Managing cross-account permissions using both Amazon Glue and Lake Formation - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing cross-account permissions using both Amazon Glue and Lake Formation

It's possible to grant cross-account access to Data Catalog resources and underlying data by using either Amazon Glue or Amazon Lake Formation.

In Amazon Glue, you grant cross-account permissions by creating or updating a Data Catalog resource policy. In Lake Formation, you grant cross-account permissions by using the Lake Formation GRANT/REVOKE permissions model and the Grant Permissions API operation.

Tip

We recommend that you rely solely on Lake Formation permissions to secure your data lake.

You can view Lake Formation cross-account grants by using the Lake Formation console or the Amazon Resource Access Manager (Amazon RAM) console. However, those console pages don't show cross-account permissions granted by the Amazon Glue Data Catalog resource policy. Similarly, you can view the cross-account grants in the Data Catalog resource policy using the Settings page of the Amazon Glue console, but that page doesn't show the cross-account permissions granted using Lake Formation.

To ensure that you don't miss any grants when viewing and managing cross-account permissions, Lake Formation and Amazon Glue require you to perform the following actions to indicate that you are aware of and are permitting cross-account grants by both Lake Formation and Amazon Glue.

When granting cross-account permissions using the Amazon Glue Data Catalog resource policy

If your account (grantor account or producer account) has made no cross-account grants that use Amazon RAM to share the resources, you can save a Data Catalog resource policy as usual in Amazon Glue. However, if grants that involve Amazon RAM resource shares have already been made, you must do one of the following to ensure that saving the resource policy succeeds:

  • When you save the resource policy on the Settings page of the Amazon Glue console, the console issues an alert stating that the permissions in the policy will be in addition to any permissions granted using the Lake Formation console. You must choose Proceed to save the policy.

  • When you save the resource policy using the glue:PutResourcePolicy API operation, you must set the EnableHybrid field to 'TRUE' (type = string). The following code example shows how to do this in Python.

    import boto3
    import json

    REGION = 'us-east-2'
    PRODUCER_ACCOUNT_ID = '123456789012'
    CONSUMER_ACCOUNT_IDs = ['111122223333']

    glue = boto3.client('glue', region_name=REGION)

    # Data Catalog resource policy that grants the consumer accounts all
    # Amazon Glue actions on the producer account's catalog, databases, and tables.
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Cataloguers",
                "Effect": "Allow",
                "Action": ["glue:*"],
                "Principal": {"AWS": CONSUMER_ACCOUNT_IDs},
                "Resource": [
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:catalog",
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:database/*",
                    f"arn:aws:glue:{REGION}:{PRODUCER_ACCOUNT_ID}:table/*/*"
                ]
            }
        ]
    }

    # EnableHybrid='TRUE' (a string, not a boolean) acknowledges that Lake Formation
    # cross-account grants shared through Amazon RAM already exist and that this
    # policy is in addition to them; without it the call fails.
    glue.put_resource_policy(PolicyInJson=json.dumps(policy), EnableHybrid='TRUE')

    For more information, see PutResourcePolicy Action (Python: put_resource_policy) in the Amazon Glue Developer Guide.

When granting cross-account permissions using the Lake Formation named resources method

If there is no Data Catalog resource policy in your account (producer account), Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your cross-account grants to succeed if they are made with the named resource method. Replace <region> with a valid Region name and <account-id> with your Amazon account ID (producer account ID).

{
    "Effect": "Allow",
    "Action": [
        "glue:ShareResource"
    ],
    "Principal": {
        "Service": [
            "ram.amazonaws.com"
        ]
    },
    "Resource": [
        "arn:aws:glue:<region>:<account-id>:table/*/*",
        "arn:aws:glue:<region>:<account-id>:database/*",
        "arn:aws:glue:<region>:<account-id>:catalog"
    ]
}

Without this additional statement, the Lake Formation grant succeeds, but becomes blocked in Amazon RAM, and the recipient account can't access the granted resource.
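Because neither console shows both kinds of cross-account grant, it helps to check the Data Catalog resource policy programmatically. The script below is an added example and is not code from the Amazon documentation: it inspects a policy document for the ram.amazonaws.com glue:ShareResource statement shown above, appends that statement if it is missing, and saves the result with EnableHybrid='TRUE' as the earlier Amazon Glue section requires, so a single run covers both procedures on this page. SAMPLE_POLICY, the function names, and the account and Region values are constructed for illustration; the only Amazon Glue calls used are get_resource_policy and put_resource_policy.

```python
import json

# Constructed sample: a Data Catalog resource policy that grants a consumer
# account access but has no glue:ShareResource statement for Amazon RAM.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Cataloguers",
            "Effect": "Allow",
            "Action": ["glue:*"],
            "Principal": {"AWS": ["111122223333"]},
            "Resource": ["arn:aws:glue:us-east-2:123456789012:catalog"]
        }
    ]
})


def required_resources(region, account_id):
    """The three ARNs the ram.amazonaws.com statement must cover."""
    return {
        f"arn:aws:glue:{region}:{account_id}:table/*/*",
        f"arn:aws:glue:{region}:{account_id}:database/*",
        f"arn:aws:glue:{region}:{account_id}:catalog",
    }


def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def has_ram_share_statement(policy_json, region, account_id):
    """True if an Allow statement lets the ram.amazonaws.com service principal
    call glue:ShareResource on all three resource ARNs."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "glue:ShareResource" not in actions and "glue:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        if "ram.amazonaws.com" not in _as_list(principal.get("Service", [])):
            continue
        if required_resources(region, account_id) <= set(_as_list(stmt.get("Resource", []))):
            return True
    return False


def add_ram_share_statement(policy_json, region, account_id):
    """Return the policy with the documented statement appended, or the policy
    unchanged if the statement is already present."""
    if has_ram_share_statement(policy_json, region, account_id):
        return policy_json
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement", []))
    statements.append({
        "Effect": "Allow",
        "Action": ["glue:ShareResource"],
        "Principal": {"Service": ["ram.amazonaws.com"]},
        "Resource": sorted(required_resources(region, account_id)),
    })
    policy["Statement"] = statements
    return json.dumps(policy)


def ensure_ram_share_statement(glue_client, region, account_id):
    """Fetch the live policy, add the statement if missing, and save it with
    EnableHybrid='TRUE' so the save succeeds when Amazon RAM shares exist.
    Returns True if the policy was updated, False if nothing needed changing.
    With no resource policy at all, Lake Formation grants proceed as usual, so
    that case is also a no-op."""
    try:
        current = glue_client.get_resource_policy()["PolicyInJson"]
    except glue_client.exceptions.EntityNotFoundException:
        return False
    updated = add_ram_share_statement(current, region, account_id)
    if updated == current:
        return False
    glue_client.put_resource_policy(PolicyInJson=updated, EnableHybrid='TRUE')
    return True


if __name__ == "__main__":
    import boto3
    # Placeholder values: replace with the producer account's Region and account ID.
    client = boto3.client("glue", region_name="us-east-2")
    print("policy updated:", ensure_ram_share_statement(client, "us-east-2", "123456789012"))
```

Run it with credentials for the producer account; the pure helpers can be exercised offline against SAMPLE_POLICY, and the Region and account ID in the check must match the ARNs in the statement exactly, since a statement written for another Region does not satisfy the check.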

Important

When using the Lake Formation tag-based access control (LF-TBAC) method to make cross-account grants, you must have a Data Catalog resource policy with at least the permissions specified in Prerequisites.
