Chia sẻ dữ liệu của bạn một cách an toàn trên các tài khoản AWS bằng AWS Lake Formation

Data lakes have become very popular with organizations that want a centralized repository that allows you to store all your structured data and unstructured data at any scale. Because data is stored as is, there is no need to convert it to a predefined schema in advance. When you have new business use cases, you can easily build new types of analyses on top of the data lake, at any time.

In real-world use cases, it’s common to have requirements to share data stored within the data lake with multiple companies, organizations, or business units. For example, you may want to provide your data to stakeholders in another company for a co-marketing campaign between the two companies. For any of these use cases, the producer party wants to share data in a secure and effective manner, without having to copy the entire database.

In August 2019, we announced the general availability of AWS Lake Formation, a fully managed service that makes it easy to set up a secure data lake in days. AWS Lake Formation permission management capabilities simplify securing and managing distributed data lakes across multiple AWS accounts through a centralized approach, providing fine-grained access control to the Keo AWS Data Catalog and Dịch vụ lưu trữ đơn giản của Amazon (Amazon S3) locations.

There are two options to share your databases and tables with another account by using Lake Formation cross-account access control:

• Lake Formation tag-based access control (recommended)
• Lake Formation named resources

In this post, I explain the differences between these two options, and walk you through the steps to configure cross-account sharing.

Overview of tag-based access control

Lake Formation tag-based access control is an authorization strategy that defines permissions based on attributes. In Lake Formation, these attributes are called LF-tags. You can attach LF-tags to Data Catalog resources and Lake Formation principals. Data lake administrators can assign and revoke permissions on Lake Formation resources using these LF-tags. For more details about tag-based access control, refer to Easily manage your data lake at scale using AWS Lake Formation Tag-based access control.

The following diagram illustrates the architecture of this method.

We recommend tag-based access control for the following use cases:

• You have a large number of tables and principals that the data lake administrator has to grant access to
• You want to classify your data based on an ontology and grant permissions based on classification
• The data lake administrator wants to assign permissions dynamically, in a loosely coupled way

You can also use tag-based access control to share Data Catalog resources (databases, tables, and columns) with external AWS accounts.

Overview of named resources

The Lake Formation named resource method is an authorization strategy that defines permissions for resources. Resources include databases, tables, and columns. Data lake administrators can assign and revoke permissions on Lake Formation resources. See Truy cập nhiều tài khoản: Cách hoạt động để biết thêm chi tiết.

The following diagram illustrates the architecture for this method.

We recommend using named resources if the data lake administrator prefers granting permissions explicitly to individual resources.

When you use the named resource method to grant Lake Formation permissions on a Data Catalog resource to an external account, Lake Formation uses Trình quản lý truy cập tài nguyên AWS (AWS RAM) to share the resource.

Now, let’s take a closer look at how to configure cross-account access with these two options. We refer to the account that has the source table as the producer account, and refer to the account that needs access to the source table as consumer account.

Configure Lake Formation Data Catalog settings in the producer account

Lake Formation provides its own permission management model. To maintain backward compatibility with the Quản lý truy cập và nhận dạng AWS (IAM) permission model, the Super permission is granted to the group IAMAllowedPrincipals on all existing AWS Glue Data Catalog resources by default. Also, Chỉ sử dụng kiểm soát truy cập IAM settings are enabled for new data catalog resources.

In this post, we do fine grained access control using Lake Formation permissions and use IAM policies for coarse grained access control. See Methods for Fine-Grained Access Control for details. Therefore, before you use an AWS CloudFormation template for a quick setup, you need to change Lake Formation Data Catalog settings in the producer account.

This setting affects all newly created databases and tables, so we strongly recommend completing this tutorial in a non-production or new account. Also, if you’re using a shared account (such as your company’s dev account), make sure it doesn’t affect others resources. If you prefer to keep the default security settings, you must complete an extra step when sharing resources to other accounts, in which you revoke the default Super permission from IAMAllowedPrincipals on the database or table. We discuss the details later in this post.

