Step 4: Grant table permissions - Amazon Lake Formation

Step 4: Grant table permissions

Grant permissions to data analysts for consumption of the databases tag_database and the table col_tag_database using the LF-Tags Confidential and Sensitive.

  1. Follow these steps to grant the lf-data-analyst user Describe permission on the database and Select permission on tables for the objects associated with the LF-Tag Confidential=True (Database: tag_database).

    1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.

    2. Under Permissions, select Data lake permissions.

    3. Choose Grant.

    4. Under Principals, select IAM users and roles.

    5. For IAM users and roles, choose lf-data-analyst.

    6. Under LF-Tags or catalog resources, select Resources matched by LF-Tags.

    7. Choose Add LF-tag.

    8. For Key, choose Confidential.

    9. For Values, choose True.

    10. For Database permissions, select Describe.

    11. For Table permissions, choose Select and Describe.

    12. Choose Grant.

  2. Next, repeat the steps to grant data analysts permissions for the LF-Tag expression Confidential=False. This LF-Tag is used to describe the col_tag_database and the table source_data_col_lvl when logged in as lf-data-analyst from Amazon Athena.

    1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.

    2. On the Databases page, select the database col_tag_database.

    3. Choose Action and Grant.

    4. Under Principals, select IAM users and roles.

    5. For IAM users and roles, choose lf-data-analyst.

    6. Select Resources matched by LF-Tags.

    7. Choose Add LF-Tag.

    8. For Key, choose Confidential.

    9. For Values, choose False.

    10. For Database permissions, select Describe.

    11. For Table permissions, do not select anything.

    12. Choose Grant.

  3. Next, repeat the steps to grant data analysts permissions for the LF-Tag expression Confidential=False and Sensitive=True. This LF-Tag is used to describe the col_tag_database and the table source_data_col_lvl (column-level) when logged in as lf-data-analyst from Amazon Athena.

    1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.

    2. On the Databases page, select the database col_tag_database.

    3. Choose Action and Grant.

    4. Under Principals, select IAM users and roles.

    5. For IAM users and roles, choose lf-data-analyst.

    6. Select Resources matched by LF-Tags.

    7. Choose Add LF-tag.

    8. For Key, choose Confidential.

    9. For Values, choose False.

    10. Choose Add LF-tag.

    11. For Key, choose Sensitive.

    12. For Values, choose True.

    13. For Database permissions, select Describe.

    14. For Table permissions, select Select and Describe.

    15. Choose Grant.
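
The three console grants above can also be written as Lake Formation GrantPermissions API requests, which makes the resulting access easy to review before it is applied. The following Python is an added example, not part of the AWS documentation: the account ID in the principal ARN is a placeholder, and `build_requests` and `apply_requests` are hypothetical helper names. Tag keys listed together in one expression are combined with AND.

```python
# Added example (not from the AWS page): the three console grants above as
# Lake Formation GrantPermissions requests. The account ID is a placeholder.
ANALYST_ARN = "arn:aws-cn:iam::111122223333:user/lf-data-analyst"  # assumed ARN

# (LF-Tag expression, database permissions, table permissions) per grant.
GRANTS = [
    ({"Confidential": ["True"]}, ["DESCRIBE"], ["SELECT", "DESCRIBE"]),
    ({"Confidential": ["False"]}, ["DESCRIBE"], []),
    ({"Confidential": ["False"], "Sensitive": ["True"]},
     ["DESCRIBE"], ["SELECT", "DESCRIBE"]),
]


def build_requests(principal_arn=ANALYST_ARN, grants=GRANTS):
    """Return one GrantPermissions request per non-empty permission set.

    The console form covers databases and tables in one dialog; the API
    takes one LFTagPolicy resource type (DATABASE or TABLE) per call.
    """
    requests = []
    for expression, db_perms, table_perms in grants:
        tag_expr = [{"TagKey": k, "TagValues": v} for k, v in expression.items()]
        for resource_type, perms in (("DATABASE", db_perms), ("TABLE", table_perms)):
            if not perms:  # grant 2 selects no table permissions
                continue
            requests.append({
                "Principal": {"DataLakePrincipalIdentifier": principal_arn},
                "Resource": {"LFTagPolicy": {"ResourceType": resource_type,
                                             "Expression": tag_expr}},
                "Permissions": perms,
            })
    return requests


def apply_requests(client, requests):
    """Send each request with a boto3 'lakeformation' client."""
    for req in requests:
        client.grant_permissions(**req)


if __name__ == "__main__":
    import json
    # Dry run: print the requests for review instead of calling AWS.
    print(json.dumps(build_requests(), indent=2))
```

To send the requests, pass a `boto3.client("lakeformation")` created with the lf-data-engineer credentials to `apply_requests`.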