# Lake Formation personas and IAM permissions reference
<a name="permissions-reference"></a>

This section lists suggested Lake Formation personas and the Amazon Identity and Access Management (IAM) permissions recommended for each. For information about Lake Formation permissions, see [Lake Formation permissions reference](lf-permissions-reference.md).

## Amazon Lake Formation personas
<a name="lf-personas"></a>

The following table lists the suggested Amazon Lake Formation personas.


**Lake Formation Personas**  

| Persona | Description | 
| --- | --- | 
| IAM administrator (superuser) | (Required) User who can create IAM users and roles. Has the AdministratorAccess Amazon managed policy. Has all permissions on all Lake Formation resources. Can add data lake administrators. Cannot grant Lake Formation permissions if not also designated a data lake administrator. | 
| Data lake administrator | (Required) User who can register Amazon S3 locations, access the Data Catalog, create databases, create and run workflows, grant Lake Formation permissions to other users, and view Amazon CloudTrail logs. Has fewer IAM permissions than the IAM administrator, but enough to administer the data lake. Cannot add other data lake administrators. | 
| Read only administrator | (Optional) User who can view principals, Data Catalog resources, permissions, and Amazon CloudTrail logs, without the permissions to make updates. | 
| Data engineer | (Optional) User who can create databases, create and run crawlers and workflows, and grant Lake Formation permissions on the Data Catalog tables that the crawlers and workflows create. We recommend that you make all data engineers database creators. For more information, see [Creating a database](creating-database.md). | 
| Data analyst | (Optional) User who can run queries against the data lake using, for example, Amazon Athena. Has only enough permissions to run queries. | 
| Workflow role | (Required) Role that runs a workflow on behalf of a user. You specify this role when you create a workflow from a blueprint. | 

**Note**  
In Lake Formation, data lake administrators added after database creation can grant permissions but don't automatically have data access permissions such as SELECT or DESCRIBE. Administrators who create databases receive `SUPER` permissions on those databases. This behavior is intentional—while all administrators can grant themselves necessary permissions, these permissions aren't automatically applied to pre-existing resources. Therefore, administrators must explicitly grant themselves access to databases that existed before they were assigned admin privileges. 

## Amazon managed policies for Lake Formation
<a name="lf-managed-policies"></a>

You can grant the Amazon Identity and Access Management (IAM) permissions that are required to work with Amazon Lake Formation by using Amazon managed policies and inline policies. The following Amazon managed policies are available for Lake Formation.

### Amazon managed policy: AWSLakeFormationDataAdmin
<a name="lf-data-admin"></a>

The [AWSLakeFormationDataAdmin](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationDataAdmin) policy grants administrative access to Amazon Lake Formation and related services such as Amazon Glue to manage data lakes.

You can attach `AWSLakeFormationDataAdmin` to your users, groups, and roles.

**Permission details**
+ `CloudTrail` – Allows principals to view Amazon CloudTrail logs. This is required to review any errors in the setup of the data lake.
+ `Glue` – Allows principals to view, create, and update metadata tables and databases in the Data Catalog. This includes API operations that start with `Get`, `List`, `Create`, `Update`, `Delete`, and `Search`. This is required to manage the metadata of the data lake tables.
+ `IAM` – Allows principals to retrieve information about IAM users, roles, and policies attached to the roles. This is required for the data admin to review and list IAM users and roles to grant Lake Formation permissions.
+ `Lake Formation` – Grants data lake admins required Lake Formation permissions to manage data lakes.
+ `S3` – Allows principals to retrieve information about Amazon S3 buckets and their locations in order to set up the data location for data lakes.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLakeFormationDataAdminAllow",
            "Effect": "Allow",
            "Action": [
                "lakeformation:*",
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "glue:CreateCatalog",
                "glue:UpdateCatalog",
                "glue:DeleteCatalog",
                "glue:GetCatalog",
                "glue:GetCatalogs",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:CreateDatabase",
                "glue:UpdateDatabase",
                "glue:DeleteDatabase",
                "glue:GetConnections",
                "glue:SearchTables",
                "glue:GetTable",
                "glue:CreateTable",
                "glue:UpdateTable",
                "glue:DeleteTable",
                "glue:GetTableVersions",
                "glue:GetPartitions",
                "glue:GetTables",
                "glue:ListWorkflows",
                "glue:BatchGetWorkflows",
                "glue:DeleteWorkflow",
                "glue:GetWorkflowRuns",
                "glue:StartWorkflowRun",
                "glue:GetWorkflow",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:GetBucketAcl",
                "iam:ListUsers",
                "iam:ListRoles",
                "iam:GetRole",
                "iam:GetRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AWSLakeFormationDataAdminDeny",
            "Effect": "Deny",
            "Action": [
                "lakeformation:PutDataLakeSettings"
            ],
            "Resource": "*"
        }
    ]
}
```

**Note**  
The `AWSLakeFormationDataAdmin` policy does not grant every required permission for data lake administrators. Additional permissions are needed to create and run workflows and register locations with the service linked role `AWSServiceRoleForLakeFormationDataAccess`. For more information, see [Create a data lake administrator](initial-lf-config.md#create-data-lake-admin) and [Using service-linked roles for Lake Formation](service-linked-roles.md).

### Amazon managed policy: AWSLakeFormationCrossAccountManager
<a name="lf-cross-account-manager"></a>

The [AWSLakeFormationCrossAccountManager](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager) policy provides cross-account access to Amazon Glue resources through Lake Formation, and grants read access to other required services such as Amazon Organizations and Amazon RAM.

You can attach `AWSLakeFormationCrossAccountManager` to your users, groups, and roles.

**Permission details**

This policy includes the following permissions.
+ `Glue` – Allows principals to set or delete the Data Catalog resource policy for access control.
+ `Organizations` – Allows principals to retrieve account and organizational unit (OU) information for an organization.
+ `ram:CreateResourceShare` – Allows principals to create a resource share.
+ `ram:UpdateResourceShare` – Allows principals to modify some properties of the specified resource share.
+ `ram:DeleteResourceShare` – Allows principals to delete the specified resource share.
+ `ram:AssociateResourceShare` – Allows principals to add the specified list of principals and list of resources to a resource share.
+ `ram:DisassociateResourceShare` – Allows principals to remove the specified principals or resources from participating in the specified resource share.
+ `ram:GetResourceShares` – Allows principals to retrieve details about the resource shares that you own or that are shared with you.
+ `ram:RequestedResourceType` – Allows principals to retrieve the resource type (database, table, or catalog).
+ `ram:AssociateResourceSharePermission` – Allows principals to add or replace the Amazon RAM permission for a resource type included in a resource share. You can have exactly one permission associated with each resource type in the resource share.

#### JSON

```
{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "AllowCreateResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:CreateResourceShare"
            ],
            "Resource": "*",
            "Condition": {
                "StringLikeIfExists": {
                    "ram:RequestedResourceType": [
                        "glue:Table",
                        "glue:Database",
                        "glue:Catalog"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceShare",
            "Effect": "Allow",
            "Action": [
                "ram:UpdateResourceShare",
                "ram:DeleteResourceShare",
                "ram:AssociateResourceShare",
                "ram:DisassociateResourceShare",
                "ram:GetResourceShares"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "ram:ResourceShareName": [
                        "LakeFormation*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowManageResourceSharePermissions",
            "Effect": "Allow",
            "Action": [
                "ram:AssociateResourceSharePermission"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "ram:PermissionArn": [
                        "arn:aws-cn:ram::aws:permission/AWSRAMLFEnabled*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowXAcctManagerPermissions",
            "Effect": "Allow",
            "Action": [
                "glue:PutResourcePolicy",
                "glue:DeleteResourcePolicy",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "ram:Get*",
                "ram:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowOrganizationsPermissions",
            "Effect": "Allow",
            "Action": [
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListOrganizationalUnitsForParent"
            ],
            "Resource": "*"
        }
    ]
}
```

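The two managed policies above rely on the same IAM evaluation rules: action wildcards such as `lakeformation:*`, an explicit `Deny` that overrides any `Allow` (which is why a principal holding only `AWSLakeFormationDataAdmin` cannot call `lakeformation:PutDataLakeSettings`, the operation that adds data lake administrators), and condition operators (`StringLikeIfExists`, `StringLike`, `ArnLike`) that scope the Amazon RAM actions to Lake Formation's own resource shares. The following Python script is an added example, not AWS code and not one of the page's policies: it implements only that subset of the evaluation logic and runs it against abbreviated excerpts of the two policies. The `ec2:Subnet`, `MyTeamShare`, and permission ARN values used in the checks are constructed sample inputs, and `Resource` matching is skipped because every statement here uses `"*"`.

```python
"""Minimal IAM policy evaluator for reasoning about the managed policies on this page.

Added illustration, not AWS code: it models only action wildcards, explicit-deny
precedence, and the StringLike / StringLikeIfExists / ArnLike condition operators.
The policy dicts are abbreviated excerpts of the page's policies; Resource matching
is omitted because every statement here uses "*".
"""
from fnmatch import fnmatchcase

# Abbreviated excerpt of AWSLakeFormationDataAdmin (only the statements needed here).
DATA_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AWSLakeFormationDataAdminAllow", "Effect": "Allow",
         "Action": ["lakeformation:*", "glue:GetDatabase", "glue:CreateDatabase",
                    "iam:ListRoles", "s3:GetBucketLocation"],
         "Resource": "*"},
        {"Sid": "AWSLakeFormationDataAdminDeny", "Effect": "Deny",
         "Action": ["lakeformation:PutDataLakeSettings"], "Resource": "*"},
    ],
}

# Abbreviated excerpt of AWSLakeFormationCrossAccountManager (its conditional statements).
CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCreateResourceShare", "Effect": "Allow",
         "Action": ["ram:CreateResourceShare"], "Resource": "*",
         "Condition": {"StringLikeIfExists": {
             "ram:RequestedResourceType": ["glue:Table", "glue:Database", "glue:Catalog"]}}},
        {"Sid": "AllowManageResourceShare", "Effect": "Allow",
         "Action": ["ram:UpdateResourceShare", "ram:DeleteResourceShare",
                    "ram:AssociateResourceShare", "ram:DisassociateResourceShare",
                    "ram:GetResourceShares"],
         "Resource": "*",
         "Condition": {"StringLike": {"ram:ResourceShareName": ["LakeFormation*"]}}},
        {"Sid": "AllowManageResourceSharePermissions", "Effect": "Allow",
         "Action": ["ram:AssociateResourceSharePermission"], "Resource": "*",
         "Condition": {"ArnLike": {
             "ram:PermissionArn": ["arn:aws-cn:ram::aws:permission/AWSRAMLFEnabled*"]}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action names are matched case-insensitively; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def arn_like(pattern, value):
    """ArnLike compares the six colon-delimited ARN fields separately, so a '*' never
    spans a field boundary (the resource field itself may contain further colons)."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == 6 and len(v) == 6 and all(fnmatchcase(val, pat) for val, pat in zip(v, p))


def condition_holds(condition, ctx):
    """Every operator block and every key must hold; the values of one key are OR'ed."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, patterns in keys.items():
            if key not in ctx:
                if if_exists:
                    continue      # ...IfExists: an absent key counts as satisfied
                return False      # plain operators fail when the key is absent
            if base == "StringLike":
                ok = any(fnmatchcase(ctx[key], pat) for pat in _as_list(patterns))
            elif base == "ArnLike":
                ok = any(arn_like(pat, ctx[key]) for pat in _as_list(patterns))
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, action, ctx=None):
    """Return 'allow' or 'deny' for one action under one identity policy.
    An explicit Deny always wins; anything not allowed is implicitly denied."""
    ctx = ctx or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(action_matches(pat, action) for pat in _as_list(stmt["Action"])):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    # lakeformation:* covers GrantPermissions, but the explicit Deny still blocks
    # PutDataLakeSettings, so this persona cannot add data lake administrators.
    print(evaluate(DATA_ADMIN_POLICY, "lakeformation:GrantPermissions"))    # allow
    print(evaluate(DATA_ADMIN_POLICY, "lakeformation:PutDataLakeSettings"))  # deny
    print(evaluate(DATA_ADMIN_POLICY, "glue:CreateCrawler"))                # deny (not listed)
    # Condition keys keep the RAM actions scoped to Lake Formation's own shares.
    print(evaluate(CROSS_ACCOUNT_POLICY, "ram:CreateResourceShare",
                   {"ram:RequestedResourceType": "ec2:Subnet"}))            # deny (constructed)
    print(evaluate(CROSS_ACCOUNT_POLICY, "ram:UpdateResourceShare",
                   {"ram:ResourceShareName": "MyTeamShare"}))               # deny (constructed)
```

The `glue:CreateCrawler` check illustrates the note above: the policy never lists crawler or workflow-creation actions, so they fall to the implicit deny and must be granted separately. The `StringLikeIfExists` case is worth noticing in review: when the request carries no `ram:RequestedResourceType` key at all, the condition is treated as satisfied, which is the intended behaviour of the `IfExists` operators but differs from plain `StringLike`.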

### Amazon managed policy: AWSGlueConsoleFullAccess
<a name="glue-console-access-policy"></a>

The [AWSGlueConsoleFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) policy grants full access to Amazon Glue resources when an identity that the policy is attached to uses the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console.

In addition, Amazon Glue and Lake Formation assume the service role `AWSGlueServiceRole` to allow access to related services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon CloudWatch.

### Amazon managed policy: LakeFormationDataAccessServiceRolePolicy
<a name="lake-formation-data-access-service-role-policy"></a>

This policy is attached to the service-linked role `AWSServiceRoleForLakeFormationDataAccess`, which allows the service to perform actions on resources at your request. You can't attach this policy to your IAM identities.

This policy allows Amazon services integrated with Lake Formation, such as Amazon Athena or Amazon Redshift, to use the service-linked role to discover Amazon S3 resources.

For more information, see [Using service-linked roles for Lake Formation](service-linked-roles.md).

**Permission details**

This policy includes the following permission.
+ `s3:ListAllMyBuckets` – Returns a list of all buckets owned by the authenticated sender of the request.

#### JSON

```
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "LakeFormationDataAccessServiceRolePolicy",
			"Effect": "Allow",
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Resource": [
				"arn:aws-cn:s3:::*"
			]
		}
	]
}
```


**Lake Formation updates to Amazon managed policies**  
View details about updates to Amazon managed policies for Lake Formation since this service began tracking these changes.


| Change | Description | Date | 
| --- | --- | --- | 
| Lake Formation updated AWSLakeFormationCrossAccountManager policy.  | Lake Formation enhanced the [AWSLakeFormationCrossAccountManager](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager) policy by replacing the StringLike condition operator with the ArnLike operator that allows IAM to perform the ARN format check. | January, 2025 | 
| Lake Formation updated AWSLakeFormationDataAdmin policy.  | Lake Formation enhanced the [AWSLakeFormationDataAdmin](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationDataAdmin) policy by adding the following Amazon Glue Data Catalog CRUD APIs as part of the multi-catalog feature. [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html) This managed policy change ensures that the Lake Formation administrator persona has IAM permission on these new operations by default. | December, 2024 | 
| Lake Formation updated AWSLakeFormationCrossAccountManager policy.  | Lake Formation enhanced the [AWSLakeFormationCrossAccountManager](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager) policy by adding Sid elements to the policy statement. | March, 2024 | 
| Lake Formation updated AWSLakeFormationDataAdmin policy.  | Lake Formation enhanced the [AWSLakeFormationDataAdmin](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationDataAdmin) policy by adding a Sid element to the policy statement and removing a redundant action. | March, 2024 | 
| Lake Formation updated LakeFormationDataAccessServiceRolePolicy policy.  | Lake Formation enhanced the [LakeFormationDataAccessServiceRolePolicy](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/LakeFormationDataAccessServiceRolePolicy) policy by adding a Sid element to the policy statement. | February, 2024 | 
| Lake Formation updated AWSLakeFormationCrossAccountManager policy.  | Lake Formation enhanced the [AWSLakeFormationCrossAccountManager](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager) policy by adding a new permission to enable cross-account data sharing in hybrid access mode. | October, 2023 | 
| Lake Formation updated AWSLakeFormationCrossAccountManager policy.  | Lake Formation enhanced the [AWSLakeFormationCrossAccountManager](https://us-east-1.console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager) policy to create only one resource share per recipient account when a resource is first shared. All resources shared thereafter with the same account are attached to the same resource share. | May 6, 2022 | 
| Lake Formation started tracking changes. | Lake Formation started tracking changes for its Amazon managed policies. | May 6, 2022 | 

## Personas suggested permissions
<a name="lf-permissions-tables"></a>

The following are the suggested permissions for each persona. The IAM administrator is not included because that user has all permissions on all resources.

**Topics**
+ [Data lake administrator permissions](#persona-dl-admin)
+ [Read only administrator permissions](#persona-read-only-admin)
+ [Data engineer permissions](#persona-engineer)
+ [Data analyst permissions](#persona-user)
+ [Workflow role permissions](#persona-workflow-role)

### Data lake administrator permissions
<a name="persona-dl-admin"></a>

**Important**  
In the following policies, replace *<account-id>* with a valid Amazon account number, and replace *<workflow_role>* with the name of a role that has permissions to run a workflow, as defined in [Workflow role permissions](#persona-workflow-role).


| Policy Type | Policy | 
| --- | --- | 
| Amazon managed policies |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html) For information about the optional Amazon managed policies, see [Create a data lake administrator](initial-lf-config.md#create-data-lake-admin).  | 
| Inline policy (for creating the Lake Formation service-linked role) |  <pre>{<br />    "Version": "2012-10-17",<br />    "Statement": [<br />        {<br />            "Effect": "Allow",<br />            "Action": "iam:CreateServiceLinkedRole",<br />            "Resource": "*",<br />            "Condition": {<br />                "StringEquals": {<br />                    "iam:AWSServiceName": "lakeformation.amazonaws.com"<br />                }<br />            }<br />        },<br />        {<br />            "Effect": "Allow",<br />            "Action": [<br />                "iam:PutRolePolicy"<br />            ],<br />            "Resource": "arn:aws:iam::<account-id>:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess"<br />        }<br />    ]<br />}<br /></pre>  | 
| (Optional) Inline policy (passrole policy for the workflow role). This is required only if the data lake administrator creates and runs workflows. |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
| (Optional) Inline policy (if your account is granting or receiving cross-account Lake Formation permissions). This policy is for accepting or rejecting Amazon RAM resource share invitations, and for enabling the granting of cross-account permissions to organizations. `ram:EnableSharingWithAwsOrganization` is required only for data lake administrators in the Amazon Organizations management account. |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 

### Read only administrator permissions
<a name="persona-read-only-admin"></a>


| Policy type | Policy | 
| --- | --- | 
| Inline policy (basic) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 

### Data engineer permissions
<a name="persona-engineer"></a>

**Important**  
In the following policies, replace *<account-id>* with a valid Amazon account number, and replace *<workflow_role>* with the name of the workflow role.


| Policy Type | Policy | 
| --- | --- | 
| Amazon managed policy | AWSGlueConsoleFullAccess | 
| Inline policy (basic) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
| Inline policy (for operations on governed tables, including operations within transactions) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
| Inline policy (for metadata access control using the Lake Formation tag-based access control (LF-TBAC) method) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
| Inline policy (passrole policy for the workflow role) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 

### Data analyst permissions
<a name="persona-user"></a>


| Policy Type | Policy | 
| --- | --- | 
| Amazon managed policy | AmazonAthenaFullAccess | 
| Inline policy (basic) |  <pre>{<br />    "Version": "2012-10-17",<br />    "Statement": [<br />        {<br />            "Effect": "Allow",<br />            "Action": [<br />                "lakeformation:GetDataAccess",<br />                "glue:GetTable",<br />                "glue:GetTables",<br />                "glue:SearchTables",<br />                "glue:GetDatabase",<br />                "glue:GetDatabases",<br />                "glue:GetPartitions",<br />                "lakeformation:GetResourceLFTags",<br />                "lakeformation:ListLFTags",<br />                "lakeformation:GetLFTag",<br />                "lakeformation:SearchTablesByLFTags",<br />                "lakeformation:SearchDatabasesByLFTags"<br />            ],<br />            "Resource": "*"<br />        }<br />    ]<br />}</pre>  | 
| (Optional) Inline policy (for operations on governed tables, including operations within transactions) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
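
The personas table describes the data analyst as having only enough permissions to run queries, and the basic inline policy above reflects that: every action is a `Get`, `List`, or `Search` call. A cheap way to keep such a policy honest as it is edited over time is a static review that flags any allowed action whose verb is not read-only. The Python script below is an added example, not AWS code: it embeds the data analyst inline policy from this page, a constructed "drifted" variant that shows what a failing check looks like, and this example's own list of read-only verb prefixes. One caveat to carry into the review: `lakeformation:GetDataAccess` is classified as a read by its name, but it is the call that vends temporary credentials for the underlying Amazon S3 data, and what those credentials can read is decided by Lake Formation grants rather than by this IAM policy.

```python
"""Static least-privilege review of a persona's inline policy.

Added illustration, not AWS code. DATA_ANALYST_POLICY is the data analyst inline
policy from this page; DRIFTED_POLICY is a constructed variant used to show a failing
check; READ_PREFIXES is this example's own classification of read-only verbs.
"""

# Verbs treated as read-only by this check. lakeformation:GetDataAccess passes by
# name, but it vends temporary credentials for the underlying S3 data; what those
# credentials can read is decided by Lake Formation grants, not by this policy.
READ_PREFIXES = ("Get", "List", "Search", "Describe", "BatchGet", "Lookup")

DATA_ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess",
                "glue:GetTable",
                "glue:GetTables",
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetPartitions",
                "lakeformation:GetResourceLFTags",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag",
                "lakeformation:SearchTablesByLFTags",
                "lakeformation:SearchDatabasesByLFTags",
            ],
            "Resource": "*",
        }
    ],
}

# Constructed: the same persona after someone "temporarily" widened the policy.
DRIFTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Drifted",
            "Effect": "Allow",
            "Action": ["glue:GetTable", "glue:CreateTable", "lakeformation:*"],
            "Resource": "*",
        }
    ],
}


def non_read_actions(policy):
    """Return (statement label, action) pairs for every allowed action that is not
    read-only: a wildcard anywhere in the action, or a verb outside READ_PREFIXES.
    Deny statements are skipped because they only ever narrow access."""
    flagged = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for action in actions:
            verb = action.split(":", 1)[-1]          # drop the "service:" prefix
            if "*" in action or not verb.startswith(READ_PREFIXES):
                flagged.append((label, action))
    return flagged


if __name__ == "__main__":
    print("data analyst:", non_read_actions(DATA_ANALYST_POLICY))   # []
    print("drifted:", non_read_actions(DRIFTED_POLICY))
    # [('Drifted', 'glue:CreateTable'), ('Drifted', 'lakeformation:*')]
```

The same check applies to the read only administrator persona, whose policy should likewise come back empty; a non-empty result for either persona is a review finding, not necessarily a bug, since the data engineer and workflow role are expected to carry write actions such as `lakeformation:GrantPermissions`.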

### Workflow role permissions
<a name="persona-workflow-role"></a>

This role has the permissions required to run a workflow. You specify a role with these permissions when you create a workflow.

**Important**  
In the following policies, replace *<region>* with a valid Amazon Region identifier (for example `us-east-1`), *<account-id>* with a valid Amazon account number, *<workflow_role>* with the name of the workflow role, and *<your-s3-cloudtrail-bucket>* with the Amazon S3 path to your Amazon CloudTrail logs.


| Policy Type | Policy | 
| --- | --- | 
| Amazon managed policy | AWSGlueServiceRole  | 
| Inline policy (data access) |  <pre>{<br />    "Version": "2012-10-17",<br />    "Statement": [<br />        {<br />            "Sid": "Lakeformation",<br />            "Effect": "Allow",<br />            "Action": [<br />                "lakeformation:GetDataAccess",<br />                "lakeformation:GrantPermissions"<br />            ],<br />            "Resource": "*"<br />        }<br />    ]<br />}</pre>  | 
| Inline policy (passrole policy for the workflow role) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 
| Inline policy (for ingesting data outside the data lake, for example, Amazon CloudTrail logs) |  [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/lake-formation/latest/dg/permissions-reference.html)  | 