Amazon Lake Formation-managed datashares
With Amazon Redshift, you can access and share live data across Amazon accounts and Amazon Redshift clusters through Amazon Lake Formation-managed datashares. Amazon Lake Formation datashares enable data providers to securely share live data from their Amazon S3 data lake with any consumer, including other Amazon accounts and Amazon Redshift clusters.
Using Amazon Lake Formation, you can centrally define and enforce database, table, column, and row-level access permissions of Amazon Redshift datashares and restrict user access to objects within a datashare. By sharing data through Lake Formation, you can define permissions in Lake Formation and apply those permissions to any datashare and its objects. For example, if you have a table containing employee information, you can use Lake Formation's column-level filters to prevent employees who don't work in the HR department from seeing personally identifiable information (PII), such as a social security number. For more information about data filters, see Data filtering and cell-level security in Lake Formation in the Amazon Lake Formation Developer Guide.
You can also use tags in Lake Formation to configure permissions on Lake Formation resources. For more information, see Lake Formation Tag-based access control.
Amazon Redshift currently supports data sharing via Lake Formation when sharing within the same account or across accounts. Cross-Region sharing is currently not supported.
The following is a high-level overview of how to use Lake Formation to control datashare permissions:
-
In Amazon Redshift, the producer cluster or workgroup administrator creates a datashare on the producer cluster or workgroup and grants usage to a Lake Formation account.
-
The producer cluster or workgroup administrator authorizes the Lake Formation account to access the datashare.
-
The Lake Formation administrator discovers and registers the datashares. They must also discover the Amazon Glue ARNs they have access to and associate the datashares with an Amazon Glue Data Catalog ARN. If you're using the Amazon CLI, you can discover and accept datashares with the Redshift CLI operations describe-data-shares and associate-data-share-consumer. To register a datashare, use the Lake Formation CLI operation register-resource.
-
The Lake Formation administrator creates a federated database in the Amazon Glue Data Catalog, and configures Lake Formation permissions to control user access to objects within the datashare. For more information about federated databases in Amazon Glue, see Managing permissions for data in an Amazon Redshift datashare.
-
The Lake Formation administrator discovers the Amazon Glue databases they have access to and associates the datashare with an Amazon Glue Data Catalog ARN.
-
The Redshift administrator discovers the Amazon Glue database ARNs they have access to, creates an external database in the Amazon Redshift consumer cluster using an Amazon Glue database ARN, and grants usage to database users authenticated with IAM credentials so they can start querying the Amazon Redshift database.
-
Database users can use the views SVV_EXTERNAL_TABLES and SVV_EXTERNAL_COLUMNS to find all of the tables or columns within the Amazon Glue database that they have access to, and then they can query the Amazon Glue database’s tables.
-
When the producer cluster or workgroup administrator decides to no longer share the data with the consumer cluster, the producer administrator can revoke usage, deauthorize, or delete the datashare from Redshift. The associated permissions and objects in Lake Formation are not automatically deleted.
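The eight steps above, end to end, as an added example written for this page (it is not code from the Amazon Redshift or Lake Formation documentation). It wraps the AWS CLI; the producer and consumer SQL is sent through the Redshift Data API (aws redshift-data execute-statement). Every account ID, namespace ID, cluster and workgroup name, database, table, filter and IAM role is a constructed placeholder. Three details are assumptions, not taken from the page, and should be checked against the CLI and SQL references before use: the DataCatalog/<account-id> form of --consumer-identifier for a Data Catalog consumer, the WITH DATA CATALOG SCHEMA clause on the consumer's CREATE DATABASE, and shared tables appearing in the federated Glue database under schema.table names. With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example for the Lake Formation-managed datashare procedure; not from the AWS docs.
# All identifiers are constructed placeholders. DRY_RUN=1 (default) prints instead of calling AWS.
set -e

DRY_RUN="${DRY_RUN:-1}"
REGION="us-east-1"                      # cross-Region sharing is unsupported: one Region throughout
PRODUCER_ACCOUNT="111122223333"         # assumed: account that owns the producer namespace
LF_ACCOUNT="444455556666"               # assumed: account whose Lake Formation catalog receives the share
PRODUCER_NS="0b1d2e3f-0000-4000-8000-000000000001"   # assumed producer namespace ID
PRODUCER_CLUSTER="hr-producer"          # assumed RA3 producer cluster identifier
CONSUMER_WG="analytics-wg"              # assumed consumer serverless workgroup name
SHARE="hr_share"
FED_DB="hr_fed_db"                      # assumed name for the federated Glue database
FED_TABLE="public.employees"            # assumption: shared tables show up in Glue as schema.table
FILTER="no_pii"
ANALYST="arn:aws:iam::${LF_ACCOUNT}:role/hr-analyst"   # assumed consumer principal (IAM role)

datashare_arn() { printf 'arn:aws:redshift:%s:%s:datashare:%s/%s' "$REGION" "$PRODUCER_ACCOUNT" "$PRODUCER_NS" "$SHARE"; }
catalog_arn()   { printf 'arn:aws:glue:%s:%s:catalog' "$REGION" "$LF_ACCOUNT"; }
fed_db_arn()    { printf 'arn:aws:glue:%s:%s:database/%s' "$REGION" "$LF_ACCOUNT" "$FED_DB"; }

# Column-level filter: all rows, every column except the excluded one (PII stays on the producer).
# Combining a row expression with a column list would make it a cell-level filter, which is
# unsupported for these datashares; keep row filters and column filters as separate filters.
column_filter_json() {  # $1 = column to exclude
  printf '{"TableCatalogId":"%s","DatabaseName":"%s","TableName":"%s","Name":"%s",' "$LF_ACCOUNT" "$FED_DB" "$FED_TABLE" "$FILTER"
  printf '"RowFilter":{"AllRowsWildcard":{}},"ColumnWildcard":{"ExcludedColumnNames":["%s"]}}' "$1"
}
filter_resource_json() {  # the same filter as a grant/revoke resource
  printf '{"DataCellsFilter":{"TableCatalogId":"%s","DatabaseName":"%s","TableName":"%s","Name":"%s"}}' "$LF_ACCOUNT" "$FED_DB" "$FED_TABLE" "$FILTER"
}

run() { if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
producer_sql() { run aws redshift-data execute-statement --region "$REGION" --cluster-identifier "$PRODUCER_CLUSTER" --database dev --sql "$1"; }
consumer_sql() { run aws redshift-data execute-statement --region "$REGION" --workgroup-name "$CONSUMER_WG" --database dev --sql "$1"; }

# Steps 1-2: producer administrator creates the datashare, grants usage to the Lake Formation
# account via the Data Catalog, then authorizes that account.
producer_share() {
  producer_sql "CREATE DATASHARE ${SHARE};"
  producer_sql "ALTER DATASHARE ${SHARE} ADD SCHEMA public;"
  producer_sql "ALTER DATASHARE ${SHARE} ADD TABLE public.employees;"
  producer_sql "GRANT USAGE ON DATASHARE ${SHARE} TO ACCOUNT '${LF_ACCOUNT}' VIA DATA CATALOG;"
  # assumption: a Data Catalog consumer is identified as DataCatalog/<account-id>
  run aws redshift authorize-data-share --region "$REGION" --data-share-arn "$(datashare_arn)" --consumer-identifier "DataCatalog/${LF_ACCOUNT}"
}

# Steps 3-5: data lake administrator discovers and accepts the share, registers it, creates the
# federated database, and grants the analyst role SELECT only through the column filter.
lakeformation_admin() {
  run aws redshift describe-data-shares --region "$REGION" --data-share-arn "$(datashare_arn)"
  run aws redshift associate-data-share-consumer --region "$REGION" --data-share-arn "$(datashare_arn)" --consumer-arn "$(catalog_arn)"
  run aws lakeformation register-resource --region "$REGION" --resource-arn "$(datashare_arn)"
  run aws glue create-database --region "$REGION" --database-input \
    "{\"Name\":\"${FED_DB}\",\"FederatedDatabase\":{\"Identifier\":\"$(datashare_arn)\",\"ConnectionName\":\"aws:redshift\"}}"
  run aws lakeformation create-data-cells-filter --region "$REGION" --table-data "$(column_filter_json ssn)"
  run aws lakeformation grant-permissions --region "$REGION" --principal "DataLakePrincipalIdentifier=${ANALYST}" \
    --resource "{\"Database\":{\"Name\":\"${FED_DB}\"}}" --permissions DESCRIBE
  run aws lakeformation grant-permissions --region "$REGION" --principal "DataLakePrincipalIdentifier=${ANALYST}" \
    --resource "$(filter_resource_json)" --permissions SELECT
}

# Steps 6-7: consumer administrator creates a database from the Glue database ARN, grants usage
# to the IAM-authenticated analyst, who then lists what is visible through SVV_EXTERNAL_TABLES.
consumer_mount() {
  # assumption: exact form of the WITH DATA CATALOG SCHEMA clause
  consumer_sql "CREATE DATABASE hr_lf FROM ARN '$(fed_db_arn)' WITH DATA CATALOG SCHEMA 'hr';"
  consumer_sql "GRANT USAGE ON DATABASE hr_lf TO \"IAMR:hr-analyst\";"
  consumer_sql "SELECT schemaname, tablename FROM svv_external_tables;"
}

# Step 8: revoking on the Redshift side leaves the Lake Formation grants, filter and registration
# in place, so tear down both sides explicitly.
teardown() {
  run aws lakeformation revoke-permissions --region "$REGION" --principal "DataLakePrincipalIdentifier=${ANALYST}" \
    --resource "$(filter_resource_json)" --permissions SELECT
  run aws lakeformation delete-data-cells-filter --region "$REGION" --table-catalog-id "$LF_ACCOUNT" \
    --database-name "$FED_DB" --table-name "$FED_TABLE" --name "$FILTER"
  run aws lakeformation deregister-resource --region "$REGION" --resource-arn "$(datashare_arn)"
  run aws redshift deauthorize-data-share --region "$REGION" --data-share-arn "$(datashare_arn)" --consumer-identifier "DataCatalog/${LF_ACCOUNT}"
  producer_sql "DROP DATASHARE ${SHARE};"
}

producer_share; lakeformation_admin; consumer_mount
```

Run with DRY_RUN=0 only after replacing the placeholders, with credentials for the producer account for producer_share and teardown's last two commands, and for the Lake Formation account for the rest; the analyst role is granted SELECT solely through the data cells filter, so a SELECT * on the shared table from the consumer returns every column except ssn.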
For more information about sharing a datashare with Amazon Lake Formation as a producer cluster or workgroup administrator, see Working with Lake Formation-managed datashares as a producer. To consume the shared data from the producer cluster or workgroup, see Working with Lake Formation-managed datashares as a consumer.
Considerations and limitations when using Amazon Lake Formation with Amazon Redshift
The following are considerations and limitations for sharing Amazon Redshift data via Lake Formation. For information on data sharing considerations and limitations, see Considerations when using data sharing in Amazon Redshift. For information about Lake Formation limitations, see Notes on working with Amazon Redshift datashares in Lake Formation.
-
Sharing a datashare to Lake Formation across Regions is currently unsupported.
-
If column-level filters are defined for a user on a shared relation, performing a SELECT * operation returns only the columns the user has access to.
-
Cell-level filters from Lake Formation are unsupported.
-
If you create and share a view and its tables to Lake Formation, you can configure filters to manage access to the tables; Amazon Redshift enforces the Lake Formation-defined policies when consumer cluster users access shared objects. When a user accesses a view shared with Lake Formation, Redshift enforces only the Lake Formation policies defined on the view, not those defined on the tables the view references. When users access a table directly, Redshift enforces the Lake Formation policies defined on that table. A filter on an underlying table therefore does not restrict what a user sees through a shared view; define the filter on the view as well.
-
You can't create materialized views on the consumer based on a shared table if the table has Lake Formation filters configured.
-
The Lake Formation administrator must have data lake administrator permissions and the required permissions to accept a datashare.
-
Both the producer and the consumer must be RA3 clusters running the latest Amazon Redshift cluster version, or serverless workgroups, to share datashares via Lake Formation.
-
Both the producer and consumer clusters must be encrypted.
-
Redshift row-level and column-level access control policies implemented in the producer cluster or workgroup are ignored when the datashare is shared to Lake Formation. The Lake Formation administrator must configure these policies in Lake Formation. The producer cluster or workgroup administrator can turn off RLS for a table by using the ALTER TABLE command.
-
Sharing datashares via Lake Formation is only available to users who have access to both Redshift and Lake Formation.