To configure Lake Formation Data Catalog settings in the producer account, complete the following steps:

1. Sign in to the producer account as an admin user, or a user with Lake Formation PutDataLakeSettings API permission.
2. On the Lake Formation console, in the navigation pane, under Danh mục dữ liệu, chọn Cài đặt.
3. Bỏ chọn Chỉ sử dụng kiểm soát truy cập IAM cho cơ sở dữ liệu mới và Chỉ sử dụng kiểm soát truy cập IAM cho các bảng mới trong cơ sở dữ liệu mới
4. Chọn Lưu.
   

Additionally, you can remove CREATE_DATABASE quyền cho IAMAllowedPrincipals Dưới Vai trò và nhiệm vụ quản trị > Database creators. Only then, who can create a new database is governed through Lake Formation permissions.

Thiết lập tài nguyên với AWS CloudFormation

We provide two CloudFormation templates in this post: one for the producer account, and one for the consumer account.

The CloudFormation template for the producer account generates the following resources:

• Một thùng S3 dùng làm hồ dữ liệu của chúng tôi.
• A Lambda function (for Lambda-backed AWS CloudFormation custom resources). We use the function to copy sample data files from the public S3 bucket to your S3 bucket.
• Chính sách và người dùng IAM:
  • DataLakeAdminProducer
• An AWS Glue Data Catalog database, table, and partition. Because we introduce two options for sharing resources across AWS accounts, this template creates two separate sets of database and table.
• Lake Formation data lake settings and permissions. This includes:

The CloudFormation template for the consumer account generates the following resources:

• Chính sách và người dùng IAM:
  • DataLakeAdminConsumer
  • DataAnalyst
• An AWS Glue Data Catalog database. We use this database for creating resource links to shared resources.

Launch the CloudFormation stack in the producer account

To launch the CloudFormation stack in the producer account, complete the following steps:

1. Sign in to the producer account’s AWS CloudFormation console in the target Region.
2. Chọn Khởi chạy ngăn xếp:
3. Chọn Sau.
4. Trong Tên ngăn xếp, nhập tên ngăn xếp, chẳng hạn như stack-producer.
5. Trong ProducerDatalakeAdminUserName và ProducerDatalakeAdminUserPassword, nhập tên người dùng và mật khẩu bạn muốn cho người dùng IAM quản trị hồ dữ liệu.
6. Trong DataLakeBucketName, enter the name of your data lake bucket. This name needs to be globally unique.
7. Trong Tên cơ sở dữ liệu và TableName, leave the default values.
8. Chọn Sau.
9. Trên trang tiếp theo, hãy chọn Sau.
10. Xem lại chi tiết trên trang cuối cùng và chọn Tôi xác nhận rằng AWS CloudFormation có thể tạo tài nguyên IAM.
11. Chọn Tạo ngăn xếp.

Launch the CloudFormation stack in the consumer account

To launch the CloudFormation stack in the consumer account, complete the following steps:

1. Sign in to the consumer account’s AWS CloudFormation console in the target Region.
2. Chọn Khởi chạy Stack:
3. Chọn Sau.
4. Trong Tên ngăn xếp, nhập tên ngăn xếp, chẳng hạn như stack-consumer.
5. Trong ConsumerDatalakeAdminUserName và ConsumerDatalakeAdminUserPassword, nhập tên người dùng và mật khẩu bạn muốn cho người dùng IAM quản trị hồ dữ liệu.
6. Trong DataAnalystUserName và DataAnalystUserPassword, enter the user name and password you want for the data analyst IAM user.
7. Trong Tên cơ sở dữ liệu, leave the default values.
8. Trong AthenaQueryResultS3BucketName, enter the name of the S3 bucket that stores Amazon Athena query results. If you don’t have one, tạo một nhóm S3.
9. Chọn Sau.
10. Trên trang tiếp theo, hãy chọn Sau.
11. Xem lại chi tiết trên trang cuối cùng và chọn Tôi xác nhận rằng AWS CloudFormation có thể tạo tài nguyên IAM.
12. Chọn Tạo ngăn xếp.

Quá trình tạo ngăn xếp có thể mất khoảng 1 phút.

