Amazon Lake Formation-managed datashares - Amazon Redshift


Amazon Lake Formation-managed datashares

With Amazon Redshift, you can access and share live data across Amazon accounts and Amazon Redshift clusters through Amazon Lake Formation-managed datashares. Amazon Lake Formation datashares enable data providers to securely share live data from their Amazon S3 data lake with any consumer, including other Amazon accounts and Amazon Redshift clusters.

Using Amazon Lake Formation, you can centrally define and enforce database, table, column, and row-level access permissions of Amazon Redshift datashares and restrict user access to objects within a datashare. By sharing data through Lake Formation, you can define permissions in Lake Formation and apply those permissions to any datashare and its objects. For example, if you have a table containing employee information, you can use Lake Formation's column-level filters to prevent employees who don't work in the HR department from seeing personally identifiable information (PII), such as a social security number. For more information about data filters, see Data filtering and cell-level security in Lake Formation in the Amazon Lake Formation Developer Guide.

You can also use tags in Lake Formation to configure permissions on Lake Formation resources. For more information, see Lake Formation Tag-based access control.

Amazon Redshift currently supports data sharing via Lake Formation within the same account or across accounts. Cross-Region sharing is not supported.

The following is a high-level overview of how to use Lake Formation to control datashare permissions:

  1. In Amazon Redshift, the producer cluster or workgroup administrator creates a datashare on the producer cluster or workgroup and grants usage to a Lake Formation account.

  2. The producer cluster or workgroup administrator authorizes the Lake Formation account to access the datashare.

  3. The Lake Formation administrator discovers and registers the datashares. They must also discover the Amazon Glue ARNs they have access to and associate the datashares with an Amazon Glue Data Catalog ARN. If you're using the Amazon CLI, you can discover and accept datashares with the Redshift CLI operations describe-data-shares and associate-data-share-consumer. To register a datashare, use the Lake Formation CLI operation register-resource.

  4. The Lake Formation administrator creates a federated database in the Amazon Glue Data Catalog, and configures Lake Formation permissions to control user access to objects within the datashare. For more information about federated databases in Amazon Glue, see Managing permissions for data in an Amazon Redshift datashare.

  5. The Lake Formation administrator discovers the Amazon Glue databases they have access to and associates the datashare with an Amazon Glue Data Catalog ARN.

  6. The Redshift administrator discovers the Amazon Glue database ARNs they have access to, creates an external database in the Amazon Redshift consumer cluster using an Amazon Glue database ARN, and grants usage to database users authenticated with IAM credentials so that they can start querying the Amazon Redshift database.

  7. Database users can use the views SVV_EXTERNAL_TABLES and SVV_EXTERNAL_COLUMNS to find all of the tables or columns within the Amazon Glue database that they have access to, and then they can query the Amazon Glue database’s tables.

  8. When the producer cluster or workgroup administrator decides to no longer share the data with the consumer cluster, the producer administrator can revoke usage, deauthorize, or delete the datashare from Redshift. The associated permissions and objects in Lake Formation are not automatically deleted.
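Because step 8 leaves Lake Formation permissions in place after a datashare is revoked, deauthorized, or deleted, the following added example (not part of the Amazon documentation) flags grants that still point at such a datashare. It assumes input dicts shaped like the responses of Redshift describe-data-shares, Amazon Glue get-databases, and Lake Formation list-permissions; treating DEAUTHORIZED and REJECTED as "no longer shared" is this example's assumption, and all ARNs, names, and principals are constructed.

```python
# Added example. Inputs are dicts shaped like the AWS API responses, so it runs
# offline; every ARN, database name and principal below is constructed.
REVOKED = {"DEAUTHORIZED", "REJECTED"}  # assumption: statuses treated as "no longer shared"

def stale_grants(datashares, glue_dbs, lf_perms):
    """Lake Formation grants on federated databases whose datashare is gone or deauthorized."""
    live = {ds["DataShareArn"] for ds in datashares.get("DataShares", [])
            if any(a.get("Status") not in REVOKED for a in ds.get("DataShareAssociations", []))}
    stale_dbs = set()
    for db in glue_dbs.get("DatabaseList", []):
        share_arn = db.get("FederatedDatabase", {}).get("Identifier", "")
        if ":datashare:" in share_arn and share_arn not in live:
            stale_dbs.add(db["Name"])
    findings = []
    for entry in lf_perms.get("PrincipalResourcePermissions", []):
        for kind, res in entry.get("Resource", {}).items():
            # Database resources carry "Name"; table-level ones carry "DatabaseName".
            db_name = res.get("Name") if kind == "Database" else res.get("DatabaseName")
            if db_name in stale_dbs:
                principal = entry["Principal"]["DataLakePrincipalIdentifier"]
                findings.append((principal, db_name, tuple(entry.get("Permissions", []))))
    return sorted(findings)

def _share(name, status=None):
    arn = f"arn:aws:redshift:us-east-1:111122223333:datashare:00000000-0000-0000-0000-000000000001/{name}"
    return arn, {"DataShareArn": arn, "DataShareAssociations": [{"Status": status}] if status else []}
HR_ARN, HR = _share("hr_share", "ACTIVE")
SALES_ARN, SALES = _share("sales_share", "DEAUTHORIZED")
GONE_ARN, _ = _share("gone_share")  # deleted on the producer: absent from describe-data-shares
SAMPLE_SHARES = {"DataShares": [HR, SALES]}
SAMPLE_GLUE = {"DatabaseList": [
    {"Name": "hr_db", "FederatedDatabase": {"Identifier": HR_ARN}},
    {"Name": "sales_db", "FederatedDatabase": {"Identifier": SALES_ARN}},
    {"Name": "old_db", "FederatedDatabase": {"Identifier": GONE_ARN}},
    {"Name": "plain_db"},  # ordinary Glue database, not backed by a datashare
]}

def _grant(role, resource, perms):
    return {"Principal": {"DataLakePrincipalIdentifier": f"arn:aws:iam::444455556666:role/{role}"},
            "Resource": resource, "Permissions": perms}
SAMPLE_PERMS = {"PrincipalResourcePermissions": [
    _grant("hr-analyst", {"Table": {"DatabaseName": "hr_db", "Name": "employees"}}, ["SELECT"]),
    _grant("sales-analyst", {"Database": {"Name": "sales_db"}}, ["DESCRIBE"]),
    _grant("etl", {"TableWithColumns": {"DatabaseName": "old_db", "Name": "orders", "ColumnNames": ["id"]}}, ["SELECT"]),
    _grant("etl", {"Database": {"Name": "plain_db"}}, ["ALL"]),
]}

if __name__ == "__main__":
    print(stale_grants(SAMPLE_SHARES, SAMPLE_GLUE, SAMPLE_PERMS))
```

Each finding is a grant the Lake Formation administrator should review and revoke, since the producer-side action did not remove it.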

For more information about sharing a datashare with Amazon Lake Formation as a producer cluster or workgroup administrator, see Working with Lake Formation-managed datashares as a producer. To consume the shared data from the producer cluster or workgroup, see Working with Lake Formation-managed datashares as a consumer.