Prerequisites for setting up hybrid access mode
The following are the prerequisites for setting up hybrid access mode:
Note
We recommend that a Lake Formation administrator registers the Amazon S3 location in hybrid access mode, and opt in principals and resources.
-
Grant data location permission (
DATA_LOCATION_ACCESS
) to create Data Catalog resources that point to the Amazon S3 locations. Data location permissions control the ability to create Data Catalog databases and tables that point to particular Amazon S3 locations. -
To share Data Catalog resources with another account in hybrid access mode (without removing
IAMAllowedPrincipals
group permissions from the resource), you need to update the Cross account version settings to Version 4. To update the version using Lake Formation console, choose Version 4 under Cross account version settings on the Data Catalog settings page.You can also use the
put-data-lake-settings
Amazon CLI command to set theCROSS_ACCOUNT_VERSION
parameter to version 4:aws lakeformation put-data-lake-settings --region us-east-1 --data-lake-settings file://settings { "DataLakeAdmins": [ { "DataLakePrincipalIdentifier": "arn:aws:iam::
<111122223333>
:user/<user-name>
" } ], "CreateDatabaseDefaultPermissions": [], "CreateTableDefaultPermissions": [], "Parameters": { "CROSS_ACCOUNT_VERSION": "4" } } To grant cross-account permissions in hybrid access mode, the grantor must have the required IAM permissions for Amazon Glue and Amazon RAM services. The Amazon managed policy
AWSLakeFormationCrossAccountManager
grants the required permissions. To enable cross-account data sharing in hybrid access mode, we’ve updated theAWSLakeFormationCrossAccountManager
managed policy by adding two new IAM permissions:ram:ListResourceSharePermissions
ram:AssociateResourceSharePermission
Note
If you are not using the Amazon managed policy for the grantor role, add the above policies to your custom policies.