Granting catalog permissions using the named resource method
The following steps explain how to grant catalog permissions by using the named resource method.
Console

Use the Grant data lake permissions page on the Lake Formation console. The page is divided into the following sections:
- Principals – The IAM users, roles, IAM Identity Center users and groups, SAML users and groups, Amazon accounts, organizations, or organizational units to grant permissions to.
- LF-Tags or catalog resources – The catalogs, databases, tables, views, or resource links to grant permissions on.
- Permissions – The Lake Formation permissions to grant.
Note
To grant permissions on a database resource link, see Granting resource link permissions.
1. Open the Grant data lake permissions page.
   Open the Amazon Lake Formation console at https://console.aws.amazon.com/lakeformation/ and sign in as a data lake administrator, the database creator, or an IAM user who has Grantable permissions on the database. Do one of the following:
   - In the navigation pane, under Permissions, choose Data lake permissions. Then choose Grant.
   - In the navigation pane, choose Catalogs under Data Catalog. Then, on the Catalogs page, choose a catalog, and from the Actions menu, under Permissions, choose Grant.
   Note
   You can also grant permissions on a catalog through its resource link. To do so, on the Catalogs page, choose the catalog's resource link, and on the Actions menu, choose Grant on target. For more information, see How resource links work in Lake Formation.
2. In the Principals section, choose a principal type and then specify the principals to grant permissions to.
   - IAM users and roles
     Choose one or more users or roles from the IAM users and roles list.
   - IAM Identity Center
     Choose one or more users or groups from the Users and groups list. Select Add to add more users or groups.
   - SAML users and groups
     For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon QuickSight users or groups. Press Enter after each ARN.
     For information about how to construct the ARNs, see Lake Formation grant and revoke Amazon CLI commands.
     Note
     Lake Formation integration with Amazon QuickSight is supported only for Amazon QuickSight Enterprise Edition.
   - External accounts
     For an Amazon Web Services account, an Amazon organization, or an IAM principal, enter one or more valid Amazon account IDs, organization IDs, organizational unit IDs, or ARNs of IAM users or roles. Press Enter after each ID.
     An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.
     An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8–32 additional lowercase letters or digits.
3. In the LF-Tags or catalog resources section, choose Named data catalog resources.
4. Choose one or more catalogs from the Catalogs list. You can also choose one or more Databases, Tables, and/or Data filters.
5. In the Catalog permissions section, select permissions and grantable permissions. Under Catalog permissions, select one or more permissions to grant.
   Choose Super user to grant unrestricted administrative privileges to perform any operation on all resources within the catalog (databases, tables, and views). Because this grants every operation on every current and future object in the catalog, reserve it for administrative principals and prefer the narrowest permission that covers the principal's task.
   Note
   After granting Create database or Alter on a catalog whose location property points to a registered location, be sure to also grant data location permissions on that location to the same principals; without them, the principals can create the metadata but not use the underlying storage location. For more information, see Granting data location permissions.
   (Optional) Under Grantable permissions, select the permissions that the grant recipient can grant to other principals in their Amazon account. This option is not supported when you are granting permissions to an IAM principal from an external account.
6. Choose Grant.
Amazon CLI

For granting catalog permissions using the Amazon CLI, see Creating Amazon Redshift federated catalogs.
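The console steps above leave two rules implicit: grantable permissions cannot be given to an IAM principal from another account, and Create database or Alter on a catalog with a registered location needs a matching data location grant. The following Python is an added example, not code from this page or from Lake Formation, that validates the principal identifier formats described above (the organization and OU rules come from the page; the 12-digit account ID and IAM ARN patterns, the `CatalogResource` `Id` field, and the permission names are this example's assumptions about the GrantPermissions API) and builds the request bodies you would pass to `aws lakeformation grant-permissions --cli-input-json`, applying both rules. All identifiers in the `__main__` block are constructed sample values.

```python
import json
import re

# Principal identifier formats. The organization and OU patterns follow the
# rules stated on the page; the account-ID and IAM ARN patterns are this
# example's own assumptions.
_ACCOUNT_RE = re.compile(r"^\d{12}$")
_ORG_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
_OU_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
_IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):(?:user|role)/.+$")


def classify_principal(identifier, caller_account):
    """Return (kind, is_external) for a principal string.

    kind is "account", "organization", "ou" or "iam"; is_external is True
    when the principal belongs to an account other than caller_account.
    """
    if _ACCOUNT_RE.match(identifier):
        return "account", identifier != caller_account
    if _ORG_RE.match(identifier):
        return "organization", True
    if _OU_RE.match(identifier):
        return "ou", True
    m = _IAM_ARN_RE.match(identifier)
    if m:
        return "iam", m.group(1) != caller_account
    raise ValueError(f"unrecognised principal identifier: {identifier!r}")


def build_catalog_grant(principal, caller_account, catalog_id, permissions,
                        grantable=(), catalog_location=None):
    """Build GrantPermissions request bodies for a named catalog resource.

    Returns a list of request dicts. The first grants `permissions` on the
    catalog. When CREATE_DATABASE or ALTER is granted and the catalog's
    location (an S3 ARN, assumed registered with Lake Formation) is given,
    a second DATA_LOCATION_ACCESS grant on that location is appended, as the
    page's note requires.
    """
    kind, external = classify_principal(principal, caller_account)
    grantable = list(grantable)
    # Rule from the page: no grant option for a cross-account IAM principal.
    if grantable and kind == "iam" and external:
        raise ValueError("grantable permissions are not supported for an IAM "
                         "principal from an external account")
    # Sanity check imposed by this example: only grant option on what is granted.
    if not set(grantable) <= set(permissions):
        raise ValueError("every grantable permission must also be granted")

    requests = [{
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Catalog": {"Id": catalog_id}},
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": grantable,
    }]
    if catalog_location and {"CREATE_DATABASE", "ALTER"} & set(permissions):
        requests.append({
            "Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": {"DataLocation": {"ResourceArn": catalog_location}},
            "Permissions": ["DATA_LOCATION_ACCESS"],
            "PermissionsWithGrantOption": [],
        })
    return requests


if __name__ == "__main__":
    # Constructed sample values: a same-account role, a hypothetical catalog
    # ID and a hypothetical registered S3 location.
    bodies = build_catalog_grant(
        principal="arn:aws:iam::111122223333:role/Analyst",
        caller_account="111122223333",
        catalog_id="111122223333:sales",
        permissions=["CREATE_DATABASE", "DESCRIBE"],
        grantable=["DESCRIBE"],
        catalog_location="arn:aws:s3:::example-bucket/sales/",
    )
    for body in bodies:
        print(json.dumps(body, indent=2))
```

Each emitted dict can be written to a file and submitted with `--cli-input-json file://...`; the second dict only appears when the catalog has a location and the grant includes CREATE_DATABASE or ALTER, which mirrors the console note rather than leaving the data location grant to memory.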