Managing cross-account permissions using both Amazon Glue and Lake Formation
It's possible to grant cross-account access to Data Catalog resources and underlying data by using either Amazon Glue or Amazon Lake Formation. In Amazon Glue, you grant cross-account permissions by creating or updating a Data Catalog resource policy. In Lake Formation, you grant cross-account permissions by using the Lake Formation GRANT/REVOKE permissions model and the GrantPermissions API operation.
Tip
We recommend that you rely solely on Lake Formation permissions to secure your data lake.
You can view Lake Formation cross-account grants by using the Lake Formation console or the Amazon Resource Access Manager (Amazon RAM) console. However, those console pages don't show cross-account permissions granted by the Amazon Glue Data Catalog resource policy. Similarly, you can view the cross-account grants in the Data Catalog resource policy using the Settings page of the Amazon Glue console, but that page doesn't show the cross-account permissions granted using Lake Formation.
To ensure that you don't miss any grants when viewing and managing cross-account permissions, Lake Formation and Amazon Glue require you to perform the following actions to indicate that you are aware of and are permitting cross-account grants by both Lake Formation and Amazon Glue.
When granting cross-account permissions using the Amazon Glue Data Catalog resource policy
If your account (grantor account or producer account) has made no cross-account grants that use Amazon RAM to share the resources, you can save a Data Catalog resource policy as usual in Amazon Glue. However, if grants that involve Amazon RAM resource shares have already been made, you must do one of the following to ensure that saving the resource policy succeeds:
- When you save the resource policy on the Settings page of the Amazon Glue console, the console issues an alert stating that the permissions in the policy will be in addition to any permissions granted using the Lake Formation console. You must choose Proceed to save the policy.
- When you save the resource policy using the glue:PutResourcePolicy API operation, you must set the EnableHybrid field to 'TRUE' (type = string). The following code example shows how to do this in Python.

    import boto3
    import json

    REGION = 'us-east-2'
    PRODUCER_ACCOUNT_ID = '123456789012'
    CONSUMER_ACCOUNT_IDs = ['111122223333']

    # Create the client in the Region whose Data Catalog the policy applies to.
    glue = boto3.client('glue', region_name=REGION)

    # Resource policy granting the consumer accounts access to the producer's
    # catalog, all databases, and all tables.
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Cataloguers",
                "Effect": "Allow",
                "Action": ["glue:*"],
                "Principal": {"AWS": CONSUMER_ACCOUNT_IDs},
                "Resource": [
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:catalog",
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:database/*",
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:table/*/*"
                ]
            }
        ]
    }

    # EnableHybrid='TRUE' acknowledges that cross-account grants made through
    # Lake Formation / Amazon RAM already exist alongside this policy.
    glue.put_resource_policy(PolicyInJson=json.dumps(policy), EnableHybrid='TRUE')
For more information, see PutResourcePolicy Action (Python: put_resource_policy) in the Amazon Glue Developer Guide.
When granting cross-account permissions using the Lake Formation named resources method
If there is no Data Catalog resource policy in your account (producer account), Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your cross-account grants to succeed if they are made with the named resource method. Replace <region> with a valid Region name and <account-id> with your Amazon account ID (producer account ID).

    {
        "Effect": "Allow",
        "Action": ["glue:ShareResource"],
        "Principal": {"Service": ["ram.amazonaws.com"]},
        "Resource": [
            "arn:aws:glue:<region>:<account-id>:table/*/*",
            "arn:aws:glue:<region>:<account-id>:database/*",
            "arn:aws:glue:<region>:<account-id>:catalog"
        ]
    }
Without this additional statement, the Lake Formation grant succeeds, but becomes blocked in Amazon RAM, and the recipient account can't access the granted resource.
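The following added example (not code from the Lake Formation documentation) shows one way to add the glue:ShareResource statement above to an existing Data Catalog resource policy without duplicating it on repeated runs. The helper names are assumptions; the `glue` argument is assumed to be a boto3 Glue client created by the caller, and the policy hash returned by get_resource_policy is passed back so that a concurrent policy change is rejected rather than silently overwritten.

```python
import json

RAM_SERVICE = "ram.amazonaws.com"


def ram_share_resources(region, account_id):
    # The three ARNs the required statement covers, with the placeholders filled in.
    prefix = f"arn:aws:glue:{region}:{account_id}"
    return [f"{prefix}:table/*/*", f"{prefix}:database/*", f"{prefix}:catalog"]


def ram_share_statement(region, account_id):
    # The statement Lake Formation needs so Amazon RAM can share named resources.
    return {"Effect": "Allow", "Action": ["glue:ShareResource"],
            "Principal": {"Service": [RAM_SERVICE]},
            "Resource": ram_share_resources(region, account_id)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_ram_share_statement(policy, region, account_id):
    # True if some Allow statement already lets ram.amazonaws.com call
    # glue:ShareResource on all three resource ARNs.
    needed = set(ram_share_resources(region, account_id))
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        actions = _as_list(st.get("Action", []))
        if "glue:ShareResource" not in actions and "glue:*" not in actions:
            continue
        if RAM_SERVICE not in _as_list(principal.get("Service", [])):
            continue
        if needed <= set(_as_list(st.get("Resource", []))):
            return True
    return False


def ensure_ram_share_statement(policy, region, account_id):
    # Returns (policy, changed); the input dict is never modified.
    if has_ram_share_statement(policy, region, account_id):
        return policy, False
    updated = json.loads(json.dumps(policy))  # deep copy
    updated["Statement"] = _as_list(updated.get("Statement", []))
    updated["Statement"].append(ram_share_statement(region, account_id))
    return updated, True


def update_catalog_policy(glue, region, account_id):
    # Assumes a resource policy already exists (get_resource_policy would raise otherwise).
    current = glue.get_resource_policy()
    updated, changed = ensure_ram_share_statement(json.loads(current["PolicyInJson"]), region, account_id)
    if changed:  # EnableHybrid acknowledges existing Lake Formation / RAM grants
        glue.put_resource_policy(PolicyInJson=json.dumps(updated),
                                 PolicyHashCondition=current["PolicyHash"], EnableHybrid="TRUE")
    return changed
```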
Important
When using the Lake Formation tag-based access control (LF-TBAC) method to make cross-account grants, you must have a Data Catalog resource policy with at least the permissions specified in Prerequisites.
See Also:
- Metadata access control (for a discussion of the named resource method versus the Lake Formation tag-based access control (LF-TBAC) method).
- Working with Data Catalog Settings on the Amazon Glue Console in the Amazon Glue Developer Guide
- Granting Cross-Account Access in the Amazon Glue Developer Guide (for sample Data Catalog resource policies)