Step 5: Run a query in Amazon Athena to verify the permissions
For this step, use Amazon Athena to run SELECT queries against the two tables (source_data and source_data_col_lvl). Use the Amazon S3 path s3://lf-tagbased-demo-<Account-ID>/athena-results/ as the query result location, where <Account-ID> is your own AWS account ID.
1. Sign in to the Athena console at https://console.amazonaws.cn/athena/ as lf-data-analyst.
2. In the Athena query editor, choose tag_database in the left panel.
3. Choose the additional menu options icon (three vertical dots) next to source_data and choose Preview table.
4. Choose Run query.

The query can take a few minutes to run. The result includes every column of the table because the LF-tag was associated at the database level, so the source_data table automatically inherited the LF-tag from the database tag_database.

5. Run another query using col_tag_database and source_data_col_lvl.

The second query returns only the two columns that were tagged as Non-Confidential and Sensitive; the columns without a matching tag grant are not part of the result.

You can also verify how the Lake Formation tag-based access policy behaves for columns on which you have no policy grant. When an untagged column of source_data_col_lvl is selected explicitly, Athena returns an error instead of the data. For example, run the following query to select the untagged column geolocationid:

SELECT geolocationid FROM "col_tag_database"."source_data_col_lvl" limit 10;
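The console steps above check three things by hand: the inherited database-level tag, the column-level tags, and the denial of an untagged column. The following script, added here as an example and not part of the original post, runs the same three queries as the lf-data-analyst principal through the Athena API and checks each outcome, so the permission check can be repeated after every grant change. It assumes an AWS CLI profile named lf-data-analyst for the analyst user, the result location from the post (replace <Account-ID> with your account ID), and that the untagged column name is geolocationid as in the query above; the table's other column names are not checked because the post does not list them.

```python
"""Automated check for the Step 5 Athena queries (added example, not the post's own code).

Runs the three queries from the step as the lf-data-analyst principal and
checks that each one succeeds or fails as the LF-tag grants require.
Assumptions: a CLI profile named "lf-data-analyst" exists, and the result
location below has <Account-ID> replaced with your own account ID.
"""
import time

RESULT_LOCATION = "s3://lf-tagbased-demo-<Account-ID>/athena-results/"  # placeholder from the post
PROFILE = "lf-data-analyst"  # assumed profile name for the analyst user
TERMINAL = {"SUCCEEDED", "FAILED", "CANCELLED"}

# Each check pairs a query with the outcome the tag grants should produce.
# "forbidden" lists columns that must not appear in a successful result set.
CHECKS = [
    {
        "name": "database-level LF-tag inherited by source_data",
        "sql": 'SELECT * FROM "tag_database"."source_data" LIMIT 10',
        "expect": "SUCCEEDED",
        "forbidden": (),
    },
    {
        "name": "column-level LF-tags on source_data_col_lvl",
        "sql": 'SELECT * FROM "col_tag_database"."source_data_col_lvl" LIMIT 10',
        "expect": "SUCCEEDED",
        "forbidden": ("geolocationid",),  # untagged, so no grant covers it
    },
    {
        "name": "explicit select of an untagged column is denied",
        "sql": 'SELECT geolocationid FROM "col_tag_database"."source_data_col_lvl" LIMIT 10',
        "expect": "FAILED",
        "forbidden": (),
    },
]


def evaluate_check(check, state, columns):
    """Decide whether an observed (state, column list) satisfies a check.

    Returns (ok, message). Kept free of AWS calls so it can be tested offline.
    """
    if state != check["expect"]:
        return False, f'{check["name"]}: expected {check["expect"]}, got {state}'
    leaked = [c for c in columns if c.lower() in check["forbidden"]]
    if leaked:
        return False, f'{check["name"]}: ungranted column(s) returned: {leaked}'
    return True, f'{check["name"]}: ok ({state})'


def run_query(athena, sql, output_location, timeout=900, poll=3):
    """Submit a query and poll until it reaches a terminal state."""
    qid = athena.start_query_execution(
        QueryString=sql,
        ResultConfiguration={"OutputLocation": output_location},
    )["QueryExecutionId"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        status = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]
        if status["State"] in TERMINAL:
            return qid, status["State"], status.get("StateChangeReason", "")
        time.sleep(poll)
    raise TimeoutError(f"query {qid} did not finish within {timeout}s")


def result_columns(athena, qid):
    """Column names of a finished query, read from the result set metadata."""
    results = athena.get_query_results(QueryExecutionId=qid, MaxResults=1)
    return [c["Name"] for c in results["ResultSet"]["ResultSetMetadata"]["ColumnInfo"]]


def main():
    import boto3  # imported here so evaluate_check stays usable without boto3 installed

    athena = boto3.Session(profile_name=PROFILE).client("athena")
    failures = 0
    for check in CHECKS:
        qid, state, reason = run_query(athena, check["sql"], RESULT_LOCATION)
        columns = result_columns(athena, qid) if state == "SUCCEEDED" else []
        ok, message = evaluate_check(check, state, columns)
        failures += not ok
        print(("PASS " if ok else "FAIL ") + message + (f" [{reason}]" if reason else ""))
    raise SystemExit(1 if failures else 0)


if __name__ == "__main__":
    main()
```

The third check treats a FAILED state as the expected result: if that query ever succeeds, a grant now covers geolocationid (or a tag was added to it) and the script exits non-zero. The second check guards the other direction, a SELECT * that quietly starts returning the untagged column.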