Federate to Databricks Unity Catalog - Amazon Lake Formation
PrerequisitesCreate Federated CatalogConsiderations when integrating with Databricks
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Federate to Databricks Unity Catalog

Amazon Glue Data Catalog federates to Databricks using the OAuth2 credentials of a Databricks service principal. This authentication mechanism allows Amazon Glue Data Catalog to access the metadata of various objects (such as catalogs, databases, and tables) in Databricks Unity Catalog, based on the privileges associated with the service principal. To ensure access to the right objects, it is essential to grant the service principal with the necessary permissions in Databricks to read metadata of these objects.

Next, catalog federation enables discovery and query of Iceberg tables in your Databricks Unity Catalog. To read delta tables, please ensure Iceberg metadata is available for these tables using Uniform. Follow the Databricks tutorial and documentation to create the service principal and associated privileges in your Databricks workspace.

Prerequisites

Before you create a federated catalog in Data Catalog that is governed by Lake Formation, ensure you have the following permissions:

Your IAM principal (user or role) must have the following permissions:

  • Lake Formation permissionslakeformation:RegisterResource, lakeformation:DescribeResource

  • Amazon Glue permissionsglue:CreateConnection, glue:CreateCatalog, glue:GetConnection

  • Secrets Manager permissionssecretsmanager:CreateSecret, secretsmanager:GetSecretValue

  • IAM permissionsiam:CreateRole, iam:AttachRolePolicy, iam:PassRole

You must be a Lake Formation data lake administrator or have CREATE_CATALOG permission on the Data Catalog

Create Federated Catalog

  1. Sign in to the the console and open the Lake Formation console at https://console.amazonaws.cn/lakeformation/.

  2. Choose the preferred Amazon region in the top-right page section.

  3. In the left navigation pane, choose Catalogs.

  4. Choose Create Catalog to open the Create Catalog Workflow.

  5. In Choose data source step, select Databricks from the available options.

  6. In Set catalog details step, you provide three information - catalog details, connection details, and registration details.

  7. In catalog details container, provide a unique name to your Amazon Glue federated catalog and enter the name of the existing Databricks catalog.

  8. In connections details container, you can either choose from an existing connection that you have access or provide configuration to create a new connector.

  9. New connection configurations include:

    • Connection Name – A unique name of the Amazon Glue connection object.

    • Workspace URL – The endpoint URL of your existing Databricksworkspace.

    • Authentication – Specify the authentication configuration that Amazon Glue uses to connect to remote catalog server. Amazon Glue supports both OAuth2 and Custom authentication.

    • Token URL – Specify the URL of remote catalog's identity provider.

    • OAuth2 Client ID – Specify the Client ID of the OAuth2 credential associated with your remote catalog.

    • Secret – Store and use OAuth2 client secret using Amazon Secrets Manager or enter the secret value in textbox. When you enter the secret manually in console, Amazon Glue creates the secret on your behalf.

    • Token URL Scope – Specify the OAuth scope for authentication.

  10. Create an IAM role that Amazon Glue and Lake Formation service principals can use to access secret in and Amazon S3 locations of remote Iceberg tables respectively. Select the IAM role in the registration dropdown. Refer to step 2 and 3 in following CLI section for IAM policy details.

  11. Select Test Connection to test whether your connection properties and IAM role access are configured correctly. Test connection functionality is not available when connecting to Databricks using Amazon VPC.

  12. Select Next to review your settings.

  13. Select Create Catalog in review page.

  1. Create an Amazon Secrets Manager secret

    The Amazon Glue connector supports two authentication types - OAuth2 and Custom. When using OAuth2 option, use Amazon Secrets Manager to store client secret of the Databricks service principal. You will later use this secret when creating the Amazon Glue Connection. For Custom authentication, use Amazon Secrets Manager to store and retrieve the access token.

    In the following example, replace <databricks-secret>, <client_secret>, <region> with your own information.

    aws secretsmanager create-secret \
--name <databricks-secret> \
--description "Databricks secret" \
--secret-string '{
"USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET": "<client_secret>"
}' \
--region <region>
    Note

    USER_MANAGED_CLIENT_APPLICATION_CLIENT_SECRET is a reserved keyword that Amazon Glue uses to refer to a client secret value in the secret. Use the same keyword when you are creating the secret in Lake Formation console too.

  2. Create an IAM role which gives Amazon Glue connection object access to secret created in previous step

    The Amazon Glue connection object requires access to the Amazon Secrets Manager secret when you use Amazon Secrets Manager to store, retrieve, and refresh your OAuth secret token. The Amazon Glue connection object also requires access to create, describe, and use the Amazon VPC network interfaces when you use a Amazon VPC endpoint to restrict connectivity to your Databricks workspace.

    Create an IAM policy and attach it to an IAM role. Add Amazon Glue service principal to the trust policy.

    In the following example, replace <your-secrets-manager-ARN>, <your-vpc-id>, and <your-subnet-id1> with your own information.

