Step 1: Provide fine-grained access to another account - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: Provide fine-grained access to another account

Learn how a data lake administrator of Account A provides fine-grained access for Account B.

Grant fine-grained access to another account
  1. Sign in to the Amazon Web Services Management Console at https://console.amazonaws.cn/connect/ in Account A as a data lake administrator.

  2. Open the Lake Formation console (https://console.amazonaws.cn/lakeformation/), and choose Get started.

  3. In the navigation pane, choose Databases.

  4. Choose Create database.

  5. In the Database details section, select Database.

  6. For Name, enter a name (for this tutorial, we use sampledb01).

  7. Make sure that Use only IAM access control for new tables in this database is not selected. Leaving this unselected means that Lake Formation, rather than IAM policies alone, controls access to the tables in this database.

  8. Choose Create database.

  9. On the Databases page, choose your database sampledb01.

  10. On the Actions menu, choose Grant.

  11. In the Grant permissions section, select External account.

  12. For Amazon Web Services account ID or Amazon organization ID, enter the account ID for Account B in OU2.

  13. For Table, choose the table you want Account B to have access to (for this tutorial, we use the table acc_a_area). Optionally, you can restrict the grant to specific columns within the table, which we do in this tutorial.

  14. For Include columns, choose the columns you want Account B to have access to (for this tutorial, we grant permissions on type, name, and identifiers).

  15. For Columns, choose Include columns.

  16. For Table permissions, select Select.

  17. For Grantable permissions, select Select. Grantable permissions are required so admin users in Account B can grant permissions to other users in Account B.

  18. Choose Grant.

  19. In the navigation pane, choose Tables.

  20. You should see one active connection in the Amazon Web Services accounts and Amazon organizations with access section.

Create a resource link

Integrated services such as Amazon Athena cannot directly access databases or tables that belong to another account. You therefore create a resource link in your own account that points to the database or table in the other account; Athena queries the resource link, and Lake Formation resolves it to the shared resource. Create a resource link to the table acc_a_area so that Account B users can query its data with Athena.

  1. Sign in to the Amazon Web Services Management Console at https://console.amazonaws.cn/connect/ in Account B as testuser1.

  2. On the Lake Formation console (https://console.amazonaws.cn/lakeformation/), in the navigation pane, choose Tables. You should see the tables to which Account A has granted access.

  3. Choose the table acc_a_area.

  4. On the Actions menu, choose Create resource link.

  5. For Resource link name, enter a name (for this tutorial, acc_a_area_rl).

  6. For Database, choose your database (testdb).

  7. Choose Create.

  8. In the navigation pane, choose Tables.

  9. Choose the resource link acc_a_area_rl.

  10. On the Actions menu, choose View data.

    You are redirected to the Athena console, where you should see the database and table.

    You can now run a query on the table. The results contain only the columns (type, name, and identifiers) to which Account A granted testuser1 in Account B access; the other columns of acc_a_area are not visible.
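The two console procedures above (the column-level grant in Account A, and the resource link in Account B) map onto two API calls. The following is an added example, not code from the Lake Formation documentation: it builds the request bodies for `lakeformation.grant_permissions` and `glue.create_table` in Python, validates the values a practitioner most often gets wrong (the grantee account ID, an empty column list, and permissions other than SELECT on a column-restricted grant), and only calls the service if boto3 is installed and `apply=True` is passed. The account IDs and the `apply` helper are assumptions for illustration; the database, table, column, and resource link names are the ones used in the tutorial.

```python
"""Build and check cross-account Lake Formation grant and resource link
requests. Added example; not part of the Lake Formation documentation."""
import json
import re

# Constructed placeholder account IDs (not real accounts).
ACCOUNT_A = "111111111111"   # owner of sampledb01 / acc_a_area
ACCOUNT_B = "222222222222"   # grantee; owner of the local database testdb

# Table-level Lake Formation permissions. A grant that names individual
# columns (TableWithColumns with ColumnNames) may only carry SELECT.
TABLE_PERMISSIONS = {"ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE"}


def build_grant_request(owner_catalog_id, grantee_account_id, database, table,
                        columns, permissions=("SELECT",), grantable=True):
    """Request body for lakeformation.grant_permissions, mirroring steps 10-18."""
    if not re.fullmatch(r"\d{12}", grantee_account_id):
        raise ValueError(f"grantee must be a 12-digit account ID, got {grantee_account_id!r}")
    if not columns:
        raise ValueError("column list is empty; use a table-level grant instead")
    unknown = set(permissions) - TABLE_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown table permissions: {sorted(unknown)}")
    if set(permissions) != {"SELECT"}:
        raise ValueError("a column-restricted grant may only carry SELECT")

    request = {
        "CatalogId": owner_catalog_id,
        # External account: the principal is the account ID itself (step 11-12).
        "Principal": {"DataLakePrincipalIdentifier": grantee_account_id},
        "Resource": {
            "TableWithColumns": {
                "CatalogId": owner_catalog_id,
                "DatabaseName": database,
                "Name": table,
                "ColumnNames": list(columns),      # Include columns (step 14)
            }
        },
        "Permissions": list(permissions),          # Table permissions (step 16)
    }
    if grantable:
        # Grantable permissions (step 17): lets Account B admins re-grant.
        request["PermissionsWithGrantOption"] = list(permissions)
    return request


def build_resource_link_request(local_database, link_name,
                                owner_account_id, owner_database, owner_table):
    """Request body for glue.create_table that creates a table resource link
    (steps 4-7 of "Create a resource link"). TargetTable is what makes the
    entry a link rather than a regular table."""
    return {
        "DatabaseName": local_database,
        "TableInput": {
            "Name": link_name,
            "TargetTable": {
                "CatalogId": owner_account_id,
                "DatabaseName": owner_database,
                "Name": owner_table,
            },
        },
    }


def apply(grant, link, region="cn-north-1"):
    """Hypothetical helper: send both requests with boto3 using the caller's
    current credentials (Account A for the grant, Account B for the link).
    Imported lazily so the module runs without boto3 installed."""
    import boto3  # noqa: E402  (assumption: boto3 is available)
    boto3.client("lakeformation", region_name=region).grant_permissions(**grant)
    boto3.client("glue", region_name=region).create_table(**link)


if __name__ == "__main__":
    grant = build_grant_request(ACCOUNT_A, ACCOUNT_B, "sampledb01", "acc_a_area",
                                ["type", "name", "identifiers"])
    link = build_resource_link_request("testdb", "acc_a_area_rl",
                                       ACCOUNT_A, "sampledb01", "acc_a_area")
    print(json.dumps(grant, indent=2))
    print(json.dumps(link, indent=2))
```

Run the module to print both request bodies; pass them to `apply()` only from the correct account for each call, because the grant must come from a data lake administrator in Account A while the resource link is created in Account B. Leaving `PermissionsWithGrantOption` out (`grantable=False`) produces a grant that Account B users can use but not delegate, which is the tighter default when re-granting is not required.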