DEV Community

Cover image for Granting Cross-Account Permissions Using Lake Formation and Glue Policy
AWS Community Builders

Granting Cross-Account Permissions Using Lake Formation and Glue Policy

Willian "Bill" Rocha
Data Engineer 4life and DataOps Enthusiast
・2 min read

The Data Lake in the company that I work is managed by AWS Lake Formation, and recently we need to setup a Glue Policy to deny a couple of tables in a specific database, but Lake Formation you don't have this feature yet(Helloooo AWS!!) … Lake Formation have some feature to allow all tables except a few tables, you have the option to allow All tables or each table.

Ok but in my case I (and others too) have a lot of tables, and some of them with overwrite process what cause another issue, the overwrite tables looses their previous granted access, so you need to grant all the access again, and again, this approach is unacceptable.

So our solution was to setup a Glue Policy denying just the couple of tables that we want to deny access, this works seamlessly BUT we have a collateral effect, when you set a Glue Policy and try to do a new Cross Account sharing you need to setup another Glue Policy to allow Cross Account permissions using Lake Formation.

When Granting Cross-Account Permissions Using Lake Formation ?

If there is no Data Catalog resource policy in your account, Lake Formation cross-account grants that you make proceed as usual. However, if a Data Catalog resource policy exists, you must add the following statement to it to permit your Lake Formation cross-account grants to succeed. Replace <region> with a valid Region name and <account-id> with your AWS account ID.

      "Effect": "Allow",
      "Action": [
      "Principal": {"Service": [
      "Resource": [
Enter fullscreen mode Exit fullscreen mode

Documentation link:

Discussion (0)