Configure Lake Formation Data Catalog settings in the producer account
Before you start this tutorial, you must have an Amazon Web Services account that you can use to sign in as an administrative user with correct permissions. For more information, see Complete initial Amazon configuration tasks.
The tutorial assumes that you are familiar with IAM. For information about IAM, see the IAM User Guide
Configure Lake Formation Data Catalog settings in the producer account
Note
In this tutorial, the account that has the source table is called the producer account, and the account that needs access to the source table is called a consumer account.
Lake Formation provides its own permission management model. To maintain backward compatibility with the IAM permission model, the Super permission is granted to the group IAMAllowedPrincipals on all existing Amazon Glue Data Catalog resources by default. Also, the Use only IAM access control settings are enabled for new Data Catalog resources. This tutorial uses Lake Formation permissions for fine-grained access control and IAM policies for coarse-grained access control. See Methods for fine-grained access control for details. Therefore, before you use an Amazon CloudFormation template for a quick setup, you need to change the Lake Formation Data Catalog settings in the producer account.
Important
This setting affects all newly created databases and tables, so we strongly recommend completing this tutorial in a non-production account or in a new account. Also, if you are using a shared account (such as your company's development account), make sure the change does not affect other users' resources. If you prefer to keep the default security settings, you must complete an extra step when sharing resources with other accounts, in which you revoke the default Super permission from IAMAllowedPrincipals on the database or table. We discuss the details later in this tutorial.
To configure Lake Formation Data Catalog settings in the producer account, complete the following steps:
1. Sign in to the Amazon Web Services Management Console using the producer account as an admin user, or as a user with the Lake Formation PutDataLakeSettings API permission.
2. On the Lake Formation console, in the navigation pane, under Data Catalog, choose Settings.
3. Deselect Use only IAM access control for new databases and Use only IAM access control for new tables in new databases.
4. Choose Save.
Additionally, you can remove the CREATE_DATABASE permission from IAMAllowedPrincipals under Administrative roles and tasks, Database creators. Only then can you govern who is allowed to create a new database through Lake Formation permissions.
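The two console check boxes above correspond to the CreateDatabaseDefaultPermissions and CreateTableDefaultPermissions fields of the Data Catalog settings, which by default grant ALL (Super) to the IAM_ALLOWED_PRINCIPALS group on every new database and table. The following added example, which is not code from the AWS tutorial, shows how to audit those fields in a GetDataLakeSettings response, produce the PutDataLakeSettings document that clears both grants, and print the CLI commands equivalent to step 3 and to removing IAMAllowedPrincipals from Database creators. The sample settings document and the account id in it are constructed placeholders, and no AWS call is made, so it runs offline.

```python
"""Audit and rewrite Lake Formation Data Catalog default-permission settings.

Added example, not code from the AWS tutorial. Works on the shape of the
GetDataLakeSettings response / PutDataLakeSettings input. The sample below is
constructed; the account id is a placeholder.
"""
from __future__ import annotations

import copy
import json
import shlex
from typing import Any

# Identifier Lake Formation uses for the IAMAllowedPrincipals group.
IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"

# Constructed sample of a fresh producer account's settings (placeholder account id).
SAMPLE_DEFAULT_SETTINGS: dict[str, Any] = {
    "DataLakeSettings": {
        "DataLakeAdmins": [
            {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/LakeFormationAdmin"}
        ],
        # "Use only IAM access control for new databases" checked:
        "CreateDatabaseDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
             "Permissions": ["ALL"]}
        ],
        # "Use only IAM access control for new tables in new databases" checked:
        "CreateTableDefaultPermissions": [
            {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS},
             "Permissions": ["ALL"]}
        ],
    }
}


def _grants_iam_allowed_principals(default_permissions: list[dict[str, Any]]) -> bool:
    """True if any default grant in the list goes to IAM_ALLOWED_PRINCIPALS."""
    return any(
        grant.get("Principal", {}).get("DataLakePrincipalIdentifier") == IAM_ALLOWED_PRINCIPALS
        for grant in default_permissions
    )


def iam_only_access_control(response: dict[str, Any]) -> dict[str, bool]:
    """Report whether 'Use only IAM access control' is effectively on for new databases / tables."""
    settings = response["DataLakeSettings"]
    return {
        "new_databases": _grants_iam_allowed_principals(settings.get("CreateDatabaseDefaultPermissions", [])),
        "new_tables": _grants_iam_allowed_principals(settings.get("CreateTableDefaultPermissions", [])),
    }


def lake_formation_managed_settings(response: dict[str, Any]) -> dict[str, Any]:
    """Return a DataLakeSettings document with both default grants removed.

    Sending this to PutDataLakeSettings is equivalent to clearing both check boxes.
    Existing databases and tables keep whatever IAMAllowedPrincipals already holds;
    only resources created afterwards are affected.
    """
    settings = copy.deepcopy(response["DataLakeSettings"])
    settings["CreateDatabaseDefaultPermissions"] = []
    settings["CreateTableDefaultPermissions"] = []
    return settings


def put_settings_cli(settings: dict[str, Any]) -> str:
    """AWS CLI command equivalent to saving the console change."""
    return (
        "aws lakeformation put-data-lake-settings --data-lake-settings "
        + shlex.quote(json.dumps(settings, separators=(",", ":")))
    )


def revoke_create_database_cli() -> str:
    """AWS CLI command that removes IAMAllowedPrincipals from 'Database creators'."""
    return (
        "aws lakeformation revoke-permissions "
        f"--principal DataLakePrincipalIdentifier={IAM_ALLOWED_PRINCIPALS} "
        "--permissions CREATE_DATABASE --resource '{\"Catalog\":{}}'"
    )


if __name__ == "__main__":
    print("before:", iam_only_access_control(SAMPLE_DEFAULT_SETTINGS))
    hardened = lake_formation_managed_settings(SAMPLE_DEFAULT_SETTINGS)
    print("after: ", iam_only_access_control({"DataLakeSettings": hardened}))
    print(put_settings_cli(hardened))
    print(revoke_create_database_cli())
```

In a real account you would feed `iam_only_access_control` the output of `aws lakeformation get-data-lake-settings` (or boto3's `get_data_lake_settings`) rather than the constructed sample; the audit function is useful on its own as a periodic check that nobody has re-enabled the IAM-only defaults in the producer account.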