(Optional) AWS KMS server-side encryption

If the source S3 bucket is encrypted using server-side encryption with an Dịch vụ quản lý khóa AWS (AWS KMS) customer master key (CMK), make sure the IAM role that Lake Formation uses to access S3 data is registered as the key user for the KMS CMK. By default, the IAM role AWSServiceRoleForLakeFormationDataAccess is used, but you can choose other IAM roles when registering an S3 data lake location. To register the Lake Formation role as the KMS key user, you can use the AWS KMS console, or directly add the permission to the key policy using the KMS PutKeyPolicy API and the Giao diện dòng lệnh AWS (AWS CLI).

You don’t have to add individual consumer accounts to the key policy. Only the role that Lake Formation uses is required. Also, this step isn’t necessary if the source S3 bucket is encrypted with server-side encryption with Amazon S3, or an AWS managed key.

To add a Lake Formation role as the KMS key user via the console, complete the following steps:

1. Sign in to the AWS KMS console as the key administrator.
2. Trong ngăn dẫn hướng, dưới Customer managed keys, choose the key that is used to encrypt the source S3 bucket.
3. Theo Key users, chọn Thêm.
4. Chọn AWSServiceRoleForLakeFormationDataAccess Và chọn Thêm.

To use the AWS CLI, enter the following command (replace <key-id>, <name-of-key-policy>và <key-policy> with valid values):

aws kms put-key-policy --key-id <key-id> --policy-name <name-of-key-policy> --policy <key-policy>

Để biết thêm thông tin, xem put-key-policy.

Lake Formation cross-account sharing prerequisites

Before sharing resources with Lake Formation, there are prerequisites for both the tag-based access control method and named resource method.

Tag-based access control cross-account sharing prerequisites

Như mô tả trong Lake Formation Tag-Based Access Control Cross-Account Prerequisites, before you can use the tag-based access control method to grant cross-account access to resources, you must add the following JSON permissions object to the AWS Glue Data Catalog resource policy in the producer account. This gives the consumer account permission to access the Data Catalog when glue:EvaluatedByLakeFormationTags is true. Also, this condition becomes true for resources on which you granted permission using Lake Formation permission Tags to the consumer’s account. This policy is required for every AWS account that you’re granting permissions to.

The following policy must be within a Statement element. We discuss the full IAM policy later in this post.

{ "Effect": "Allow", "Action": [ "glue:*" ], "Principal": { "AWS": [ "<consumer-account-id>" ] }, "Resource": [ "arn:aws:glue:<region>:<account-id>:table/*", "arn:aws:glue:<region>:<account-id>:database/*", "arn:aws:glue:<region>:<account-id>:catalog" ], "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": true } }
}

Named resource method cross-account sharing prerequisites

Như mô tả trong Managing Cross-Account Permissions Using Both AWS Glue and Lake Formation, if there is no Data Catalog resource policy in your account, the Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your cross-account grants to succeed if they’re made with the named resource method. If you plan to use only the named resource method, or only the tag-based access control method, you can skip this step. In this post, we evaluate both methods, so we need to add the following policy.

The following policy must be within a Statement element. We discuss the full IAM policy in the next section.

{ "Effect": "Allow", "Action": [ "glue:ShareResource" ], "Principal": { "Service": [ "ram.amazonaws.com" ] }, "Resource": [ "arn:aws:glue:<region>:<account-id>:table/*/*", "arn:aws:glue:<region>:<account-id>:database/*", "arn:aws:glue:<region>:<account-id>:catalog" ]
}

Add the AWS Glue Data Catalog resource policy using the AWS CLI

If we grant cross-account permissions by using both the tag-based access control method and named resource method, we must set the EnableHybrid argument to ‘true’ when adding the preceding policies. Because this option isn’t currently supported on the console, we must use the glue:PutResourcePolicy API and AWS CLI.

