Step 3: Implement cross-account sharing using the tag-based access control method

In this section, we walk you through the following high-level steps:

  1. Define an LF-Tag.

  2. Assign the LF-Tag to the target resource.

  3. Grant LF-Tag permissions to the consumer account.

  4. Grant data permissions to the consumer account.

  5. Optionally, revoke permissions for IAMAllowedPrincipals on the database, tables, and columns.

  6. Create a resource link to the shared table.

  7. Create an LF-Tag and assign it to the target database.

  8. Grant LF-Tag data permissions to the consumer account.

Define an LF-Tag

Note

If you are signed in to your producer account, sign out before completing the following steps.

  1. Sign in to the producer account as the data lake administrator at https://console.amazonaws.cn/lakeformation/. Use the producer account number, IAM user name (the default is DatalakeAdminProducer), and password that you specified during Amazon CloudFormation stack creation.

  2. On the Lake Formation console (https://console.amazonaws.cn/lakeformation/), in the navigation pane, under Permissions, Administrative roles and tasks, choose LF-Tags.

  3. Choose Add LF-Tag.

Assign the LF-Tag to the target resource

Assign the LF-Tag to the target resource and grant data permissions to another account

As a data lake administrator, you can attach tags to resources. If you plan to use a separate role, you may have to grant describe and attach permissions to the separate role.

  1. In the navigation pane, under Data Catalog, select Databases.

  2. Select the target database (lakeformation_tutorial_cross_account_database_tbac) and on the Actions menu, choose Edit LF-Tags.

    For this tutorial, you assign an LF-Tag to a database, but you can also assign LF-Tags to tables and columns.

  3. Choose Assign new LF-Tag.

  4. Add the key Confidentiality and value public.

  5. Choose Save.

Grant LF-Tag permission to the consumer account

Still in the producer account, grant permissions to the consumer account to access the LF-Tag.

  1. In the navigation pane, under Permissions, Administrative roles and tasks, LF-Tag permissions, choose Grant.

  2. For Principals, choose External accounts.

  3. Enter the target Amazon Web Services account ID.

    Amazon Web Services accounts within the same organization appear automatically. Otherwise, you have to manually enter the Amazon Web Services account ID. As of this writing, Lake Formation tag-based access control does not support granting permission to organizations or organization units.

  4. For LF-Tags, choose the key and values of the LF-Tag that is being shared with the consumer account (key Confidentiality and value public).

  5. For Permissions, select Describe for LF-Tag permissions.

    LF-tag permissions are permissions given to the consumer account. Grantable permissions are permissions that the consumer account can grant to other principals.

  6. Choose Grant.

    At this point, the consumer data lake administrator should be able to find the policy tag being shared via the consumer account Lake Formation console, under Permissions, Administrative roles and tasks, LF-Tags.

Grant data permission to the consumer account

Now grant the consumer account data access by specifying an LF-Tag expression; the consumer account receives access to any database or table that matches the expression.

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.

  2. For Principals, choose External accounts, and enter the target Amazon Web Services account ID.

  3. For LF-Tags or catalog resources, choose the key and values of the LF-Tag that is being shared with the consumer account (key Confidentiality and value public).

  4. For Permissions, under Resources matched by LF-Tags (recommended) choose Add LF-Tag.

  5. Select the key and value of the tag that is being shared with the consumer account (key Confidentiality and value public).

  6. Under Database permissions, select Describe to grant access at the database level.

  7. The consumer data lake administrator should be able to find the policy tag being shared via the consumer account on the Lake Formation console at https://console.amazonaws.cn/lakeformation/, under Permissions, Administrative roles and tasks, LF-Tags.

  8. Select Describe under Grantable permissions so the consumer account can grant database-level permissions to its users.

  9. For Table and column permissions, select Select and Describe under Table permissions.

  10. Select Select and Describe under Grantable permissions.

  11. Choose Grant.

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)

At the very beginning of this tutorial, you changed the Lake Formation Data Catalog settings. If you skipped that part, this step is required; if you did change the settings, you can skip this step.

In this step, we need to revoke the default Super permission from IAMAllowedPrincipals on the database or table. See Step 4: Switch your data stores to the Lake Formation permissions model for details.

Before revoking permissions for IAMAllowedPrincipals, make sure that you have granted the existing IAM principals the permissions they need through Lake Formation. This takes three steps, in this order:

  1. Using an IAM policy, grant the target IAM user or role the Lake Formation GetDataAccess action.

  2. Grant the target IAM user or role Lake Formation data permissions (alter, select, and so on).

  3. Only then revoke permissions for IAMAllowedPrincipals. If you revoke first, existing IAM principals may no longer be able to access the target database or Data Catalog.

    Revoking the Super permission from IAMAllowedPrincipals is required when you want to manage user access with the Lake Formation permission model (instead of the IAM policy model), whether within a single account or across multiple accounts. You do not have to revoke IAMAllowedPrincipals permissions on other tables where you want to keep the traditional IAM policy model.

    At this point, the consumer account data lake administrator should be able to find the database and table being shared via the consumer account on the Lake Formation console at https://console.amazonaws.cn/lakeformation/, under Data Catalog, Databases. If not, confirm that the following are properly configured:

    1. The correct policy tag and values are assigned to the target databases and tables.

    2. The correct tag permission and data permission are assigned to the consumer account.

    3. The default Super permission has been revoked from IAMAllowedPrincipals on the database or table.
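The producer-side steps above (define the tag, attach it to the database, grant the LF-Tag permission and the tag-expression data permissions, then revoke Super from IAMAllowedPrincipals) expressed as boto3 Lake Formation request payloads. This is an added example, not code from the original walkthrough: the consumer account ID is a placeholder, the pre-revoke guard is a heuristic of my own that only checks that some principal other than IAMAllowedPrincipals already holds a Lake Formation grant on the database, and the console's single data-permission grant becomes two LFTagPolicy grants in the API (one for DATABASE, one for TABLE).

```python
PRODUCER_DB = "lakeformation_tutorial_cross_account_database_tbac"
CONSUMER = {"DataLakePrincipalIdentifier": "111122223333"}  # placeholder consumer account ID
TAG = {"TagKey": "Confidentiality", "TagValues": ["public"]}
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"   # API identifier for the IAMAllowedPrincipals group

def producer_requests() -> list:
    """Steps 1-4 in order, as (boto3 lakeformation method, kwargs) pairs."""
    return [
        # Step 1: define the LF-Tag (the page only lists the value it later uses).
        ("create_lf_tag", dict(TAG)),
        # Step 2: attach Confidentiality=public to the producer database.
        ("add_lf_tags_to_resource",
         {"Resource": {"Database": {"Name": PRODUCER_DB}}, "LFTags": [TAG]}),
        # Step 3: LF-Tag permission: the consumer account may Describe the tag itself.
        ("grant_permissions",
         {"Principal": CONSUMER, "Resource": {"LFTag": TAG}, "Permissions": ["DESCRIBE"]}),
        # Step 4: data permissions on everything matching the tag expression; the grant
        # option is what lets the consumer admin re-grant to its own users.
        ("grant_permissions",
         {"Principal": CONSUMER,
          "Resource": {"LFTagPolicy": {"ResourceType": "DATABASE", "Expression": [TAG]}},
          "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": ["DESCRIBE"]}),
        ("grant_permissions",
         {"Principal": CONSUMER,
          "Resource": {"LFTagPolicy": {"ResourceType": "TABLE", "Expression": [TAG]}},
          "Permissions": ["SELECT", "DESCRIBE"],
          "PermissionsWithGrantOption": ["SELECT", "DESCRIBE"]}),
    ]

def safe_to_revoke_iam_allowed(list_permissions_page: dict) -> bool:
    """Step 5 guard (heuristic): revoke Super from IAMAllowedPrincipals only after some
    other principal holds a Lake Formation grant here, or existing IAM users lose access."""
    for entry in list_permissions_page.get("PrincipalResourcePermissions", []):
        if entry["Principal"]["DataLakePrincipalIdentifier"] != IAM_ALLOWED and entry.get("Permissions"):
            return True
    return False

def revoke_iam_allowed_request() -> dict:
    # Step 5: the console's "Super" permission is ALL in the API.
    return {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
            "Resource": {"Database": {"Name": PRODUCER_DB}}, "Permissions": ["ALL"]}

if __name__ == "__main__":  # apply against a real account (needs boto3 and credentials)
    import boto3
    lf = boto3.client("lakeformation")
    for method, kwargs in producer_requests():
        getattr(lf, method)(**kwargs)
    page = lf.list_permissions(Resource={"Database": {"Name": PRODUCER_DB}})
    if safe_to_revoke_iam_allowed(page):
        lf.revoke_permissions(**revoke_iam_allowed_request())
```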

Create a resource link to the shared table

When a resource is shared between accounts, it is not placed in the consumer account's Data Catalog. To make shared resources available, and to query the underlying data of a shared table using services like Athena, you need to create a resource link to the shared table. A resource link is a Data Catalog object that is a link to a local or shared database or table. For details, see Creating resource links. By creating a resource link, you can:

  • Assign a different name to a database or table that aligns with your Data Catalog resource naming policies.

  • Use services such as Athena and Redshift Spectrum to query shared databases or tables.

To create a resource link, complete the following steps:

  1. If you are signed into your consumer account, sign out.

  2. Sign in as the consumer account data lake administrator. Use the consumer account ID, IAM user name (default DatalakeAdminConsumer) and password that you specified during Amazon CloudFormation stack creation.

  3. On the Lake Formation console (https://console.amazonaws.cn/lakeformation/), in the navigation pane, under Data Catalog, Databases, choose the shared database lakeformation_tutorial_cross_account_database_tbac.

    If you don’t see the database, revisit the previous steps to see if everything is properly configured.

  4. Choose View Tables.

  5. Choose the shared table amazon_reviews_table_tbac.

  6. On the Actions menu, choose Create resource link.

  7. For Resource link name, enter a name (for this tutorial, amazon_reviews_table_tbac_resource_link).

  8. Under Database, select the database that the resource link is created in (for this post, the Amazon CloudFormation stack created the database lakeformation_tutorial_cross_account_database_consumer).

  9. Choose Create.

    The resource link appears under Data catalog, Tables.

Create an LF-tag and assign it to the target database

Lake Formation tags reside in the same Data Catalog as the resources. This means that tags created in the producer account are not available to use when granting access to the resource links in the consumer account. You need to create a separate set of LF-tags in the consumer account to use LF tag-based access control when sharing the resource links in the consumer account.

  1. Define the LF-tag in the consumer account. For this tutorial, we use key Division and values sales, marketing, and analyst.

  2. Assign the LF-tag key Division and value analyst to the database lakeformation_tutorial_cross_account_database_consumer, where the resource link is created.

Grant LF-tag data permission to the consumer

As a final step, grant LF-tag data permission to the consumer.

  1. In the navigation pane, under Permissions, Data lake permissions, choose Grant.

  2. For Principals, choose IAM users and roles, and choose the user DataAnalyst.

  3. For LF-tags or catalog resources, choose Resources matched by LF-Tags (recommended).

  4. Choose key Division and value analyst.

  5. For Database permissions, select Describe under Database permissions.

  6. For Table and column permissions, select Select and Describe under Table permissions.

  7. Choose Grant.

  8. Repeat these steps for user DataAnalyst, where the LF-Tag key is Confidentiality and value is public.

    At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console at https://console.amazonaws.cn/athena/. If not, confirm that the following are properly configured:

    • The resource link is created for the shared table.

    • You granted the user access to the LF-Tag shared by the producer account.

    • You granted the user access to the LF-Tag associated with the resource link and with the database that the resource link is created in.

    • You assigned the correct LF-Tag to the resource link and to the database that the resource link is created in.