                "arn:aws:glue:region:account-id:database/*",
                "arn:aws:glue:region:account-id:catalog"
            ],
            "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": "true" } }
        }
    ]
}

Enter the following Amazon CLI command. Replace glue-resource-policy with the correct values (such as file://policy.json).

aws glue put-resource-policy --policy-in-json glue-resource-policy --enable-hybrid TRUE

For more information, see put-resource-policy.
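As an added example (it is not part of this tutorial or of the Amazon documentation), the following Python script fills in the region, account-id and consumer-account-id placeholders to produce the hybrid policy document described above, and then checks the properties a producer account would want to confirm before handing the file to put-resource-policy: no placeholder left unreplaced, every resource ARN staying inside the producer's own Data Catalog, no wildcard principal, and every statement that grants glue:* to another account carrying the glue:EvaluatedByLakeFormationTags condition (without that condition, the consumer would receive Glue API access that Lake Formation tag permissions never evaluate). The account IDs and Region used in the sample run are constructed, and the function names are this example's own.

```python
"""Build and sanity-check the hybrid Glue Data Catalog resource policy.

Added example, not part of the tutorial. Placeholders (region, account-id,
consumer-account-id) are filled in, then the result is checked before it is
passed to `aws glue put-resource-policy --enable-hybrid TRUE`.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_hybrid_policy(region, producer_account_id, consumer_account_ids):
    """Return the two-statement policy from this step as a dict."""
    for acct in [producer_account_id, *consumer_account_ids]:
        if not ACCOUNT_ID_RE.match(acct):
            raise ValueError(f"not a 12-digit account ID: {acct!r}")
    prefix = f"arn:aws:glue:{region}:{producer_account_id}"
    resources = [f"{prefix}:table/*/*", f"{prefix}:database/*", f"{prefix}:catalog"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # named resource method: lets RAM create the resource share
                "Effect": "Allow",
                "Principal": {"Service": "ram.amazonaws.com"},
                "Action": "glue:ShareResource",
                "Resource": resources,
            },
            {
                # tag-based method: Glue access for the consumer only where
                # Lake Formation tag permissions evaluate to true
                "Effect": "Allow",
                "Principal": {"AWS": list(consumer_account_ids)},
                "Action": "glue:*",
                "Resource": resources,
                "Condition": {"Bool": {"glue:EvaluatedByLakeFormationTags": "true"}},
            },
        ],
    }


def check_policy(policy, producer_account_id):
    """Return a list of problems found; an empty list means the policy passed."""
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []

        # 1. placeholders left over from the template
        for text in json.dumps(stmt).split('"'):
            if "account-id" in text or text == "region":
                problems.append(f"statement {i}: unreplaced placeholder {text!r}")

        # 2. every ARN must point at the producer's own catalog
        for arn in resources:
            parts = arn.split(":")
            if len(parts) < 6 or parts[2] != "glue" or parts[4] != producer_account_id:
                problems.append(f"statement {i}: resource {arn!r} is outside account {producer_account_id}")

        # 3. no anonymous principal: a resource policy is evaluated for every caller
        if principal == "*" or "*" in aws_principals:
            problems.append(f"statement {i}: wildcard principal")

        # 4. blanket glue:* for another account must be gated on LF tags, or the
        #    consumer gets catalog access that Lake Formation never evaluates
        grants_all_glue = any(a in ("*", "glue:*") for a in actions)
        cond = stmt.get("Condition", {}).get("Bool", {}).get("glue:EvaluatedByLakeFormationTags")
        if grants_all_glue and aws_principals and str(cond).lower() != "true":
            problems.append(
                f"statement {i}: glue:* for {aws_principals} without glue:EvaluatedByLakeFormationTags"
            )
    return problems


if __name__ == "__main__":
    # constructed sample IDs and Region; substitute your own values
    policy = build_hybrid_policy("us-east-1", "111122223333", ["444455556666"])
    issues = check_policy(policy, "111122223333")
    if issues:
        raise SystemExit("\n".join(issues))
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=4)
    print("aws glue put-resource-policy --policy-in-json file://policy.json --enable-hybrid TRUE")
```

Running the script writes policy.json and prints the put-resource-policy command to run next; if you edit the policy by hand afterwards, run check_policy over the edited file again, since the page's own template (with region:account-id still in the Principal field) is exactly the kind of document the placeholder check is meant to reject.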