Step 2: Lake Formation cross-account sharing prerequisites - Amazon Lake Formation

Step 2: Lake Formation cross-account sharing prerequisites

Before sharing resources with Lake Formation, there are prerequisites for both the tag-based access control method and named resource method.

Complete tag-based access control cross-account data sharing prerequisites
  • For more information on cross-account data sharing requirements, see the Prerequisites section in the Cross-account data sharing chapter.

    To share Data Catalog resources with version 3 or above of the Cross account version settings, the grantor must have the IAM permissions defined in the Amazon managed policy AWSLakeFormationCrossAccountManager in your account.

    If you are using version 1 or version 2 of the Cross account version settings, you must add the following JSON permissions object to the Data Catalog resource policy in the producer account before you can use the tag-based access control method to grant cross-account access to resources. It gives the consumer account permission to access the Data Catalog when glue:EvaluatedByLakeFormationTags is true, and that condition is true for resources on which you granted permission to the consumer account by using Lake Formation permission tags. This policy is required for every Amazon Web Services account to which you are granting permissions.

    The following policy must be within a Statement element. We discuss the full IAM policy in the next section.

    { "Effect": "Allow", "Action": [ "glue:*" ], "Principal": { "AWS": [ "consumer-account-id" ] }, "Resource": [ "arn:aws:glue:region:account-id:table/*", "arn:aws:glue:region:account-id:database/*", "arn:aws:glue:region:account-id:catalog" ], "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": true } } }
Complete named resource method cross-account sharing prerequisites
  1. If there is no Data Catalog resource policy in your account, the Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your cross-account grants to succeed if they’re made with the named resource method. If you plan to use only the named resource method, or only the tag-based access control method, you can skip this step. In this tutorial, we evaluate both methods, and we need to add the following policy.

    The following policy must be within a Statement element. We discuss the full IAM policy in the next section.

    { "Effect": "Allow", "Action": [ "glue:ShareResource" ], "Principal": { "Service":"ram.amazonaws.com" }, "Resource": [ "arn:aws:glue:region:account-id:table/*/*", "arn:aws:glue:region:account-id:database/*", "arn:aws:glue:region:account-id:catalog" ] }
  2. Next, add the Amazon Glue Data Catalog resource policy using the Amazon Command Line Interface (Amazon CLI).

    If you grant cross-account permissions by using both the tag-based access control method and the named resource method, you must set the EnableHybrid argument to ‘true’ when adding the preceding policies. This option is not currently supported on the console, so you must use the glue:PutResourcePolicy API or the Amazon CLI.

    First, create a policy document (such as policy.json) and add the preceding two policies. Replace consumer-account-id with the account ID of the Amazon Web Services account receiving the grant, region with the Region of the Data Catalog containing the databases and tables that you are granting permissions on, and account-id with the producer Amazon Web Services account ID.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ram.amazonaws.com" }, "Action": "glue:ShareResource", "Resource": [ "arn:aws:glue:region:account-id:table/*/*", "arn:aws:glue:region:account-id:database/*", "arn:aws:glue:region:account-id:catalog" ] }, { "Effect": "Allow", "Principal": { "AWS": "region:account-id" }, "Action": "glue:*", "Resource": [ "arn:aws:glue:region:account-id:table/*/*", "arn:aws:glue:region:account-id:database/*", "arn:aws:glue:region:account-id:catalog" ], "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": "true" } } } ] }

    Enter the following Amazon CLI command. Replace glue-resource-policy with the correct values (such as file://policy.json).

    aws glue put-resource-policy --policy-in-json glue-resource-policy --enable-hybrid TRUE

    For more information, see put-resource-policy.
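As an added example (not code from the Lake Formation documentation), the following Python builds the hybrid Data Catalog resource policy from the two statements above and checks an existing policy document for both prerequisite statements and for the glue:EvaluatedByLakeFormationTags condition that keeps the consumer's glue:* grant limited to LF-Tag permissions. The region and account IDs are constructed placeholders; the generated file is what you pass to put-resource-policy with --enable-hybrid TRUE.

```python
import json

def catalog_resource_arns(region, producer_account_id):
    prefix = f"arn:aws:glue:{region}:{producer_account_id}"
    return [f"{prefix}:table/*/*", f"{prefix}:database/*", f"{prefix}:catalog"]

def build_hybrid_policy(region, producer_account_id, consumer_account_ids):
    """Data Catalog resource policy for the hybrid (named resource + LF-Tag) setup."""
    resources = catalog_resource_arns(region, producer_account_id)
    return {"Version": "2012-10-17", "Statement": [
        {  # named resource method: lets AWS RAM share the catalog resources
            "Effect": "Allow",
            "Principal": {"Service": "ram.amazonaws.com"},
            "Action": "glue:ShareResource",
            "Resource": resources},
        {  # tag-based method: consumers get Glue access only where LF-Tag grants apply
            "Effect": "Allow",
            "Principal": {"AWS": list(consumer_account_ids)},
            "Action": "glue:*",
            "Resource": resources,
            "Condition": {"Bool": {"glue:EvaluatedByLakeFormationTags": "true"}}}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal(statement):
    principal = statement.get("Principal")
    return principal if isinstance(principal, dict) else {}

def check_hybrid_policy(policy):
    """Return the prerequisite problems found; an empty list means both statements are present and scoped."""
    problems = []
    statements = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not any(_principal(s).get("Service") == "ram.amazonaws.com"
               and "glue:ShareResource" in _as_list(s.get("Action", [])) for s in statements):
        problems.append("missing glue:ShareResource statement for ram.amazonaws.com (named resource method)")
    consumer_stmts = [s for s in statements
                      if "AWS" in _principal(s) and "glue:*" in _as_list(s.get("Action", []))]
    if not consumer_stmts:
        problems.append("missing glue:* statement for the consumer account (tag-based method)")
    for s in consumer_stmts:
        flag = s.get("Condition", {}).get("Bool", {}).get("glue:EvaluatedByLakeFormationTags")
        if str(flag).lower() != "true":  # without the condition, glue:* is not limited to LF-Tag grants
            problems.append("consumer glue:* statement lacks the glue:EvaluatedByLakeFormationTags condition")
    return problems

if __name__ == "__main__":  # constructed sample IDs; write the output to policy.json
    doc = build_hybrid_policy("us-east-1", "111122223333", ["444455556666"])
    print(json.dumps(doc, indent=2), check_hybrid_policy(doc))
```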