Converting a Lake Formation resource to a hybrid resource
In cases where you're currently using Lake Formation permissions for your Data Catalog databases and tables, you can edit the location registration properties to enable hybrid access mode. This allows you to provide new principals access to the same resources using IAM permission policies for Amazon S3 and Amazon Glue actions without interrupting existing Lake Formation permissions.
Scenario description - The following steps assume that you have a data location registered with Lake Formation, and you've set up permissions for principals on databases, tables, or columns pointing to that location. If the location was registered with a service-linked role, you can’t update the location parameters and enable hybrid access mode. The IAMAllowedPrincipals group by default has Super permissions on the database and all its tables.
Important
Don’t update a location registration to hybrid access mode without opting in the principals that are accessing data in this location.
Enabling hybrid access mode for a data location registered with Lake Formation
- Warning
  To avoid interrupting the permission policies of other existing users or workloads, we don't recommend converting a Lake Formation managed data location to hybrid access mode.
  Opt in the existing principals who have Lake Formation permissions.
  - List and review the permissions you’ve granted to principals on databases and tables. For more information, see Viewing database and table permissions in Lake Formation.
  - Choose Hybrid access mode under Permissions from the left navigation bar, and choose Add.
  - On the Add principals and resources page, choose the databases and tables from the Amazon S3 data location that you want to use in hybrid access mode. Choose the principals that already have Lake Formation permissions.
  - Choose Add to opt in the principals to use Lake Formation permissions in hybrid access mode.
- Update the Amazon S3 bucket/prefix registration by choosing the Hybrid access mode option.
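The Important note above can be turned into a pre-flight check. The following is an added example, not code from this guide: it compares existing grants against hybrid access mode opt-ins and lists every principal that still has to be opted in. It assumes the entries are shaped like the results of the Lake Formation ListPermissions and ListLakeFormationOptIns API operations; the role ARNs and the sales database are constructed sample values.

```python
"""Pre-flight check: Lake Formation grantees that are not yet opted in."""
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"  # identifier of the IAMAllowedPrincipals group

def resource_key(resource):
    """Map a Resource dict to (database, table); table is None for a database."""
    if "Database" in resource:
        return (resource["Database"]["Name"], None)
    for kind in ("Table", "TableWithColumns"):
        if kind in resource:
            entry_ = resource[kind]
            # Assumption: a column-level grant is covered by an opt-in on its table.
            # A wildcard table grant carries no Name, so it is keyed as "*".
            return (entry_["DatabaseName"], entry_.get("Name", "*"))
    return None  # other resource types are out of scope for this check

def pairs(entries):
    """Collect (principal, resource_key) pairs from grant or opt-in entries."""
    found = set()
    for item in entries:
        key = resource_key(item["Resource"])
        principal = item["Principal"]["DataLakePrincipalIdentifier"]
        if key is not None and principal != IAM_ALLOWED:
            found.add((principal, key))
    return found

def missing_opt_ins(grants, opt_ins):
    """Return grantees that hold permissions but have no matching opt-in."""
    return sorted(pairs(grants) - pairs(opt_ins), key=str)

def entry(principal, resource):
    """Build one sample entry in the assumed API result shape."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal}, "Resource": resource}

# Constructed sample data, not taken from a real account.
ANALYST = "arn:aws:iam::111122223333:role/analyst"
ETL = "arn:aws:iam::111122223333:role/etl"
ORDERS = {"DatabaseName": "sales", "Name": "orders"}
SAMPLE_GRANTS = [
    entry(ANALYST, {"Table": ORDERS}),
    entry(ETL, {"TableWithColumns": {**ORDERS, "ColumnNames": ["id"]}}),
    entry(ETL, {"Database": {"Name": "sales"}}),
    entry(IAM_ALLOWED, {"Database": {"Name": "sales"}}),
]
SAMPLE_OPT_INS = [entry(ANALYST, {"Table": ORDERS})]

if __name__ == "__main__":
    for principal, (database, table) in missing_opt_ins(SAMPLE_GRANTS, SAMPLE_OPT_INS):
        print(f"not opted in: {principal} on {database}.{table or '(database)'}")
```

An empty result is the condition to confirm before updating the Amazon S3 bucket/prefix registration to hybrid access mode.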