Step 1: List users' and roles' existing permissions
To start using Amazon Lake Formation permissions with your existing Amazon Glue databases and tables, you must first determine your users’ existing permissions.
Important
Before you begin, ensure that you have completed the tasks in Getting started with Lake Formation.
Using the API operation
Use the Amazon Identity and Access Management (IAM) ListPoliciesGrantingServiceAccess API operation to determine the IAM policies attached to each principal (user or role). From the policies returned in the results, you can determine the IAM permissions that are granted to the principal. You must invoke the API for each principal separately.
The following Amazon CLI example returns the policies attached to user glue_user1.
aws iam list-policies-granting-service-access --arn arn:aws:iam::111122223333:user/glue_user1 --service-namespaces glue
The command returns results similar to the following.
{
    "PoliciesGrantingServiceAccess": [
        {
            "ServiceNamespace": "glue",
            "Policies": [
                {
                    "PolicyType": "INLINE",
                    "PolicyName": "GlueUserBasic",
                    "EntityName": "glue_user1",
                    "EntityType": "USER"
                },
                {
                    "PolicyType": "MANAGED",
                    "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
                    "PolicyName": "AmazonAthenaFullAccess"
                }
            ]
        }
    ],
    "IsTruncated": false
}
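Because the API must be invoked once per principal, the inventory is easiest to build with a short script. The following added example (not code from the Lake Formation guide) lists every user and role, calls ListPoliciesGrantingServiceAccess for each, and follows the Marker pagination of all three calls; the StubIam class at the bottom holds constructed sample data so the script runs offline, and a real boto3.client("iam") can be passed in its place.

```python
# Added example, not from the Lake Formation guide. `iam` is any object with
# the three boto3 IAM client methods used below; StubIam (constructed data)
# stands in for boto3.client("iam") so the code runs without an account.

def _paginate(method, result_key, **kwargs):
    """Yield items from an IAM list call, following Marker/IsTruncated pages."""
    marker = None
    while True:
        page = method(**(dict(kwargs, Marker=marker) if marker else kwargs))
        yield from page[result_key]
        if not page.get("IsTruncated"):
            return
        marker = page["Marker"]

def glue_policies_by_principal(iam, namespaces=("glue",)):
    """Map each user and role ARN to the policies granting it `namespaces` access."""
    arns = [u["Arn"] for u in _paginate(iam.list_users, "Users")]
    arns += [r["Arn"] for r in _paginate(iam.list_roles, "Roles")]
    inventory = {}
    for arn in arns:
        names = set()
        for entry in _paginate(iam.list_policies_granting_service_access,
                               "PoliciesGrantingServiceAccess",
                               Arn=arn, ServiceNamespaces=list(namespaces)):
            for policy in entry["Policies"]:
                # Managed policies carry a PolicyArn; inline ones only a PolicyName.
                names.add(policy.get("PolicyArn", policy["PolicyName"]))
        inventory[arn] = sorted(names)
    return inventory

class StubIam:
    """Constructed stand-in for boto3.client("iam"): one user, one role."""
    _user = "arn:aws:iam::111122223333:user/glue_user1"
    _role = "arn:aws:iam::111122223333:role/GlueETLRole"
    _policies = {
        _user: [{"PolicyType": "INLINE", "PolicyName": "GlueUserBasic"},
                {"PolicyType": "MANAGED", "PolicyName": "AmazonAthenaFullAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"}],
        _role: [{"PolicyType": "INLINE", "PolicyName": "GlueJobPolicy"}]}

    def list_users(self, **_):
        return {"Users": [{"Arn": self._user}], "IsTruncated": False}

    def list_roles(self, **_):
        return {"Roles": [{"Arn": self._role}], "IsTruncated": False}

    def list_policies_granting_service_access(self, Arn, ServiceNamespaces, **_):
        return {"PoliciesGrantingServiceAccess": [
            {"ServiceNamespace": ns, "Policies": self._policies[Arn]}
            for ns in ServiceNamespaces], "IsTruncated": False}
```

The output maps each principal ARN to policy names and managed-policy ARNs; the next step is to read each of those policies to see which databases, tables, and actions they allow.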
Using the Amazon Web Services Management Console
You can also see this information on the Amazon Identity and Access Management (IAM) console, in the Access Advisor tab on the user or role Summary page:
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Users or Roles.
- Choose a name in the list to open its Summary page, and choose the Access Advisor tab.
Inspect each of the policies to determine the combination of databases, tables, and actions that each user has permissions for.
Remember to inspect roles in addition to users during this process because your data processing jobs might be assuming roles to access data.
Using Amazon CloudTrail
Another way to determine your existing permissions is to look in Amazon CloudTrail for Amazon Glue API calls where the additionalEventData field of the log record contains an insufficientLakeFormationPermissions entry. This entry lists the database and table on which the user would need Lake Formation permissions to take the same action.
These are data access logs, so they are not guaranteed to produce a comprehensive list of users and their permissions. We recommend choosing a wide time range to capture most of your users’ data access patterns, for example, several weeks or months.
For more information, see Viewing Events with CloudTrail Event History in the Amazon CloudTrail User Guide.
Next, you can set up Lake Formation permissions to match the Amazon Glue permissions. See Step 2: Set up equivalent Lake Formation permissions.