Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting permissions to users and groups

Your data lake administrator can grant permissions to IAM Identity Center users and groups on Data Catalog resources (databases, tables, and views) to allow easy data access. To grant or revoke data lake permissions, the grantor requires permissions for the following IAM Identity Center actions.

You can grant permissions by using the Lake Formation console, the API, or the Amazon CLI.

For more information on granting permissions, see Granting and revoking permissions on Data Catalog resources.

Note

You can only grant permissions on resources in your account. To cascade permissions to users and groups on resources shared with you, you must use Amazon RAM resource shares.

Amazon Web Services Management Console
To grant permissions to users and groups
  1. Sign in to the Amazon Web Services Management Console, and open the Lake Formation console at https://console.amazonaws.cn/lakeformation/.

  2. Select Data lake permissions under Permissions in the Lake Formation console.

  3. Select Grant.

  4. On the Grant data lake permissions page, choose IAM Identity Center users and groups.

  5. Select Add to choose the users and groups to grant permissions.

    Grant data lake permissions screen with IAM Identity Center users and groups selected.
  6. On the Assign users and groups screen, choose the users and/or groups to grant permissions.

    Select Assign.

    Grant data lake permissions screen with IAM Identity Center users and groups selected.
  7. Next, choose the method to grant permissions.

    For instructions on granting permissions using named resources method, see Granting data lake permissions using the named resource method.

    For instructions on granting permission using LF-Tags, see Granting data lake permissions using the LF-TBAC method.

  8. Choose the Data Catalog resources on which you want to grant permissions.

  9. Choose the Data Catalog permissions to grant.

  10. Select Grant.

Amazon CLI

The following example shows how to grant an IAM Identity Center user SELECT permission on every table in the retail database (the resource uses TableWildcard rather than a single table name).

aws lakeformation grant-permissions \
    --principal DataLakePrincipalIdentifier=arn:aws:identitystore:::user/<UserId> \
    --permissions "SELECT" \
    --resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'

To retrieve the UserId from IAM Identity Center, see the GetUserId operation in the IAM Identity Center API Reference.
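As an added example that is not part of this documentation page, the script below resolves the UserId from a user name with the Identity Store API, grants SELECT on one named table instead of every table in the database, and then lists the principal's permissions to verify the grant. The identity store ID, user name, database and table names are hypothetical, and it assumes the AWS CLI is configured as a grantor with the required Lake Formation and Identity Store permissions.

```shell
#!/usr/bin/env sh
# Added example, not from the Lake Formation documentation.
# Hypothetical values: identity store id, user name, database and table.
set -eu

# Lake Formation principal ARN for an IAM Identity Center user.
# Partition is "aws" in standard Regions and "aws-cn" in China Regions.
principal_arn() {
  # $1 = partition (aws | aws-cn), $2 = Identity Center UserId
  printf 'arn:%s:identitystore:::user/%s' "$1" "$2"
}

# Resource JSON for a single named table. This is narrower than the
# TableWildcard form, which covers every table in the database.
table_resource() {
  # $1 = database name, $2 = table name
  printf '{"Table":{"DatabaseName":"%s","Name":"%s"}}' "$1" "$2"
}

# Resolve a UserId from the user name via the Identity Store API.
resolve_user_id() {
  # $1 = identity store id, $2 = user name
  aws identitystore get-user-id \
    --identity-store-id "$1" \
    --alternate-identifier "{\"UniqueAttribute\":{\"AttributePath\":\"UserName\",\"AttributeValue\":\"$2\"}}" \
    --query UserId --output text
}

# Grant SELECT on one table to the user, then list what the principal holds.
grant_select() {
  # $1 = partition, $2 = identity store id, $3 = user name, $4 = db, $5 = table
  user_id=$(resolve_user_id "$2" "$3")
  principal="DataLakePrincipalIdentifier=$(principal_arn "$1" "$user_id")"
  aws lakeformation grant-permissions \
    --principal "$principal" \
    --permissions SELECT \
    --resource "$(table_resource "$4" "$5")"
  # Verification: confirm the grant landed on the intended table only.
  aws lakeformation list-permissions \
    --principal "$principal" \
    --resource-type TABLE
}

# Example invocation with hypothetical values; uncomment to run:
# grant_select aws d-0123456789 analyst@example.com retail orders
```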