Granting data location permissions (same account)
Follow these steps to grant data location permissions to principals in your Amazon account. You can grant permissions by using the Lake Formation console, the API, or the Amazon Command Line Interface (Amazon CLI).
To grant data location permissions (same account, console)
- Open the Amazon Lake Formation console at https://console.amazonaws.cn/lakeformation/. Sign in as a data lake administrator or as a principal who has grant permissions on the desired data location.
- In the navigation pane, under Permissions, choose Data locations.
- Choose Grant.
- In the Grant permissions dialog box, ensure that the My account tile is selected. Then provide the following information:
  - For IAM users and roles, choose one or more principals.
  - For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon QuickSight users or groups. Enter one ARN at a time, and press Enter after each ARN. For information about how to construct the ARNs, see Lake Formation grant and revoke Amazon CLI commands.
  - For Storage locations, choose Browse, and choose an Amazon Simple Storage Service (Amazon S3) storage location. The location must be registered with Lake Formation. Choose Browse again to add another location. You can also type the location, but ensure that you precede the location with s3://.
  - For Registered account location, enter the Amazon account ID where the location is registered. This defaults to your account ID. In a cross-account scenario, data lake administrators in a recipient account can specify the owner account here when granting the data location permission to other principals in the recipient account.
  - (Optional) To enable the selected principals to grant data location permissions on the selected location to others, select Grantable. Leave it cleared unless you intend those principals to delegate the permission.
- Choose Grant.
To grant data location permissions (same account, Amazon CLI)
- Run a grant-permissions command, and grant DATA_LOCATION_ACCESS to the principal, specifying the Amazon S3 path as the resource.

  The following example grants data location permissions on s3://retail to the user datalake_user1:

  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail"}}'

  The following example grants data location permissions on s3://retail to the ALLIAMPrincipals group, that is, to every IAM principal in account 111122223333. CatalogId is the account where the location is registered (the Registered account location field in the console):

  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail", "CatalogId": "111122223333"}}'
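As an added example that is not part of the Lake Formation documentation, the CLI procedure above wrapped in POSIX shell helpers: they convert an s3:// location into the ARN that --resource expects (rejecting paths without the s3:// prefix), build the principal identifier for either an ARN or the ALLIAMPrincipals group of an account, issue the grant with or without the grant option (the console's Grantable checkbox, which on the CLI is --permissions-with-grant-option), and read the resulting DATA_LOCATION grants back with list-permissions so the change can be checked. The helper names and the AWS_CMD variable are assumptions of this example; the aws lakeformation subcommands and flags are the real ones.

```shell
#!/bin/sh
# Added example, not code from the Lake Formation documentation.
# Assumption: AWS_CMD lets a caller substitute a stub (e.g. echo) for the
# real `aws` binary to dry-run the generated commands.
AWS_CMD="${AWS_CMD:-aws}"

# Turn an s3:// URI into the ARN form that --resource expects.
# Anything without the s3:// prefix is rejected rather than guessed at.
s3_uri_to_arn() {
  case "$1" in
    s3://?*) printf 'arn:aws:s3:::%s\n' "${1#s3://}" ;;
    *) echo "not an s3:// URI: $1" >&2; return 1 ;;
  esac
}

# JSON for --resource. The optional second argument is the account where the
# location is registered (CatalogId, the console's Registered account location).
data_location_resource() {
  arn=$(s3_uri_to_arn "$1") || return 1
  if [ -n "$2" ]; then
    printf '{"DataLocation":{"ResourceArn":"%s","CatalogId":"%s"}}\n' "$arn" "$2"
  else
    printf '{"DataLocation":{"ResourceArn":"%s"}}\n' "$arn"
  fi
}

# Principal identifier: any ARN (IAM user/role, SAML or QuickSight) as given,
# or a bare 12-digit account ID, which becomes that account's ALLIAMPrincipals
# group written as <account-id>:IAMPrincipals.
principal_id() {
  case "$1" in
    arn:*) printf '%s\n' "$1" ;;
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9])
      printf '%s:IAMPrincipals\n' "$1" ;;
    *) echo "unsupported principal: $1" >&2; return 1 ;;
  esac
}

# lf_grant_location <principal> <s3-uri> [registered-account-id] [yes]
# A fourth argument of "yes" also grants the grant option, so the grantee can
# pass DATA_LOCATION_ACCESS on to others (the console's Grantable checkbox).
lf_grant_location() {
  p=$(principal_id "$1") || return 1
  r=$(data_location_resource "$2" "$3") || return 1
  if [ "$4" = "yes" ]; then
    "$AWS_CMD" lakeformation grant-permissions \
      --principal "DataLakePrincipalIdentifier=$p" \
      --permissions DATA_LOCATION_ACCESS \
      --permissions-with-grant-option DATA_LOCATION_ACCESS \
      --resource "$r"
  else
    "$AWS_CMD" lakeformation grant-permissions \
      --principal "DataLakePrincipalIdentifier=$p" \
      --permissions DATA_LOCATION_ACCESS \
      --resource "$r"
  fi
}

# lf_list_location_grants <s3-uri> [registered-account-id]
# Read back every DATA_LOCATION grant on one location, which is how to confirm
# the grant landed and to spot over-broad ALLIAMPrincipals grants.
lf_list_location_grants() {
  r=$(data_location_resource "$1" "$2") || return 1
  "$AWS_CMD" lakeformation list-permissions \
    --resource-type DATA_LOCATION \
    --resource "$r"
}
```

Dry-run with `AWS_CMD=echo sh -c '. ./lf.sh; lf_grant_location 111122223333 s3://retail 111122223333 yes'` to see the exact command before issuing it against the account; with the real `aws` binary, follow the grant with `lf_list_location_grants s3://retail 111122223333` and check that only the intended principals appear.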