Step 1: List users' and roles' existing permissions - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Step 1: List users' and roles' existing permissions

To start using Amazon Lake Formation permissions with your existing Amazon Glue databases and tables, you must first determine your users’ existing permissions.

Important

Before you begin, ensure that you have completed the tasks in Getting started with Lake Formation.

Using the API operation

Use the Amazon Identity and Access Management (IAM) ListPoliciesGrantingServiceAccess API operation to determine the IAM policies attached to each principal (user or role). From the policies returned in the results, you can determine the IAM permissions that are granted to the principal. You must invoke the API for each principal separately.

The following Amazon CLI example returns the policies attached to user glue_user1.

aws iam list-policies-granting-service-access --arn arn:aws:iam::111122223333:user/glue_user1 --service-namespaces glue

The command returns results similar to the following.

{
    "PoliciesGrantingServiceAccess": [
        {
            "ServiceNamespace": "glue",
            "Policies": [
                {
                    "PolicyType": "INLINE",
                    "PolicyName": "GlueUserBasic",
                    "EntityName": "glue_user1",
                    "EntityType": "USER"
                },
                {
                    "PolicyType": "MANAGED",
                    "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
                    "PolicyName": "AmazonAthenaFullAccess"
                }
            ]
        }
    ],
    "IsTruncated": false
}

Using the Amazon Web Services Management Console

You can also see this information on the Amazon Identity and Access Management (IAM) console, in the Access Advisor tab on the user or role Summary page:

  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. Choose a name in the list to open its Summary page, and choose the Access Advisor tab.

  4. Inspect each of the policies to determine the combination of databases, tables, and actions that each user has permissions for.

    Remember to inspect roles in addition to users during this process because your data processing jobs might be assuming roles to access data.

Using Amazon CloudTrail

Another way to determine your existing permissions is to look in Amazon CloudTrail for Amazon Glue API calls where the additionalEventData field of the log record contains an insufficientLakeFormationPermissions entry. This entry lists the database and table that the user needs Lake Formation permissions on to take the same action.

These are data access logs, so they are not guaranteed to produce a comprehensive list of users and their permissions. We recommend choosing a wide time range to capture most of your users’ data access patterns, for example, several weeks or months.

For more information, see Viewing Events with CloudTrail Event History in the Amazon CloudTrail User Guide.
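The following is an added example, not code from the Lake Formation documentation, showing how to turn a batch of CloudTrail records from the search described above into a per-principal list of the databases and tables that need Lake Formation permissions. The sample records are constructed; the key names inside the insufficientLakeFormationPermissions entry ("database" and "table") are an assumption, and assumed-role sessions are attributed to the role ARN from sessionContext.sessionIssuer so that jobs running under roles are not missed.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs). The key names inside
# insufficientLakeFormationPermissions ("database"/"table") are an assumption;
# match them to what your own Event History records show.
SAMPLE_EVENTS = [
    {"eventSource": "glue.amazonaws.com", "eventName": "GetTable",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/glue_user1"},
     "additionalEventData": {"insufficientLakeFormationPermissions": [
         {"database": "sales", "table": "orders"}]}},
    {"eventSource": "glue.amazonaws.com", "eventName": "GetPartitions",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/GlueJobRole/job-1",
                      "sessionContext": {"sessionIssuer": {
                          "arn": "arn:aws:iam::111122223333:role/GlueJobRole"}}},
     # CloudTrail may deliver this field as a JSON-encoded string
     "additionalEventData": json.dumps({"insufficientLakeFormationPermissions": [
         {"database": "sales", "table": "orders"},
         {"database": "sales", "table": "customers"}]})},
    # A call that succeeded carries no entry and must be ignored
    {"eventSource": "glue.amazonaws.com", "eventName": "GetDatabases",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/glue_user1"}},
]

def principal_of(event):
    """Attribute assumed-role sessions to the role ARN (from sessionIssuer),
    everything else to the caller ARN, so jobs running under roles surface."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")

def needed_permissions(events):
    """Map principal ARN -> sorted (database, table) pairs it needs Lake
    Formation permissions on, taken from Glue events that flag the gap."""
    needed = defaultdict(set)
    for ev in events:
        if ev.get("eventSource") != "glue.amazonaws.com":
            continue
        extra = ev.get("additionalEventData") or {}
        if isinstance(extra, str):  # tolerate the string-encoded form
            extra = json.loads(extra)
        for entry in extra.get("insufficientLakeFormationPermissions", []):
            needed[principal_of(ev)].add((entry.get("database", ""), entry.get("table", "")))
    return {p: sorted(t) for p, t in needed.items()}
```

Feed it the records you export from Event History (for example with `aws cloudtrail lookup-events` filtered to the glue event source) over the wide time window the text recommends.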

Next, you can set up Lake Formation permissions to match the Amazon Glue permissions. See Step 2: Set up equivalent Lake Formation permissions.