Step 4: Implement the named resource method - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 4: Implement the named resource method

To use the named resource method, we walk you through the following high-level steps:

  1. Optionally, revoke permission for IAMAllowedPrincipals on the database, tables, and columns.

  2. Grant data permission to the consumer account.

  3. Accept a resource share from Amazon Resource Access Manager.

  4. Create a resource link for the shared table.

  5. Grant data permission for the shared table to the consumer.

  6. Grant data permission for the resource link to the consumer.

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)
  • At the very beginning of this tutorial, we changed Lake Formation Data Catalog settings. If you skipped that part, this step is required. For instructions, see the optional step in the previous section.

Grant data permission to the consumer account
  1. Note

    If you're signed in to the producer account as another user, sign out first.

    Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as the producer account data lake administrator, using the Amazon Web Services account ID, IAM user name (default is DatalakeAdminProducer), and password specified during Amazon CloudFormation stack creation.

  2. On the Permissions page, under Data lake Permissions choose Grant.

  3. Under Principals, choose External accounts, and enter one or more Amazon Web Services account IDs or Amazon Organizations organization IDs. For more information, see Amazon Organizations.

    Organizations that the producer account belongs to and Amazon Web Services accounts within the same organization appear automatically. Otherwise, manually enter the account ID or organization ID.

  4. For LF-Tags or catalog resources, choose Named data catalog resources.

  5. Under Databases, choose the database lakeformation_tutorial_cross_account_database_named_resource.

  6. Under Tables, choose All tables.

  7. For Table and column permissions, select Select and Describe under Table permissions.

  8. Select Select and Describe under Grantable permissions. The grant option is what lets the consumer account's data lake administrator grant these permissions on to principals in its own account later in this step; without it the consumer can see the share but cannot delegate access.

  9. Optionally, for Data permissions, choose Simple column-based access if column-level permission management is required.

  10. Choose Grant.

If you have not revoked permission for IAMAllowedPrincipals, you get a Grant permissions failed error: Lake Formation does not share a Data Catalog resource with another account while the IAMAllowedPrincipals group (the legacy IAM-only access control) still holds permissions on it. After a successful grant, you should see the target table being shared via Amazon RAM with the consumer account under Permissions, Data lake permissions.

Accept a resource share from Amazon RAM
Note

This step is required only for Amazon Web Services account-based sharing, not for organization-based sharing.

  1. Sign in to the Amazon RAM console at https://console.amazonaws.cn/ram/ as the consumer account data lake administrator, using the IAM user name (default is DatalakeAdminConsumer) and password specified during Amazon CloudFormation stack creation.

  2. On the Amazon RAM console, in the navigation pane, under Shared with me, Resource shares, choose the shared Lake Formation resource. The Status should be Pending.

  3. Choose Action and Grant.

  4. Confirm the resource details, and choose Accept resource share.

    At this point, the consumer account data lake administrator should be able to find the shared resource on the Lake Formation console (https://console.amazonaws.cn/lakeformation/) under Data Catalog, Databases.

Create a resource link for the shared table
Grant data permission for the shared table to the consumer

To grant data permission for the shared table to the consumer, complete the following steps:

  1. On the Lake Formation console (https://console.amazonaws.cn/lakeformation/), under Permissions, Data lake permissions, choose Grant.

  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.

  3. For LF-Tags or catalog resources, choose Named data catalog resources.

  4. Under Databases, choose the database lakeformation_tutorial_cross_account_database_named_resource. If you don’t see the database on the drop-down list, choose Load more.

  5. Under Tables, choose the table amazon_reviews_table_named_resource.

  6. For Table and column permissions, select Select and Describe under Table permissions.

  7. Choose Grant.

Grant data permission for the resource link to the consumer

In addition to granting the data lake user permission to access the shared table, you also need to grant the data lake user permission to access the resource link.

  1. On the Lake Formation console (https://console.amazonaws.cn/lakeformation/), under Permissions, Data lake permissions, choose Grant.

  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.

  3. For LF-Tags or catalog resources, choose Named data catalog resources.

  4. Under Databases, choose the database lakeformation_tutorial_cross_account_database_consumer. If you don’t see the database on the drop-down list, choose Load more.

  5. Under Tables, choose the table amazon_reviews_table_named_resource_resource_link.

  6. Under Resource link permissions, select Describe.

  7. Choose Grant.

    At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console.

    If not, confirm that the following are properly configured:

    • The resource link is created for the shared table

    • You granted the user access to the table shared by the producer account

    • You granted the user access to the resource link and database for which the resource link is created
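The steps of this section, and the troubleshooting list just above, expressed as the underlying Lake Formation, Glue and RAM API calls. This is an added example, not code from the Amazon documentation or a Lake Formation tool. The account IDs, the DataAnalyst ARN (using the aws-cn partition) and the snapshot fed to the checker are constructed placeholders; the database, table and resource link names are the tutorial's own, and the parameter shapes are those of GrantPermissions, RevokePermissions, CreateTable (TargetTable for a resource link) and ListPermissions.

```python
"""Cross-account sharing with the named resource method, as Lake Formation,
Glue and RAM API calls instead of console clicks. Added example, not part of
the Amazon documentation. Account IDs, the DataAnalyst ARN and the snapshot
fed to the checker are constructed placeholders; database, table and resource
link names are the tutorial's own. Builders return request parameters so they
can be inspected offline; apply_consumer_side() sends them via boto3 clients."""

PRODUCER_ACCOUNT = "111111111111"  # assumption: producer account ID
CONSUMER_ACCOUNT = "222222222222"  # assumption: consumer account ID
ANALYST_ARN = f"arn:aws-cn:iam::{CONSUMER_ACCOUNT}:user/DataAnalyst"  # assumption
PRODUCER_DB = "lakeformation_tutorial_cross_account_database_named_resource"
CONSUMER_DB = "lakeformation_tutorial_cross_account_database_consumer"
SHARED_TABLE = "amazon_reviews_table_named_resource"
RESOURCE_LINK = "amazon_reviews_table_named_resource_resource_link"


def _table(catalog_id, database, name=None):
    """Table resource; without a name it is the console's 'All tables' wildcard."""
    t = {"CatalogId": catalog_id, "DatabaseName": database}
    t.update({"Name": name} if name else {"TableWildcard": {}})
    return {"Table": t}


def _entry(principal, resource, permissions, grantable=()):
    """GrantPermissions/RevokePermissions parameters (same shape ListPermissions returns)."""
    e = {"Principal": {"DataLakePrincipalIdentifier": principal},
         "Resource": resource, "Permissions": list(permissions)}
    if grantable:
        e["PermissionsWithGrantOption"] = list(grantable)
    return e


def revoke_iam_allowed_principals(catalog_id, database):
    """Optional step 1 (producer): remove the legacy IAMAllowedPrincipals
    (ALL/Super) grant from the database and from every table in it."""
    db = {"Database": {"CatalogId": catalog_id, "Name": database}}
    return [_entry("IAM_ALLOWED_PRINCIPALS", db, ["ALL"]),
            _entry("IAM_ALLOWED_PRINCIPALS", _table(catalog_id, database), ["ALL"])]


def grant_to_consumer_account(catalog_id, consumer_account, database):
    """Step 2 (producer): SELECT/DESCRIBE on all tables, grantable so the
    consumer's data lake admin can re-grant to its own users."""
    return _entry(consumer_account, _table(catalog_id, database),
                  ["SELECT", "DESCRIBE"], ["SELECT", "DESCRIBE"])


def resource_link_table_input(link_name, producer_catalog_id, database, table):
    """Step 4 (consumer): a resource link is a Glue table whose TargetTable
    points at the producer's table; pass this as TableInput to CreateTable."""
    return {"Name": link_name, "TargetTable": {
        "CatalogId": producer_catalog_id, "DatabaseName": database, "Name": table}}


def grants_to_analyst(principal_arn, producer_catalog_id, consumer_catalog_id):
    """Steps 5 and 6 (consumer): SELECT/DESCRIBE on the shared table (it lives
    in the producer's catalog) and DESCRIBE on the link in the consumer's."""
    return [_entry(principal_arn, _table(producer_catalog_id, PRODUCER_DB, SHARED_TABLE),
                   ["SELECT", "DESCRIBE"]),
            _entry(principal_arn, _table(consumer_catalog_id, CONSUMER_DB, RESOURCE_LINK),
                   ["DESCRIBE"])]


def check_consumer_access(principal_arn, link_table, permissions):
    """The closing checklist, run against the Table from glue.get_table() for the
    link and the entries from lakeformation.list_permissions(Principal=...).
    Returns the problems found; an empty list means the analyst can query."""
    target = link_table.get("TargetTable")
    if not target:
        return [f"{link_table['Name']} is a plain table, not a resource link"]

    def missing(table, needed):  # permissions the principal still lacks on one table
        for entry in permissions:
            if entry["Principal"]["DataLakePrincipalIdentifier"] != principal_arn:
                continue
            t = entry.get("Resource", {}).get("Table", {})
            if all(t.get(k) == table[k] for k in ("CatalogId", "DatabaseName", "Name")):
                needed = needed - set(entry["Permissions"])
        return needed

    problems = []
    lost = missing(target, {"SELECT", "DESCRIBE"})
    if lost:
        problems.append(f"missing {sorted(lost)} on shared table {target['Name']}")
    link = {k: link_table[k] for k in ("CatalogId", "DatabaseName", "Name")}
    if missing(link, {"DESCRIBE"}):  # DESCRIBE on the database is implied by this
        problems.append(f"missing DESCRIBE on resource link {link['Name']}")
    return problems


def apply_consumer_side(ram, glue, lf):
    """Steps 3 to 6 with boto3 clients created under the consumer account's data
    lake administrator: accept the pending RAM invitation from the producer,
    create the resource link, then grant the analyst on table and link."""
    for inv in ram.get_resource_share_invitations()["resourceShareInvitations"]:
        if inv["status"] == "PENDING" and inv["senderAccountId"] == PRODUCER_ACCOUNT:
            ram.accept_resource_share_invitation(
                resourceShareInvitationArn=inv["resourceShareInvitationArn"])
    glue.create_table(DatabaseName=CONSUMER_DB, TableInput=resource_link_table_input(
        RESOURCE_LINK, PRODUCER_ACCOUNT, PRODUCER_DB, SHARED_TABLE))
    for params in grants_to_analyst(ANALYST_ARN, PRODUCER_ACCOUNT, CONSUMER_ACCOUNT):
        lf.grant_permissions(**params)


# Constructed snapshot of what the consumer account sees after steps 4 to 6.
SAMPLE_LINK = {"CatalogId": CONSUMER_ACCOUNT, "DatabaseName": CONSUMER_DB,
               "Name": RESOURCE_LINK, "TargetTable": {
                   "CatalogId": PRODUCER_ACCOUNT, "DatabaseName": PRODUCER_DB,
                   "Name": SHARED_TABLE}}
SAMPLE_PERMISSIONS = grants_to_analyst(ANALYST_ARN, PRODUCER_ACCOUNT, CONSUMER_ACCOUNT)
```

On the producer side, pass each dict from revoke_iam_allowed_principals() to lf.revoke_permissions(**params) and the one from grant_to_consumer_account() to lf.grant_permissions(**params), using a lakeformation client under the producer administrator's credentials. To diagnose a consumer who cannot query, feed check_consumer_access() the real glue.get_table() Table for the link and the PrincipalResourcePermissions from lakeformation.list_permissions(Principal=...); each returned string maps to one item of the checklist above, and the order (shared table first, then link) matches the order in which the grants are made.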