    Example IAM Policy
    {
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:PutSecretValue"
            ],
            "Resource": [
                "<your-secrets-manager-ARN>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account-id:vpc/<your-vpc-id>",
                    "ec2:Subnet": ["arn:aws:ec2:region:account-id:subnet/<your-subnet-id1>"]
                }
            }
        }
    ]
}
    Example Trust Policy
    {
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "glue.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
}

  3. Create an IAM policy that gives Lake Formation read access to catalog's Amazon S3 location

    As the catalog owner of a federated catalog in Data Catalog, you use Lake Formation to grant coarse-grained table access, fine-grained - column-level, row-level, and cell-level - access, and tag-based access to your data teams. Lake Formation uses an IAM role that gives it access to the underlying Amazon S3 locations of your remote Iceberg tables. This access allows Lake Formation to vend scoped access credentials to analytics engines querying remote tables.

    Create IAM policy and attach to an IAM role. Add Lake Formation service principal to the IAM role trust policy.

    In the following example, replace <your-s3-bucket-N> and <your-kms-key> with your own information.

    Example IAM Policy
    {
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::<your-s3-bucket-1>/*",
                "arn:aws:s3:::<your-s3-bucket-2>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<your-s3-bucket-1>",
                "arn:aws:s3:::<your-s3-bucket-2>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt"
            ],
            "Resource": [
                "<your-kms-key>"
            ]
        }
    ]
}
    Example Trust Policy
    {
    "Version": "2012-10-17",		 	 	 
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Service": "lakeformation.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }]
}
    Note

    When you use Lake Formation console to create a federated catalog, the console uses a single IAM role with both policies attached to complete setup.

  4. Create an Amazon Glue connection object

    Data Catalog supports connectionType: DATABRICKSICEBERGRESTCATALOG for connecting Data Catalog to Databricks. This Amazon Glue connector supports OAuth2 and Custom authentication methods.

    The following example uses OAuth2 authentication configuration to create an Amazon Glue connection. Replace highlighed sections with your information.

    aws glue create-connection \
    --connection-input '{
"Name": "<your-glue-connection-to-databricks-unity-account>",
"ConnectionType": "DATABRICKSICEBERGRESTCATALOG",
"ConnectionProperties": {
    "INSTANCE_URL": "<your-databricks-workspace-catalog-URL>",
    "ROLE_ARN": "<your-IAM-role-for-secrets-and-VPC-access>"
},
"AuthenticationConfiguration": {
    "AuthenticationType": "OAUTH2",
    "OAuth2Properties": {
        "OAuth2GrantType": "CLIENT_CREDENTIALS",
        "TokenUrl": "<your-internal-or-external-token-server-url>",
        "OAuth2ClientApplication": {
            "UserManagedClientApplicationClientId": "<your-client-id>"
        },
        "TokenUrlParametersMap": {
            "Scope": "all-apis"
        }
    },
    "SecretArn": "arn:aws:secretsmanager:<aws-region>:<your-aws-account-id>:secret:<databricks-secret>"
}
}'

  5. Register Amazon Glue connection as a Lake Formation resource

    Using the Amazon Glue connection object (created in Step 4) and IAM role (created in Step 3), you can now register the Amazon Glue connection object as a Lake Formation managed resource.

    Replace <your-glue-connector-arn> and <your-IAM-role-ARN-having-LF-access> with your information.

    aws lakeformation register-resource \
    --resource-arn <your-glue-connector-arn> \
    --role-arn <your-IAM-role-ARN-having-LF-access> \
    --with-federation \
    --with-privileged-access

  6. Create a federated catalog in Data Catalog

    After creating an Amazon Glue connection object and registering it with Lake Formation, you can create a federated catalog in the Data Catalog:

    Provide the federated catalog a unique name at <your-federated-catalog-name>, reference the catalog in Databricks at "<catalog-name-in-Databricks>, and input connection name created earlier at "<your-glue-connection-name>.

    aws glue create-catalog \
    --name <your-federated-catalog-name> \
    --catalog-input '{
    "FederatedCatalog": {
        "Identifier": "<catalog-name-in-Databricks>",
        "ConnectionName": "<your-glue-connection-name>"
    },
    "CreateTableDefaultPermissions": [],
    "CreateDatabaseDefaultPermissions": []
}'

Considerations when integrating with Databricks

  • When you drop resources (like databases and tables) in the Databricks, Lake Formation does not automatically revoke the permissions granted on that federated resource. To remove the access permissions, you need to explicitly revoke the permissions that were previously granted on the federated resource using Lake Formation.

  • You can query Iceberg tables stored in Amazon S3 using this integration. When using any other table format or object storage, you can federate metadata in remote catalogs to Amazon Glue and list its databases and tables but query operations like SELECT ColumnFoo from TableBar will fail during query with error 'Failed to read Apache Iceberg table. Object storage location is not supported.'

  • You can reuse the same Amazon Glue connection to create multiple federated catalogs. Deleting a catalog will not delete the associated connection object. To delete a connection object, please use Amazon CLI aws glue delete-connection command and ensure all associated catalogs are deleted first.