Step 2: Provide fine-grained access to a user in the same account
This section shows how a user in Account B (testuser1), acting as a data steward, provides fine-grained access to another user in the same account (testuser2) to the column name in the shared table acc_b_area_rl.
Grant fine-grained access to a user in the same account
1. Sign in to the Amazon console at https://console.amazonaws.cn/connect/ in Account B as testuser1.
2. On the Lake Formation console, in the navigation pane, choose Tables.
3. You can grant permissions on a table through its resource link. To do so, on the Tables page, select the resource link acc_b_area_rl, and on the Actions menu, choose Grant on target.
4. In the Grant permissions section, select My account.
5. For IAM users and roles, choose the user testuser2.
6. For Column, choose the column name.
7. For Table permissions, select Select.
8. Choose Grant.

   When you create a resource link, only you can view and access it. To permit other users in your account to access the resource link, you need to grant permissions on the resource link itself. You need to grant DESCRIBE or DROP permissions.
9. On the Tables page, select your table again and on the Actions menu, choose Grant.
10. In the Grant permissions section, select My account.
11. For IAM users and roles, select the user testuser2.
12. For Resource link permissions, select Describe.
13. Choose Grant.
14. Sign in to the Amazon console in Account B as testuser2.

    On the Athena console (https://console.amazonaws.cn/athena/), you should see the database and table acc_b_area_rl. You can now run a query on the table to see the column value that testuser2 has access to.
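
The two console grants above can also be written as Lake Formation GrantPermissions requests, which makes it visible that SELECT lands on the shared target table while DESCRIBE lands on the resource link. This is an added example, not part of the original procedure; the account IDs, database names, target table name, and the assumption that the column is literally called name are placeholders.

```python
# Placeholders (assumptions, not from the page): account IDs, the owner's
# database and table names, and the local database that holds the resource link.
PARTITION = "aws-cn"             # assumed from the amazonaws.cn console URLs
OWNER_ACCOUNT = "111111111111"   # account that shared the table
LOCAL_ACCOUNT = "222222222222"   # Account B
TARGET_DB, TARGET_TABLE = "owner_db_placeholder", "owner_table_placeholder"
LINK_DB, LINK_NAME = "local_db_placeholder", "acc_b_area_rl"


def build_grants(user="testuser2", columns=("name",)):
    """Return the column grant and the resource-link grant as API requests."""
    if not columns:
        # Refuse to build a grant that does not name its columns explicitly.
        raise ValueError("list the columns to grant explicitly")
    principal = {
        "DataLakePrincipalIdentifier":
            f"arn:{PARTITION}:iam::{LOCAL_ACCOUNT}:user/{user}"
    }
    # "Grant on target": SELECT on the shared table in the owner's catalog,
    # restricted to the listed columns.
    on_target = {
        "Principal": principal,
        "Resource": {"TableWithColumns": {
            "CatalogId": OWNER_ACCOUNT, "DatabaseName": TARGET_DB,
            "Name": TARGET_TABLE, "ColumnNames": list(columns)}},
        "Permissions": ["SELECT"],
    }
    # "Grant": DESCRIBE on the resource link itself, in the local catalog.
    on_link = {
        "Principal": principal,
        "Resource": {"Table": {
            "CatalogId": LOCAL_ACCOUNT, "DatabaseName": LINK_DB,
            "Name": LINK_NAME}},
        "Permissions": ["DESCRIBE"],
    }
    return [on_target, on_link]


def apply_grants(requests, client=None):
    """Send each request; run with the data steward's (testuser1) credentials."""
    if client is None:
        import boto3  # imported lazily so build_grants works without AWS access
        client = boto3.client("lakeformation")
    for request in requests:
        client.grant_permissions(**request)
    return len(requests)
```

Neither request grants SELECT on the resource link or DESCRIBE on anything but the link, so testuser2 can see the link and read only the listed column of the target.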