First, create a policy document (such as policy.json) and add the preceding two policies. Replace <consumer-account-id> with the account ID of the AWS account receiving the grant, with the Region of the Data Catalog containing the databases and tables that you are granting permissions on, and with the producer AWS account ID.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ram.amazonaws.com" }, "Action": "glue:ShareResource", "Resource": [ "arn:aws:glue:<region>:<account-id>:table/*/*", "arn:aws:glue:<region>:<account-id>:database/*", "arn:aws:glue:<region>:<account-id>:catalog" ] }, { "Effect": "Allow", "Principal": { "AWS": "<consumer-account-id>" }, "Action": "glue:*", "Resource": [ "arn:aws:glue:<region>:<account-id>:table/*/*", "arn:aws:glue:<region>:<account-id>:database/*", "arn:aws:glue:<region>:<account-id>:catalog" ], "Condition": { "Bool": { "glue:EvaluatedByLakeFormationTags": "true" } } } ]
}

Enter the following AWS CLI command. Replace <glue-resource-policy> with the correct values (such as file://policy.json).

aws glue put-resource-policy --policy-in-json <glue-resource-policy> --enable-hybrid TRUE

Để biết thêm thông tin, xem put-resource-policy.

Implement the Lake Formation tag-based access control method

In this section, we walk through the following high-level steps:

1. Define an LF-tag.
2. Assign the LF-tag to the target resource.
3. Grant LF-tag permissions to the consumer account.
4. Grant data permissions to the consumer account.
5. Optionally, revoke permissions for IAMAllowedPrincipals on the database, tables, and columns.
6. Create a resource link to the shared table.
7. Create an LF-tag and assign it to the target database.
8. Grant LF-tag data permissions to the consumer account.

Define an LF-tag

If you’re signed in to your producer account, sign out before completing the following steps.

1. Sign in as the producer account data lake administrator. Use the producer account ID, IAM user name (the default is DatalakeAdminProducer), and password that you specified during CloudFormation stack creation.
2. On the Lake Formation console, in the navigation pane, under Quyền, và dưới Vai trò và nhiệm vụ quản trị, chọn LF-tags.
3. Chọn Add LF-tag.
4. Specify the key and values. In this post, we create an LF-tag where the key is Confidentiality and the values are private, sensitivevà public.
5. Chọn Add LF-tag.
   

Assign the LF-tag to the target resource

As a data lake administrator, you can attach tags to resources. If you plan to use a separate role, you may have to grant describe and attach permissions to the separate role.

1. Trong ngăn dẫn hướng, dưới Danh mục dữ liệu, lựa chọn Cơ sở dữ liệu.
2. Select the target database (lakeformation_tutorial_cross_account_database_tbac) và trên Hoạt động menu, chọn Edit LF-tags.

For this post, we assign an LF-tag to a database, but you can also assign LF-tags to tables and columns.

3. Chọn Assign new LF-Tag.
4. Thêm chìa khóa Confidentiality và giá trị public.
5. Chọn Lưu.
   

Grant LF-tag permission to the consumer account

Still in the producer account, we grant permissions to the consumer account to access the LF-tag.

1. Trong ngăn dẫn hướng, dưới Quyền, Vai trò và nhiệm vụ quản trị, LF-tag permissions, chọn Cấp.
2. Trong Hiệu trưởng, chọn External accounts.
3. Enter the target AWS account ID.

AWS accounts within the same organization appear automatically. Otherwise, you have to manually enter the AWS account ID. As of this writing, Lake Formation tag-based access control doesn’t support granting permission to organizations or organization units.

4. Trong LF-Tags, choose the key and values of the LF-tag that is being shared with the consumer account (key Confidentiality và giá trị public).
5. Trong Quyền, lựa chọn Mô tả cho LF-tag permissions.

LF-tag permissions are permissions given to the consumer account. Grantable permissions are permissions that the consumer account can grant to other principals.

6. Chọn Cấp.
   

At this point, the consumer data lake administrator should be able to find the policy tag being shared via the consumer account Lake Formation console, under Quyền, Vai trò và nhiệm vụ quản trị, LF-tags.

Grant data permission to the consumer account

We will now provide data access to the consumer account by specifying an LF-Tag expression and granting the consumer account access to any table or database that matches the expression.

