Granting data filter permissions
You can grant the SELECT, DESCRIBE, and DROP Lake Formation permissions on data filters to principals.
At first, only you can view the data filters that you create for a table. To enable another principal to view a data filter and grant Data Catalog permissions with the data filter, you must either:
- Grant SELECT on a table to the principal with the grant option, and apply the data filter to the grant.
- Grant the DESCRIBE or DROP permission on the data filter to the principal.
You can grant the SELECT permission to an external Amazon account. A data lake administrator in that account can then grant that permission to other principals in the account. When granting to an external account, you must include the grant option so that the administrator of the external account can further cascade the permission to other users in that account. When granting to a principal in your account, granting with the grant option is optional.
You can grant and revoke permissions on data filters by using the Amazon Lake Formation console, the API,
or the Amazon Command Line Interface (Amazon CLI).
- Console
  - Sign in to the Amazon Web Services Management Console and open the Lake Formation console at https://console.amazonaws.cn/lakeformation/.
  - In the navigation pane, under Permissions, choose Data lake permissions.
  - On the Permissions page, in the Data permissions section, choose Grant.
  - On the Grant data permissions page, choose the principals to grant the permissions to.
  - In the LF-Tags or catalog resources section, choose Named data catalog resources. Then choose the database, table, and data filter for which you want to grant permissions.
  - In the Data filter permissions section, choose the permissions you want to grant to the selected principals.
- Amazon CLI
  - Enter a grant-permissions command. Specify DataCellsFilter for the resource argument, and specify DESCRIBE or DROP for the Permissions argument and, optionally, for the PermissionsWithGrantOption argument.

  The following example grants DESCRIBE with the grant option to user datalake_user1 on the data filter restrict-pharma, which belongs to the orders table in the sales database in Amazon account 1111-2222-3333.

      aws lakeformation grant-permissions --cli-input-json file://grant-params.json

  The following are the contents of file grant-params.json.

      {
          "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
          "Resource": {
              "DataCellsFilter": {
                  "TableCatalogId": "111122223333",
                  "DatabaseName": "sales",
                  "TableName": "orders",
                  "Name": "restrict-pharma"
              }
          },
          "Permissions": ["DESCRIBE"],
          "PermissionsWithGrantOption": ["DESCRIBE"]
      }
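
The following Python check is an added example, not part of the AWS documentation. It lints a grant-params.json request against the rules on this page before the file is passed to grant-permissions. The function names, the treatment of a bare 12-digit identifier as an external account, and the account ID 444455556666 are assumptions made for illustration.

```python
import re

FILTER_PERMISSIONS = {"SELECT", "DESCRIBE", "DROP"}  # grantable on a data filter
FILTER_KEYS = ("TableCatalogId", "DatabaseName", "TableName", "Name")
ACCOUNT_ID = re.compile(r"\d{12}")


def check_filter_grant(params):
    """Return the problems found in a grant-permissions request (empty list = OK)."""
    cells_filter = params.get("Resource", {}).get("DataCellsFilter")
    if cells_filter is None:
        return ["Resource must be a DataCellsFilter"]
    problems = []
    missing = [k for k in FILTER_KEYS if not cells_filter.get(k)]
    if missing:
        problems.append("DataCellsFilter is missing: " + ", ".join(missing))
    perms = set(params.get("Permissions", []))
    grantable = set(params.get("PermissionsWithGrantOption", []))
    if perms - FILTER_PERMISSIONS:
        problems.append("not a data filter permission: "
                        + ", ".join(sorted(perms - FILTER_PERMISSIONS)))
    # Linter policy, not a rule from the page: a grant option needs its permission.
    if grantable - perms:
        problems.append("grant option without the permission: "
                        + ", ".join(sorted(grantable - perms)))
    # Assumption: an external account principal is a bare 12-digit account ID.
    principal = params.get("Principal", {}).get("DataLakePrincipalIdentifier", "")
    if ACCOUNT_ID.fullmatch(principal) and principal != cells_filter.get("TableCatalogId"):
        if perms - grantable:
            problems.append("external account needs the grant option for: "
                            + ", ".join(sorted(perms - grantable)))
    return problems


def make_grant(principal, perms, grantable):
    """Build a request for the page's restrict-pharma filter on sales.orders."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": {"DataCellsFilter": {
                "TableCatalogId": "111122223333", "DatabaseName": "sales",
                "TableName": "orders", "Name": "restrict-pharma"}},
            "Permissions": perms, "PermissionsWithGrantOption": grantable}


if __name__ == "__main__":
    user = "arn:aws:iam::111122223333:user/datalake_user1"
    print(check_filter_grant(make_grant(user, ["DESCRIBE"], ["DESCRIBE"])))
    # Constructed external account ID, SELECT granted without the grant option.
    print(check_filter_grant(make_grant("444455556666", ["SELECT"], [])))
```

To lint a real file, load it with json.load and pass the resulting dict to check_filter_grant.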