Working with views - Amazon Lake Formation

Working with views

This feature is in preview release and is subject to change. For more information, see the Betas and Previews section in the Amazon Service Terms document.

In Amazon Glue Data Catalog, a view is a virtual table in which the contents are defined by a query that references one or more tables. You can create a view that references up to 10 tables using SQL editors for Amazon Athena, Amazon Redshift, or Amazon EMR. Underlying reference tables for a view can belong to the same database or different databases within the same Amazon Web Services account.

SQL is a programming language used for querying tables, and each Amazon analytical engine uses its own variation of SQL, or SQL dialect. The Data Catalog supports creating views using different SQL dialects as long as each dialect references the same set of tables, columns, and data types. By defining a common view schema and metadata object that you can query from multiple engines, Data Catalog views enable you to use uniform views across your data lake.

When you manage views in the Data Catalog, you can use Amazon Lake Formation to grant fine-grained permissions through the named resource method or using LF-Tags, and share them across Amazon Web Services accounts, Amazon organizations, and organizational units. You can also share Data Catalog views across Amazon Web Services Regions. This allows users to provide data access across Amazon Web Services Regions without duplicating the data source.

For more information on cross-account data sharing and cross-Region data access, see:

You can use Data Catalog views to:

  • Create and manage permissions on a single view schema. This helps you avoid the risk of inconsistent permissions on duplicate views created in multiple engines.

  • Grant permissions to users on a view that references multiple tables without granting permissions directly on the underlying reference tables.

For limitations, see Data Catalog views considerations and limitations.

Prerequisites for creating views

  • To create views in Data Catalog, you must register the underlying Amazon S3 data locations of the reference tables with Lake Formation.

    For details on registering data with Lake Formation, see Adding an Amazon S3 location to your data lake.

  • The view definer must be an IAM role. Other IAM identities can't create Data Catalog views.

  • The IAM role that defines the view must have the following permissions:

    • Full Lake Formation SELECT permission with Grantable option on all reference tables.

    • A trust policy for Lake Formation and Amazon Glue services to assume the role.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DataCatalogViewDefinerAssumeRole1",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "glue.amazonaws.com",
                "lakeformation.amazonaws.com"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

    • The iam:PassRole permission for Amazon Glue and Lake Formation.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "DataCatalogViewDefinerPassRole1",
            "Action": [
              "iam:PassRole"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
              "StringEquals": {
                "iam:PassedToService": [
                  "glue.amazonaws.com",
                  "lakeformation.amazonaws.com"
                ]
              }
            }
          }
        ]
      }

    • Amazon Glue and Lake Formation permissions.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "Glue:GetDatabase",
              "Glue:GetDatabases",
              "Glue:CreateTable",
              "Glue:GetTable",
              "Glue:UpdateTable",
              "Glue:DeleteTable",
              "Glue:GetTables",
              "Glue:SearchTables",
              "Glue:BatchGetPartition",
              "Glue:GetPartitions",
              "Glue:GetPartition",
              "Glue:GetTableVersion",
              "Glue:GetTableVersions",
              "lakeFormation:GetDataAccess",
              "lakeFormation:GetTemporaryTableCredentials",
              "lakeFormation:GetTemporaryGlueTableCredentials",
              "lakeFormation:GetTemporaryUserCredentialsWithSAML"
            ],
            "Resource": "*"
          }
        ]
      }

  • You can't create views if the database under which the view is being created has Super or ALL permission granted to the IAMAllowedPrincipals group. To revoke the Super permission from the IAMAllowedPrincipals group on a database, see Step 4: Switch your data stores to the Lake Formation permissions model.

    If your existing data lake settings don't allow you to set CreateTableDefaultPermissions empty for the IAMAllowedPrincipals group, you can create a new database and code the data lake setting using the following structure.

    {
      "DataLakeSettings": {
        "DataLakeAdmins": [
          {
            "DataLakePrincipalIdentifier": "arn:aws:iam::<AccountId>:user/<Username>"
          }
        ],
        "CreateTableDefaultPermissions": [
          {
            "Principal": {
              "DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"
            },
            "Permissions": []
          }
        ]
      }
    }
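
One way to check a definer role against the prerequisites above before creating a view, as an added example that is not part of the AWS documentation. The function name `audit_definer` and its finding strings are hypothetical, the inputs are constructed from the policies shown on this page, and only exact action names (no wildcards) are matched.

```python
REQUIRED = {"glue.amazonaws.com", "lakeformation.amazonaws.com"}

def _listify(v):
    # IAM JSON allows a single string wherever a list is accepted.
    return v if isinstance(v, list) else [v]

def _allows(stmt, action):
    # Action names are case-insensitive; wildcards are not expanded here.
    acts = {a.lower() for a in _listify(stmt.get("Action", []))}
    return stmt.get("Effect") == "Allow" and action in acts

def audit_definer(trust, passrole, settings):
    """Hypothetical helper (not an AWS API): return findings, [] if all checks pass."""
    findings, trusted, passed, unscoped = [], set(), set(), False
    for s in _listify(trust["Statement"]):
        principal = s.get("Principal", {})
        if _allows(s, "sts:assumerole") and isinstance(principal, dict):
            trusted.update(_listify(principal.get("Service", [])))
    for svc in sorted(REQUIRED - trusted):
        findings.append(f"trust policy: {svc} cannot assume the role")
    for s in _listify(passrole["Statement"]):
        if _allows(s, "iam:passrole"):
            cond = s.get("Condition", {}).get("StringEquals", {})
            if "iam:PassedToService" in cond:
                passed.update(_listify(cond["iam:PassedToService"]))
            else:
                unscoped = True  # role could be passed to any service
    if unscoped:
        findings.append("iam:PassRole allowed without iam:PassedToService")
    else:
        for svc in sorted(REQUIRED - passed):
            findings.append(f"iam:PassRole: role cannot be passed to {svc}")
    for d in settings["DataLakeSettings"].get("CreateTableDefaultPermissions", []):
        who = d.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if who == "IAM_ALLOWED_PRINCIPALS" and d.get("Permissions"):
            findings.append("IAM_ALLOWED_PRINCIPALS default permissions not empty")
    return findings

# Constructed inputs: the page's trust and PassRole policies and settings structure.
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": ["glue.amazonaws.com", "lakeformation.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}
PASSROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["iam:PassRole"], "Resource": "*", "Condition": {"StringEquals": {
    "iam:PassedToService": ["glue.amazonaws.com", "lakeformation.amazonaws.com"]}}}]}
SETTINGS = {"DataLakeSettings": {"CreateTableDefaultPermissions": [{
    "Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"},
    "Permissions": []}]}}

print(audit_definer(TRUST, PASSROLE, SETTINGS))
```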

Creating views

You can use SQL editors for Athena, Amazon Redshift, or Amazon EMR to create views in the Amazon Glue Data Catalog.

For more information about the syntax for creating and managing Data Catalog views, see:

After you create a Data Catalog view, you can see the details of the view in the Lake Formation console.

  1. Choose Views under Data Catalog in the Lake Formation console.

  2. A list of available views appears on the views page.

  3. Choose a view from the list and the details page shows the attributes of the view.

The lower section contains five tabs arranged horizontally, where each tab includes corresponding information.

Schema

Choose a Column row, and select Edit LF-Tags to update tag values or assign new LF-Tags.

SQL definitions

You can see a list of available SQL definitions. Select Add SQL definition, and choose a query engine to add a SQL definition. Choose a query engine (Athena or Amazon Redshift) under the Edit definition column to update a SQL definition.

LF-Tags

Choose Edit LF-Tags to edit values for a tag or assign new tags. You can use LF-Tags to grant permissions on views.

Cross-account access

You can see a list of Amazon Web Services accounts, organizations and organizational units (OUs) that you've shared the Data Catalog view with.

Underlying tables

The underlying tables referenced in the SQL definition used to create the view are shown under this tab.

Granting permissions on Data Catalog views

After creating views, you can grant data lake permissions on views to principals across Amazon Web Services accounts, organizations and organizational units. For more information on granting permissions, see Granting permissions on views using the named resource method.