

# IAM permissions required to grant or revoke Lake Formation permissions
<a name="required-permissions-for-grant"></a>

All principals, including the data lake administrator, need the following Amazon Identity and Access Management (IAM) permissions to grant or revoke Amazon Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the Amazon CLI:
+ `lakeformation:GrantPermissions`
+ `lakeformation:BatchGrantPermissions`
+ `lakeformation:RevokePermissions`
+ `lakeformation:BatchRevokePermissions`
+ `glue:GetTable`, `glue:GetDatabase`, or `glue:GetCatalog` for the table, database, or catalog on which you're granting permissions using the named resource method.

**Note**  
Data lake administrators have implicit Lake Formation permissions to grant and revoke Lake Formation permissions. However, they still need the IAM permissions on the Lake Formation grant and revoke API operations.  
IAM roles with the `AWSLakeFormationDataAdmin` Amazon managed policy cannot add new data lake administrators, because this policy contains an explicit deny for the Lake Formation API operation `PutDataLakeSettings`.

The following IAM policy is recommended for principals who are not data lake administrators and who want to grant or revoke permissions using the Lake Formation console.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:ListPermissions",
                "lakeformation:GrantPermissions",
                "lakeformation:BatchGrantPermissions",
                "lakeformation:RevokePermissions",
                "lakeformation:BatchRevokePermissions",
                "glue:GetCatalogs",
                "glue:GetDatabases",
                "glue:SearchTables",
                "glue:GetTables",
                "glue:GetCatalog",
                "glue:GetDatabase",
                "glue:GetTable",
                "iam:ListUsers",
                "iam:ListRoles",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup",
                "sso:DescribeInstance"
            ],
            "Resource": "*"
        }
    ]
}
```


All of the `glue:` and `iam:` permissions in this policy are available in the Amazon managed policy `AWSGlueConsoleFullAccess`.

To grant permissions by using Lake Formation tag-based access control (LF-TBAC), principals need additional IAM permissions. For more information, see [Lake Formation tag-based access control best practices and considerations](lf-tag-considerations.md) and [Lake Formation personas and IAM permissions reference](permissions-reference.md).

**Cross-account permissions**  
Users who want to grant cross-account Lake Formation permissions by using the named resource method must also have the permissions in the `AWSLakeFormationCrossAccountManager` Amazon managed policy.

Data lake administrators need those same permissions for granting cross-account permissions, plus the Amazon Resource Access Manager (Amazon RAM) permission to enable granting permissions to organizations. For more information, see [Data lake administrator permissions](permissions-reference.md#persona-dl-admin).

**The administrative user**  
A principal with administrative permissions—for example, with the `AdministratorAccess` Amazon managed policy—has permissions to grant Lake Formation permissions and create data lake administrators. To deny a user or role access to Lake Formation administrator operations, attach a policy to it, or add a statement to its existing policy, that explicitly denies the administrator API operations with `"Effect": "Deny"`.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lakeformation:GetDataLakeSettings",
                "lakeformation:PutDataLakeSettings"
            ],
            "Effect": "Deny",
            "Resource": [
                "*"
            ]
        }
    ]
}
```


**Important**  
To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations. The `AWSLakeFormationDataAdmin` Amazon managed policy contains an explicit deny for the Lake Formation API operation `PutDataLakeSettings`, which prevents users from adding new data lake administrators.
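The following is an added example, not code from the Lake Formation documentation or from AWS. It is an offline checker that applies the two rules this page relies on: a principal must be allowed every grant/revoke action (plus the `glue:Get*` action for the resource type it grants), and an explicit `Deny` on `lakeformation:PutDataLakeSettings` overrides any `Allow`, including the `"Action": "*"` of an administrator policy. The evaluation logic is a deliberate simplification of IAM (explicit deny wins, otherwise an allow is needed, otherwise implicit deny; `Resource` and `Condition` are ignored, which is acceptable for the `"Resource": "*"` policies shown above). The sample policy documents are constructed for the example from the policies on this page; `LF_ONLY_POLICY` is a hypothetical policy used to show a missing `glue:GetTable`.

```python
"""Offline checker for the IAM permissions that Lake Formation grant/revoke calls need.

Added example (not AWS code). Simplified IAM evaluation: an explicit Deny overrides
any Allow; without an Allow the action is implicitly denied. Resource and Condition
elements are ignored (assumption: policies use "Resource": "*" and no conditions).
"""
import json
import re

# Actions every principal needs in order to call the grant/revoke API operations.
REQUIRED_GRANT_ACTIONS = {
    "lakeformation:GrantPermissions",
    "lakeformation:BatchGrantPermissions",
    "lakeformation:RevokePermissions",
    "lakeformation:BatchRevokePermissions",
}
# The glue:Get* action that is required depends on the resource type being granted.
GLUE_GET_FOR_RESOURCE = {
    "table": "glue:GetTable",
    "database": "glue:GetDatabase",
    "catalog": "glue:GetCatalog",
}
# The operation that adds data lake administrators; non-admins should be denied it.
ADMIN_SETTINGS_ACTION = "lakeformation:PutDataLakeSettings"


def _as_list(value):
    """IAM lets Statement, Action and NotAction be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support the * and ? wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def evaluate(policies, action):
    """Return "allow", "deny" or "implicit_deny" for one action across policy documents."""
    decision = "implicit_deny"
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if "Action" in stmt:
                hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            else:  # NotAction: the statement applies to every action that does NOT match
                hit = not any(_matches(p, action) for p in _as_list(stmt.get("NotAction")))
            if not hit:
                continue
            if stmt.get("Effect") == "Deny":
                return "deny"  # an explicit deny overrides every Allow, in any document
            decision = "allow"
    return decision


def missing_grant_permissions(policies, resource_type="table"):
    """Required actions the policies do not allow for a named-resource grant on resource_type."""
    required = REQUIRED_GRANT_ACTIONS | {GLUE_GET_FOR_RESOURCE[resource_type]}
    return sorted(a for a in required if evaluate(policies, a) != "allow")


def can_add_data_lake_admin(policies):
    """True if the principal could make itself (or anyone) a data lake administrator."""
    return evaluate(policies, ADMIN_SETTINGS_ACTION) == "allow"


# Constructed sample documents: the page's recommended grant policy (trimmed to the
# actions this checker looks at), a broad administrator-style policy, the page's Deny
# statement for the settings operations, and a hypothetical lakeformation-only policy.
GRANT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["lakeformation:ListPermissions", "lakeformation:GrantPermissions",
               "lakeformation:BatchGrantPermissions", "lakeformation:RevokePermissions",
               "lakeformation:BatchRevokePermissions", "glue:GetCatalog",
               "glue:GetDatabase", "glue:GetTable"],
    "Resource": "*"
  }]
}""")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ADMIN_OPS = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Deny",
                                 "Action": ["lakeformation:GetDataLakeSettings",
                                            "lakeformation:PutDataLakeSettings"],
                                 "Resource": ["*"]}]}
LF_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "lakeformation:*",
                                 "Resource": "*"}]}

if __name__ == "__main__":
    print("grant policy, table:", missing_grant_permissions([GRANT_POLICY]))
    print("lakeformation:* only, table:", missing_grant_permissions([LF_ONLY_POLICY]))
    print("admin can add admins:", can_add_data_lake_admin([ADMIN_POLICY]))
    print("admin + deny statement:", can_add_data_lake_admin([ADMIN_POLICY, DENY_ADMIN_OPS]))
```

Running the script shows the recommended policy satisfying the grant requirements, a `lakeformation:*`-only policy still missing `glue:GetTable`, and the administrator policy losing `PutDataLakeSettings` as soon as the Deny statement is attached, regardless of the order in which the documents are evaluated. For a real principal, the authoritative answer comes from IAM itself (for example the policy simulator), since this checker ignores resource ARNs, conditions, permissions boundaries and SCPs.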