Converting an Amazon Glue resource to a hybrid resource
Follow these steps to register an Amazon S3 location in hybrid access mode and on-board new Lake Formation users without interrupting the existing Data Catalog users' data access.

Scenario description: The data location is not registered with Lake Formation, and users' access to the Data Catalog database and tables is determined by IAM permissions policies for Amazon S3 and Amazon Glue actions. The IAMAllowedPrincipals group by default has Super permissions on all tables in the database.
To enable hybrid access mode for a data location that is not registered with Lake Formation

Register an Amazon S3 location enabling hybrid access mode.

Console

- Sign in to the Lake Formation console as a data lake administrator.
- In the navigation pane, choose Data lake locations under Administration.
- Choose Register location.
- On the Register location window, choose the Amazon S3 path that you want to register with Lake Formation.
- For IAM role, choose either the AWSServiceRoleForLakeFormationDataAccess service-linked role (the default) or a custom IAM role that meets the requirements in Requirements for roles used to register locations.
- Choose Hybrid access mode to apply fine-grained Lake Formation access control policies to opt-in principals and Data Catalog databases and tables pointing to the registered location. Alternatively, choose Lake Formation to allow Lake Formation to authorize all access requests to the registered location.
- Choose Register location.
Amazon CLI

The following example registers a data location with Lake Formation with HybridAccessEnabled set to true or false. The default value for the HybridAccessEnabled parameter is false. Replace the Amazon S3 path, role name, and Amazon account ID with valid values.

```shell
aws lakeformation register-resource --cli-input-json file://<file path>
```

```json
{
    "ResourceArn": "arn:aws:s3:::<s3-path>",
    "UseServiceLinkedRole": false,
    "RoleArn": "arn:aws:iam::<123456789012>:role/<role-name>",
    "HybridAccessEnabled": true
}
```
Grant permissions and opt in principals to use Lake Formation permissions for resources in hybrid access mode

Before you opt in principals and resources in hybrid access mode, verify that a grant of Super or All permissions to the IAMAllowedPrincipals group exists on the databases and tables whose location is registered with Lake Formation in hybrid access mode.

You can't grant the IAMAllowedPrincipals group permissions on All tables within a database. You need to select each table separately from the drop-down menu and grant permissions. Also, when you create new tables in the database, you can choose the Use only IAM access control for new tables in new databases option in the Data Catalog settings. This option grants Super permission to the IAMAllowedPrincipals group automatically when you create new tables within the database.
Console

- On the Lake Formation console, under Data Catalog, choose Databases or Tables.
- Select a database or a table from the list, and choose Grant from the Actions menu.
- Choose principals to grant permissions on the database, tables, and columns using the named resource method or LF-Tags. Alternatively, choose Data lake permissions, select the principals to grant permissions to from the list, and choose Grant. For more details on granting data permissions, see Granting permissions on Data Catalog resources.
  If you're granting a principal Create table permission, you also need to grant data location permissions (DATA_LOCATION_ACCESS) to the principal. This permission is not needed to update tables. For more information, see Granting data location permissions.
- When you use the named resource method to grant permissions, the option to opt in principals and resources is available in the lower section of the Grant data permissions page. Choose Make Lake Formation permissions effective immediately to enable Lake Formation permissions for the principals and resources.
- Choose Grant.

When you opt in principal A on table A that points to a data location, principal A can access that table's location using Lake Formation permissions if the data location is registered in hybrid access mode.
Amazon CLI

The following example opts in a principal and a table in hybrid access mode. Replace the role name, Amazon account ID, database name, and table name with valid values.

```shell
aws lakeformation create-lake-formation-opt-in --cli-input-json file://<file path>
```

```json
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::<123456789012>:role/<hybrid-access-role>"
    },
    "Resource": {
        "Table": {
            "CatalogId": "<123456789012>",
            "DatabaseName": "<hybrid_test>",
            "Name": "<hybrid_test_table>"
        }
    }
}
```
If you choose LF-Tags to grant permissions, you can opt in principals to use Lake Formation permissions in a separate step:

- Choose Hybrid access mode under Permissions in the left navigation bar.
- In the lower section of the Hybrid access mode page, choose Add to add resources and principals to hybrid access mode.
- On the Add resources and principals page, choose the databases and tables registered in hybrid access mode, then choose the principals to opt in to use Lake Formation permissions in hybrid access mode. You can choose All tables under a database to grant access.
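The two CLI steps above (registering the location with HybridAccessEnabled, then granting permissions and opting a principal in) can be scripted end to end. The following is an added example, not code from the AWS documentation or the Lake Formation service. It builds the same request shapes as the JSON inputs above using the boto3 Lake Formation API names (register_resource, list_permissions, grant_permissions, create_lake_formation_opt_in), and before any opt-in it checks the precondition the page asks for: that IAMAllowedPrincipals still holds Super (ALL) on the table, so existing IAM-only users are not cut off. The client is injected, so you can pass a real boto3 client or the offline FakeLakeFormation stub included here; the bucket, role, database and table names are constructed sample values.

```python
"""Hybrid access mode on-boarding helper (added example, not AWS's own code).

Assumes a client object with the boto3 lakeformation method names and request
shapes; FakeLakeFormation below stands in for boto3.client("lakeformation")
so the script runs offline. All ARNs and names are constructed samples.
"""
import re

# Identifier that Lake Formation reports for the IAMAllowedPrincipals group.
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"

S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9](/.*)?$")
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@\-/]+$")


def build_register_request(s3_arn, role_arn=None):
    """Build the register-resource input with HybridAccessEnabled set to true.

    With no role_arn the service-linked role is used (the console default);
    a custom role ARN is validated before it is placed in RoleArn.
    """
    if not S3_ARN.match(s3_arn):
        raise ValueError(f"not an S3 ARN: {s3_arn!r}")
    req = {"ResourceArn": s3_arn, "HybridAccessEnabled": True}
    if role_arn is None:
        req["UseServiceLinkedRole"] = True
    else:
        if not ROLE_ARN.match(role_arn):
            raise ValueError(f"not an IAM role ARN: {role_arn!r}")
        req["UseServiceLinkedRole"] = False
        req["RoleArn"] = role_arn
    return req


def table_resource(catalog_id, database, table):
    """Resource block shared by grant-permissions and create-lake-formation-opt-in."""
    return {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": table}}


def iam_allowed_principals_has_super(lf, resource):
    """True if IAMAllowedPrincipals holds ALL (Super in the console) on the table."""
    resp = lf.list_permissions(ResourceType="TABLE", Resource=resource)
    for entry in resp.get("PrincipalResourcePermissions", []):
        if (entry["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED_PRINCIPALS
                and "ALL" in entry.get("Permissions", [])):
            return True
    return False


def opt_in_principal(lf, principal_arn, resource, permissions=("SELECT",)):
    """Grant Lake Formation permissions on the table, then opt the principal in.

    Refuses to proceed when the IAMAllowedPrincipals grant is missing, because
    opting in would then interrupt users who still rely on IAM-only access.
    """
    if not iam_allowed_principals_has_super(lf, resource):
        raise RuntimeError("IAMAllowedPrincipals lacks Super on the table; grant it before opting in")
    principal = {"DataLakePrincipalIdentifier": principal_arn}
    lf.grant_permissions(Principal=principal, Resource=resource, Permissions=list(permissions))
    lf.create_lake_formation_opt_in(Principal=principal, Resource=resource)
    return {"Principal": principal, "Resource": resource}


def onboard(lf, s3_arn, principal_arn, catalog_id, database, table, role_arn=None):
    """Whole procedure: register the location in hybrid mode, then grant and opt in one principal."""
    lf.register_resource(**build_register_request(s3_arn, role_arn))
    return opt_in_principal(lf, principal_arn, table_resource(catalog_id, database, table))


class FakeLakeFormation:
    """Offline stand-in for boto3's lakeformation client; records every call it receives."""

    def __init__(self, iam_allowed_super=True):
        self.iam_allowed_super = iam_allowed_super
        self.calls = []

    def register_resource(self, **req):
        self.calls.append(("register_resource", req))
        return {}

    def list_permissions(self, **_):
        # Simulates a table that either has or lacks the IAMAllowedPrincipals Super grant.
        entries = []
        if self.iam_allowed_super:
            entries.append({"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
                            "Permissions": ["ALL"]})
        return {"PrincipalResourcePermissions": entries}

    def grant_permissions(self, **req):
        self.calls.append(("grant_permissions", req))
        return {}

    def create_lake_formation_opt_in(self, **req):
        self.calls.append(("create_lake_formation_opt_in", req))
        return {}


if __name__ == "__main__":
    # Constructed sample values; replace FakeLakeFormation() with boto3.client("lakeformation") to run for real.
    lf = FakeLakeFormation()
    onboard(lf, "arn:aws:s3:::example-hybrid-bucket/data/",
            "arn:aws:iam::123456789012:role/hybrid-access-role",
            "123456789012", "hybrid_test", "hybrid_test_table")
    for name, req in lf.calls:
        print(name, req)
```

The precondition check is the part worth keeping even if you drive the rest from the console: list_permissions on the table before any opt-in tells you whether IAM-only users will keep their access through the IAMAllowedPrincipals grant, which is the whole point of on-boarding in hybrid access mode.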