# Granting data location permissions (external account)
<a name="granting-location-permissions-external"></a>

Follow these steps to grant data location permissions to an external Amazon account or organization. 

You can grant permissions by using the Lake Formation console, the API, or the Amazon Command Line Interface (Amazon CLI).

**Before you begin**  
Ensure that all cross-account access prerequisites are satisfied. For more information, see [Prerequisites](cross-account-prereqs.md).

------
#### [ Amazon Web Services Management Console ]

**To grant data location permissions (external account, console)**

1. Open the Amazon Lake Formation console at [https://console.amazonaws.cn/lakeformation/](https://console.amazonaws.cn/lakeformation/). Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, choose **Data locations**, and then choose **Grant**.

1. In the **Grant permissions** dialog box, choose the **External account** tile.

1. Provide the following information:
   + For **Amazon account ID or Amazon organization ID**, enter valid Amazon account numbers, organization IDs, or organizational unit IDs.

     Press **Enter** after each ID.

     An organization ID consists of "o-" followed by 10 to 32 lowercase letters or digits.

     An organizational unit ID consists of "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" (hyphen) and 8 to 32 additional lowercase letters or digits.
   + Under **Storage locations**, choose **Browse**, and choose an Amazon Simple Storage Service (Amazon S3) storage location. The location must be registered with Lake Formation.  
![The Grant permission dialog has the External account radio button selected, an Amazon account specified, and a storage location specified.](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/images/grant-location-dialog-external.png)

1. Select **Grantable**.

1. Choose **Grant**.

------
#### [ Amazon CLI ]

**To grant data location permissions (external account, Amazon CLI)**
+ To grant permissions to an external Amazon account, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions \
      --principal DataLakePrincipalIdentifier=111122223333 \
      --permissions "DATA_LOCATION_ACCESS" \
      --permissions-with-grant-option "DATA_LOCATION_ACCESS" \
      --resource '{"DataLocation": {"CatalogId": "123456789012", "ResourceArn": "arn:aws:s3:::retail/transactions/2020q1"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` with the grant option to account 1111-2222-3333 on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.

  To grant permissions to an organization, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions \
      --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl \
      --permissions "DATA_LOCATION_ACCESS" \
      --permissions-with-grant-option "DATA_LOCATION_ACCESS" \
      --resource '{"DataLocation": {"CatalogId": "123456789012", "ResourceArn": "arn:aws:s3:::retail/transactions/2020q1"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` with the grant option to the organization `o-abcdefghijkl` on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.

  To grant permissions to a principal in an external Amazon account, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions \
      --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 \
      --permissions "DATA_LOCATION_ACCESS" \
      --resource '{"DataLocation": {"CatalogId": "123456789012", "ResourceArn": "arn:aws:s3:::retail/transactions/2020q1"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` (without the grant option) to a single IAM principal in account 1111-2222-3333 on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.

  **Example**  
  The following example grants data location permissions on `s3://retail` to the `ALLIAMPrincipals` group (every IAM principal) in an external account.

  ```
  aws lakeformation grant-permissions \
      --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals \
      --permissions "DATA_LOCATION_ACCESS" \
      --resource '{"DataLocation": {"CatalogId": "123456789012", "ResourceArn": "arn:aws:s3:::retail"}}'
  ```
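The following Python helper is an added example; it is not part of the Lake Formation documentation or of the AWS CLI. It validates the principal identifier formats described in the console procedure above (12-digit account IDs, `o-` organization IDs and `ou-` organizational unit IDs) together with the IAM principal ARN and `<account>:IAMPrincipals` forms used in the CLI examples, converts an `s3://` location into the `ResourceArn` that the `DataLocation` resource expects, and assembles the request dictionary that `boto3.client("lakeformation").grant_permissions(**request)` accepts. The grant option is off by default, so a caller has to opt in to making the external principal able to re-grant. The organization ARN form follows the CLI example on this page; the organizational unit ARN form and the requirement to pass the organization's management account ID are assumptions of this example and are not taken from the page.

```python
import re
from typing import Dict, Optional

# Identifier formats as documented for the Grant permissions dialog.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
# IAM user or role ARN in an external account (form used in the CLI example).
IAM_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:(?:user|role)/[\w+=,.@/-]+$")
# "<account>:IAMPrincipals" addresses all IAM principals in that account.
ALL_IAM_PRINCIPALS_RE = re.compile(r"^\d{12}:IAMPrincipals$")

DATA_LOCATION_ACCESS = "DATA_LOCATION_ACCESS"


def classify_principal(identifier: str) -> str:
    """Return the kind of external principal an identifier denotes; reject anything else."""
    if ACCOUNT_ID_RE.match(identifier):
        return "account"
    if ORG_ID_RE.match(identifier):
        return "organization"
    if OU_ID_RE.match(identifier):
        return "organizational_unit"
    if IAM_ARN_RE.match(identifier):
        return "iam_principal"
    if ALL_IAM_PRINCIPALS_RE.match(identifier):
        return "all_iam_principals"
    raise ValueError(f"unrecognized principal identifier: {identifier!r}")


def external_principal_identifier(
    identifier: str,
    management_account_id: Optional[str] = None,
    org_id: Optional[str] = None,
    partition: str = "aws",
) -> str:
    """Build the DataLakePrincipalIdentifier string for the CLI/API from a console-style ID.

    Accounts, IAM ARNs and the IAMPrincipals form are passed through unchanged. Organization
    and OU IDs are turned into Organizations ARNs, which need the management account ID
    (assumption of this example: the page shows the organization ARN but not where the
    account in it comes from).
    """
    kind = classify_principal(identifier)
    if kind in ("account", "iam_principal", "all_iam_principals"):
        return identifier
    if not (management_account_id and ACCOUNT_ID_RE.match(management_account_id)):
        raise ValueError("organization/OU principals need a 12-digit management account ID")
    if kind == "organization":
        return f"arn:{partition}:organizations::{management_account_id}:organization/{identifier}"
    # Organizational unit: ARN also carries the organization ID (assumed format).
    if not (org_id and ORG_ID_RE.match(org_id)):
        raise ValueError("an OU principal needs the organization ID it belongs to")
    return f"arn:{partition}:organizations::{management_account_id}:ou/{org_id}/{identifier}"


def s3_uri_to_arn(uri: str, partition: str = "aws") -> str:
    """Convert s3://bucket/prefix into the ARN used in DataLocation.ResourceArn."""
    if not uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    path = uri[len("s3://"):].strip("/")
    bucket, _, key = path.partition("/")
    if not bucket:
        raise ValueError("missing bucket name")
    # S3 ARNs have an empty region and account field: arn:aws:s3:::bucket/key
    return f"arn:{partition}:s3:::{bucket}" + (f"/{key}" if key else "")


def build_grant_request(
    principal: str, location_uri: str, owner_account_id: str, grantable: bool = False
) -> Dict:
    """Assemble the keyword arguments for lakeformation.grant_permissions().

    `grantable` maps to the console's Grantable checkbox / the CLI's
    --permissions-with-grant-option and is off unless explicitly requested.
    """
    if not ACCOUNT_ID_RE.match(owner_account_id):
        raise ValueError("CatalogId must be the 12-digit account that registered the location")
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {
            "DataLocation": {
                "CatalogId": owner_account_id,
                "ResourceArn": s3_uri_to_arn(location_uri),
            }
        },
        "Permissions": [DATA_LOCATION_ACCESS],
    }
    if grantable:
        request["PermissionsWithGrantOption"] = [DATA_LOCATION_ACCESS]
    return request


if __name__ == "__main__":
    # Constructed values mirroring the CLI examples above; no AWS call is made here.
    principal = external_principal_identifier("o-abcdefghijkl", management_account_id="111122223333")
    print(build_grant_request(principal, "s3://retail/transactions/2020q1", "123456789012", grantable=True))
```

To actually apply the grant, pass the returned dictionary to `boto3.client("lakeformation").grant_permissions(**request)` from a session that carries data lake administrator credentials in the owning account.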

------

**See Also:**  
[Lake Formation permissions reference](lf-permissions-reference.md)