IAM Identity Center integration limitations - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Identity Center integration limitations

With Amazon IAM Identity Center, you can connect to identity providers (IdPs) and centrally manage access for users and groups across Amazon analytics services. You can configure Amazon Lake Formation as an enabled application in IAM Identity Center, and data lake administrators can grant fine-grained permissions to authorized users and groups on Amazon Glue Data Catalog resources.

The following limitations apply to Lake Formation integration with IAM Identity Center:

  • You can't assign IAM Identity Center users and groups as data lake administrators or read-only administrators in Lake Formation.

  • IAM Identity Center users and groups can query encrypted Data Catalog resources if you are using an IAM role that Amazon Glue can assume on your behalf for encrypting and decrypting the Data Catalog. Amazon managed keys don't support trusted identity propagation.

  • IAM Identity Center users and groups can only invoke API operations listed in the AWSIAMIdentityCenterAllowListForIdentityContext policy provided by IAM Identity Center.

  • Lake Formation permits IAM roles from external accounts to act as carrier roles on behalf of IAM Identity Center users and groups for accessing Data Catalog resources, but permissions can only be granted on Data Catalog resources within the owning account. If you try to grant permissions to IAM Identity Center users and groups on Data Catalog resources in an external account, Lake Formation throws the following error: "Cross-account grants are not supported for the principal."
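The following preflight checks turn the first and last limitations above into code that runs before a grant is submitted, so a misconfigured request fails locally with a clear reason instead of surfacing as a service error. This is an added example, not code from the Lake Formation documentation or the AWS SDK. It assumes that Identity Center users and groups are identified to Lake Formation by identitystore ARNs of the form `arn:aws:identitystore:::user/<id>` and `arn:aws:identitystore:::group/<id>`, and it builds the keyword arguments for the boto3 `lakeformation.grant_permissions()` call; the account IDs, database and table names are constructed sample values.

```python
"""Preflight checks for Lake Formation grants that name IAM Identity Center principals.

Added example, not AWS code. Assumption: Identity Center users and groups are
passed to Lake Formation as identitystore ARNs (user/<id> or group/<id>).
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional

# Assumed ARN shapes for Identity Center principals and plain IAM principals.
IDENTITY_CENTER_PRINCIPAL = re.compile(r"^arn:aws:identitystore:::(user|group)/[^/]+$")
IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/.+$")

# Error text quoted on the documentation page for a cross-account grant attempt.
CROSS_ACCOUNT_ERROR = "Cross-account grants are not supported for the principal."


def is_identity_center_principal(principal: str) -> bool:
    """True for identitystore user/group ARNs, False for IAM roles/users and anything else."""
    return IDENTITY_CENTER_PRINCIPAL.match(principal) is not None


@dataclass
class GrantRequest:
    principal: str                 # DataLakePrincipalIdentifier
    catalog_id: str                # account that owns the Data Catalog resource
    database: str
    table: Optional[str] = None    # None means a database-level grant
    permissions: List[str] = field(default_factory=lambda: ["SELECT"])


def check_grant(req: GrantRequest, owning_account: str) -> List[str]:
    """Return the limitation(s) a grant would violate; an empty list means it may be submitted.

    Only Identity Center principals are restricted to the owning account; an IAM carrier
    role from another account is allowed and is therefore not flagged here.
    """
    problems: List[str] = []
    if is_identity_center_principal(req.principal) and req.catalog_id != owning_account:
        problems.append(CROSS_ACCOUNT_ERROR)
    return problems


def check_admin_assignment(admins: List[str]) -> List[str]:
    """Return the proposed administrators that are Identity Center users or groups.

    Those principals cannot be data lake administrators or read-only administrators.
    """
    return [p for p in admins if is_identity_center_principal(p)]


def to_grant_permissions_kwargs(req: GrantRequest) -> Dict[str, Any]:
    """Build the keyword arguments for boto3 lakeformation.grant_permissions()."""
    if req.table:
        resource = {"Table": {"CatalogId": req.catalog_id,
                              "DatabaseName": req.database,
                              "Name": req.table}}
    else:
        resource = {"Database": {"CatalogId": req.catalog_id, "Name": req.database}}
    return {"Principal": {"DataLakePrincipalIdentifier": req.principal},
            "Resource": resource,
            "Permissions": req.permissions}


def preflight_and_grant(client: Any, req: GrantRequest, owning_account: str) -> Dict[str, Any]:
    """Validate the request, then call grant_permissions on the supplied Lake Formation client.

    `client` is expected to be a boto3 lakeformation client (or a test double exposing
    grant_permissions(**kwargs)); the grant is never attempted if a check fails.
    """
    problems = check_grant(req, owning_account)
    if problems:
        raise ValueError("grant rejected before submission: " + "; ".join(problems))
    return client.grant_permissions(**to_grant_permissions_kwargs(req))


if __name__ == "__main__":
    # Constructed sample values: the data lake lives in account 111122223333.
    owning = "111122223333"
    local = GrantRequest("arn:aws:identitystore:::group/g-analysts", owning, "sales", "orders")
    remote = GrantRequest("arn:aws:identitystore:::group/g-analysts", "444455556666", "sales", "orders")
    print("local grant problems :", check_grant(local, owning))
    print("remote grant problems:", check_grant(remote, owning))
    print("bad admin candidates :", check_admin_assignment(
        ["arn:aws:iam::111122223333:role/LakeAdmin", "arn:aws:identitystore:::user/u-1"]))
    print("request kwargs       :", to_grant_permissions_kwargs(local))
```

Pass a real `boto3.client("lakeformation")` as `client` to submit the grant; in tests a small object with a `grant_permissions(**kwargs)` method is enough to confirm that rejected requests never reach the service.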