Step 5: Run a query in Amazon Athena to verify the permissions - Amazon Lake Formation

Step 5: Run a query in Amazon Athena to verify the permissions

For this step, use Amazon Athena to run SELECT queries against the two tables (source_data and source_data_col_lvl). Use the Amazon S3 path as the query result location (s3://lf-tagbased-demo-Account-ID/athena-results/).

  1. Sign in to the Athena console at https://console.amazonaws.cn/athena/ as lf-data-analyst.

  2. In the Athena query editor, choose tag_database in the left panel.

  3. Choose the additional menu options icon (three vertical dots) next to source_data and choose Preview table.

  4. Choose Run query.

    The query should take a few minutes to run. The query displays all the columns in the output because the LF-tag is associated at the database level and the source_data table automatically inherited the LF-tag from the database tag_database.

  5. Run another query using col_tag_database and source_data_col_lvl.

    The second query returns the two columns that were tagged as Non-Confidential and Sensitive.

  6. You can also check the Lake Formation tag-based access policy behavior on columns for which you do not have policy grants. When an untagged column is selected from the table source_data_col_lvl, Athena returns an error. For example, you can run the following query to select the untagged column geolocationid:

    SELECT geolocationid FROM "col_tag_database"."source_data_col_lvl" limit 10;
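The three checks in this step can also be scripted so the grants are re-verified after any LF-tag change. The following is an added example, not part of the original tutorial: `run_query` and `verify` are hypothetical helper names, the `athena` argument is a boto3 Athena client created with the lf-data-analyst credentials, and Preview table is assumed to issue `SELECT * ... limit 10`.

```python
import time

OUTPUT = "s3://lf-tagbased-demo-Account-ID/athena-results/"  # from the page; substitute your account ID

CHECKS = [  # (database, query, should the analyst be allowed to run it?)
    ("tag_database", 'SELECT * FROM "tag_database"."source_data" limit 10;', True),
    ("col_tag_database", 'SELECT * FROM "col_tag_database"."source_data_col_lvl" limit 10;', True),
    ("col_tag_database", 'SELECT geolocationid FROM "col_tag_database"."source_data_col_lvl" limit 10;', False),
]

def run_query(athena, database, sql, output=OUTPUT, poll=2.0):
    """Run one query and return (final state, result column names, failure reason)."""
    qid = athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output},
    )["QueryExecutionId"]
    while True:  # Athena is asynchronous: poll until the query reaches a terminal state
        status = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]
        if status["State"] in ("SUCCEEDED", "FAILED", "CANCELLED"):
            break
        time.sleep(poll)
    if status["State"] != "SUCCEEDED":
        return status["State"], [], status.get("StateChangeReason", "")
    meta = athena.get_query_results(QueryExecutionId=qid, MaxResults=1)["ResultSet"]["ResultSetMetadata"]
    return "SUCCEEDED", [c["Name"] for c in meta["ColumnInfo"]], ""

def verify(athena, output=OUTPUT):
    """Return a list of findings; an empty list means the grants behave as this step describes."""
    findings = []
    for database, sql, should_succeed in CHECKS:
        state, columns, reason = run_query(athena, database, sql, output)
        if should_succeed and state != "SUCCEEDED":
            findings.append(f"expected access, got {state}: {sql} ({reason})")
        elif not should_succeed and state == "SUCCEEDED":
            findings.append(f"untagged column readable: {sql}")
        elif should_succeed and "source_data_col_lvl" in sql and (
                len(columns) != 2 or "geolocationid" in columns):
            # The page states that exactly two tagged columns are visible in this table.
            findings.append(f"column filter mismatch, got {columns}")
    return findings

if __name__ == "__main__":
    import boto3  # the default credentials must be those of lf-data-analyst
    print(verify(boto3.client("athena")) or "permissions match the tutorial")
```

A non-empty result from `verify` means either a query the analyst should be able to run was rejected, or an untagged column is readable, which indicates a grant broader than the tag policy intends.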