1. Trong ngăn dẫn hướng, dưới Quyền, Quyền của hồ dữ liệu, chọn Cấp.
2. Trong Hiệu trưởng, chọn External accounts, and enter the consumer AWS account ID.
3. Trong LF-tags or catalog resources, Dưới Resources matched by LF-Tags (recommended), chọn Add LF-Tag.
4. Select the key and values of the tag that is being shared with the consumer account (key Confidentiality và giá trị public).
5. Trong Database permissions, lựa chọn Mô tả Dưới Database permissions to grant access permissions at the database level.
6. Chọn Mô tả Dưới Quyền được cấp so the consumer account can grant database-level permissions to its users.
7. Trong Table and column permissions, lựa chọn Chọn và Mô tả Dưới Quyền bảng.
8. Chọn Chọn và Mô tả Dưới Quyền được cấp.
9. Chọn Cấp.
   

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)

At the very beginning of this tutorial, we changed the Lake Formation Data Catalog settings. If you skipped that part, this step is required. If you changed your Lake Formation Data Catalog settings, you can skip this step.

In this step, we have to revoke the default Super permission from IAMAllowedPrincipals on the database or table. See Secure Existing Data Catalog Resources để biết thêm chi tiết.

Before revoking permission for IAMAllowedPrincipals, make sure that you granted existing IAM principals with necessary permission through Lake Formation. This includes two steps:

1. Add IAM permission to the target IAM user or role with the Lake Formation GetDataAccess action (with IAM policy).
2. Grant the target IAM user or role with Lake Formation data permissions (alter, select, and so on)

Then, revoke permissions for IAMAllowedPrincipals. Otherwise, after revoking permissions for IAMAllowedPrincipals, existing IAM principals may no longer be able to access the target database or catalog.

Thu hồi Super cho phép IAMAllowedPrincipals is required when you want to apply the Lake Formation permission model (instead of the IAM policy model) to manage user access within a single account or among multiple accounts using the Lake Formation permission model. You don’t have to revoke permission of IAMAllowedPrincipals for other tables where you want to keep the traditional IAM policy model.

At this point, the consumer account data lake administrator should be able to find the database and table being shared via the consumer account Lake Formation console, under Danh mục dữ liệu, Cơ sở dữ liệu. If not, confirm if the following are properly configured:

• Make sure the correct policy tag and values are assigned to the target databases and tables
• Make sure the correct tag permission and data permission are assigned to the consumer account
• Revoke the default super permission from IAMAllowedPrincipals on the database or table

Create a resource link to the shared table

When a resource is shared between accounts, the shared resources are not put in the consumer accounts’ catalog. To make them available, and query the underlying data of a shared table using services like Athena, we need to create a resource link to the shared table. A resource link is a Data Catalog object that is a link to a local or shared database or table. By creating a resource link, you can:

• Assign a different name to a database or table that aligns with your Data Catalog resource naming policies
• Use services such as Athena and Quang phổ dịch chuyển đỏ Amazon to query shared databases or tables

To create a resource link, complete the following steps:

1. If you’re signed in to your consumer account, sign out.
2. Sign in as the consumer account data lake administrator. Use the consumer account ID, IAM user name (default DatalakeAdminConsumer) and password that you specified during CloudFormation stack creation.
3. On the Lake Formation console, in the navigation pane, under Danh mục dữ liệu, Cơ sở dữ liệu, choose the shared database lakeformation_tutorial_cross_account_database_tbac.

If you don’t see the database, revisit the previous steps to see if everything is properly configured.

4. Chọn View tables.
5. Choose the shared table amazon_reviews_table_tbac.
6. trên Hoạt động menu, chọn Tạo liên kết tài nguyên.
   
7. Trong Tên liên kết tài nguyên, nhập tên (cho bài đăng này, amazon_reviews_table_tbac_resource_link).
8. Theo Cơ sở dữ liệu, select the database that the resource link is created in (for this post, the CloudFormation stack created the database lakeformation_tutorial_cross_account_database_consumer).
9. Chọn Tạo.
   

The resource link appears under Danh mục dữ liệu, Bàn.

Create an LF-tag and assign it to the target database

Lake Formation tags reside in the same catalog as the resources. This means that tags created in the producer account aren’t available to use when granting access to the resource links in the consumer account. You need to create a separate set of LF-tags in the consumer account to use LF tag-based access control when sharing the resource links in the consumer account. Let’s first create the LF-tag. Refer to the previous sections for full instructions.

1. Define the LF-tag in the consumer account. For this post, we use key Division và giá trị sales, marketingvà analyst.
   
2. Assign the LF-tag key Division và giá trị analyst đến cơ sở dữ liệu lakeformation_tutorial_cross_account_database_consumer, where the resource link is created in.
   

Grant LF-tag data permission to the consumer

As a final step, we grant LF-tag data permission to the consumer.

1. Trong ngăn dẫn hướng, dưới Quyền, Quyền của hồ dữ liệu, chọn Cấp.
2. Trong Hiệu trưởng, chọn Người dùng IAM và vai tròvà chọn người dùng DataAnalyst.
3. Trong LF-tags or catalog resources, chọn Resources matched by LF-tags (recommended).
4. Choose key Division và giá trị analyst.
5. Trong Database permissions, lựa chọn Mô tả Dưới Database permissions.
6. Trong Table and column permissions, lựa chọn Chọn và Mô tả Dưới Quyền bảng.
7. Chọn Cấp.
8. Repeat these steps for user DataAnalyst, where the LF-tag key is Confidentiality và giá trị là public.
   

At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console.

If not, confirm if the following are properly configured:

• Make sure the resource link is created for the shared table
• Make sure you granted the user access to the LF-tag shared by the producer account
• Make sure you granted the user access to the LF-tag associated to the resource link and database that the resource link is created in
• Check if you assigned the correct LF-tag to the resource link, and to the database that the resource link is created in
  

Implement the Lake Formation named resource method

To use the named resource method, we walk through the following high-level steps:

1. Optionally, revoke permission for IAMAllowedPrincipals on the database, tables, and columns.
2. Grant data permission to the consumer account.
3. Accept a resource share from AWS RAM.
4. Create a resource link for the shared table.
5. Grant data permission for the shared table to the consumer.
6. Grant data permission for the resource link to the consumer.

Revoke permission for IAMAllowedPrincipals on the database, tables, and columns (Optional)

At the very beginning of this tutorial, we changed Lake Formation Data Catalog settings. If you skipped that part, this step is required. For instructions, see the optional step in the previous section.

Grant data permission to the consumer account

If you’re signed in to producer account as another user, sign out first.

1. Sign in as the producer account data lake administrator using the AWS account ID, IAM user name (default is DatalakeAdminProducer), and password specified during CloudFormation stack creation.
2. Trong ngăn dẫn hướng, dưới Quyền, Quyền của hồ dữ liệu, chọn Cấp.
3. Trong Hiệu trưởng, chọn External accounts, and enter one or more AWS account IDs or Tổ chức AWS ID.

Organizations that the producer account belongs to and AWS accounts within the same organization appear automatically. Otherwise, manually enter the account ID or organization ID.

4. Trong LF-tags or catalog resources, chọn Tài nguyên danh mục dữ liệu được đặt tên.
5. Theo Cơ sở dữ liệu, chọn cơ sở dữ liệu lakeformation_tutorial_cross_account_database_named_resource.
6. Theo Bàn, chọn Tất cả các bảng.
7. Trong Table and column permissions, lựa chọn Chọn và Mô tả Dưới Quyền bảng.
8. Chọn Chọn và Mô tả Dưới Quyền được cấp.
9. Tùy chọn, cho Quyền dữ liệu, lựa chọn Quyền truy cập dựa trên cột đơn giản if column-level permission management is required.
10. Chọn Cấp.
    

If you haven’t revoked permission for IAMAllowedPrincipals, Bạn nhận được một Grant permissions failed lỗi.

At this point, you should see the target table being shared via AWS RAM with the consumer account under Quyền, Quyền dữ liệu.

Accept a resource share from AWS RAM

This step is required only for account ID-based sharing, not for organization-based sharing.

1. Sign in as the consumer account data lake administrator using the IAM user name (default is DatalakeAdminConsumer) and password specified during CloudFormation stack creation.
2. On the AWS RAM console, in the navigation pane, under Chia sẻ với tôi, Chia sẻ tài nguyên, choose the shared Lake Formation resource.

Mô hình Trạng thái nên là Pending.

3. Confirm the resource details, and choose Chấp nhận chia sẻ tài nguyên.
   

At this point, the consumer account data lake administrator should be able to find the shared resource on the Lake Formation console under Danh mục dữ liệu, Cơ sở dữ liệu.

Create a resource link for the shared table

Follow the instructions detailed earlier to create a resource link for a shared table. Name the resource link amazon_reviews_table_named_resource_resource_link. Create the resource link in the database lakeformation_tutorial_cross_account_database_consumer.

Grant data permission for the shared table to the consumer

To grant data permission for the shared table to the consumer, complete the following steps:

1. Trong ngăn dẫn hướng, dưới Quyền, Quyền của hồ dữ liệu, chọn Cấp.
2. Trong Hiệu trưởng, chọn Người dùng IAM và vai tròvà chọn người dùng DataAnalyst.
3. Trong LF-tags or catalog resources, chọn Tài nguyên danh mục dữ liệu được đặt tên.
4. Theo Cơ sở dữ liệu, chọn cơ sở dữ liệu lakeformation_tutorial_cross_account_database_named_resource.

If you don’t see the database on the drop-down list, choose tải thêm.

5. Theo Bàn, chọn bàn amazon_reviews_table_named_resource.
6. Trong Table and column permissions, lựa chọn Chọn và Mô tả Dưới Quyền bảng.
7. Chọn Cấp.
   

Grant data permission for the resource link to the consumer

In addition to granting the data lake user permission to access the shared table, you also need to grant the data lake user permission to access the resource link.

1. Trong ngăn dẫn hướng, dưới Quyền, Quyền của hồ dữ liệu, chọn Cấp.
2. Trong Hiệu trưởng, chọn Người dùng IAM và vai tròvà chọn người dùng DataAnalyst.
3. Trong LF-tags or catalog resources, chọn Tài nguyên danh mục dữ liệu được đặt tên.
4. Theo Cơ sở dữ liệu, chọn cơ sở dữ liệu lakeformation_tutorial_cross_account_database_consumer.
5. Theo Bàn, chọn bàn amazon_reviews_table_named_resource_resource_link.
6. Trong Resource link permissions, lựa chọn Mô tả Dưới Resource link permissions.
7. Chọn Cấp.
   

At this point, the data analyst user in the consumer account should be able to find the database and resource link, and query the shared table via the Athena console.

If not, confirm if the following are properly configured:

• Make sure the resource link is created for the shared table
• Make sure you granted the user access to the table shared by the producer account
• Make sure you granted the user access to the resource link and database that the resource link is created in

Làm sạch

To clean up the resources created within this tutorial, delete or change the following resources:

• Producer account:
  • AWS RAM resource share
  • Lake Formation tags
  • Ngăn xếp CloudFormation
  • Lake Formation settings
  • AWS Glue Data Catalog settings
• Consumer account:
  • Lake Formation tags
  • Ngăn xếp CloudFormation

Tổng kết

Lake Formation cross-account sharing enables you to share data across AWS accounts without copying the actual data. Also, it provides both the producer and consumer with control over data permissions in a flexible way. In this post, we introduced two different options to reference catalog data from another account by using the cross-account access features provided by Lake Formation:

• Tag-based access control
• Named resource

The tag-based access control method is recommended when many resources and entities are involved. Although it seems like this option requires more steps, tag-based access control helps data lake administrators control relationships between each user and table via tags dynamically. The named resource method provides the data lake administrator with a more straightforward way to manage catalog permissions. You can choose the method that best fits your requirement.

Giới thiệu về tác giả

Yumiko Kanasugi là Kiến trúc sư giải pháp của Amazon Web Services Japan, hỗ trợ khách hàng doanh nghiệp bản địa kỹ thuật số sử dụng AWS.

Source: https://aws.amazon.com/blogs/big-data/securely-share-your-data-across-aws-accounts-using-aws-lake-formation/