Granting data location permissions (external account)

Follow these steps to grant data location permissions to an external Amazon account or organization.

You can grant permissions by using the Lake Formation console, the API, or the Amazon Command Line Interface (Amazon CLI).

Before you begin

Ensure that all cross-account access prerequisites are satisfied. For more information, see Prerequisites.

Amazon Web Services Management Console

To grant data location permissions (external account, console)

Open the Amazon Lake Formation console at https://console.amazonaws.cn/lakeformation/. Sign in as a data lake administrator.
In the navigation pane, under Permissions, choose Data locations, and then choose Grant.
In the Grant permissions dialog box, choose the External account tile.
Provide the following information:
- For Amazon account ID or Amazon organization ID, enter valid Amazon account numbers, organization IDs, or organizational unit IDs.
  
  Press Enter after each ID.
  
  An organization ID consists of "o-" followed by 10 to 32 lower-case letters or digits.
  
  An organizational unit ID consists of "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" (hyphen) and 8 to 32 additional lowercase letters or digits.
- Under Storage locations, choose Browse, and choose an Amazon Simple Storage Service (Amazon S3) storage location. The location must be registered with Lake Formation.
Select Grantable.
Choose Grant.

Amazon CLI

To grant data location permissions (external account, Amazon CLI)

To grant permissions to an external Amazon account, enter a command similar to the following.


aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333  --permissions "DATA_LOCATION_ACCESS" --permissions-with-grant-option "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"CatalogId":"123456789012","ResourceArn":"arn:aws:s3::retail/transactions/2020q1"}}'

This command grants DATA_LOCATION_ACCESS with the grant option to account 1111-2222-3333 on the Amazon S3 location s3://retail/transactions/2020q1, which is owned by account 1234-5678-9012.

To grant permissions to an organization, enter a command similar to the following.


aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "DATA_LOCATION_ACCESS" --permissions-with-grant-option "DATA_LOCATION_ACCESS" --resource '{"DataLocation": {"CatalogId":"123456789012","ResourceArn":"arn:aws:s3::retail/transactions/2020q1"}}'

This command grants DATA_LOCATION_ACCESS with grant option to the organization o-abcdefghijkl on the Amazon S3 location s3://retail/transactions/2020q1, which is owned by account 1234-5678-9012.

To grant permissions to a principal in an external Amazon account, enter a command similar to the following.


aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3::retail/transactions/2020q1", "CatalogId": "123456789012"}}'

This command grants DATA_LOCATION_ACCESS to a principal in account 1111-2222-3333 on the Amazon S3 location s3://retail/transactions/2020q1, which is owned by account 1234-5678-9012.

The following example grants data location permissions on s3://retail to ALLIAMPrincipals group in an external account.


aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail", "CatalogId": "123456789012"}}'

Granting data location permissions (external account)

Before you begin

To grant data location permissions (external account, console)

To grant data location permissions (external account, Amazon CLI)

See Also: