Unable to Create Resource-Linked Database to Shared Catalog (`s3tablescatalog/my-bucket`)


I'm attempting to create a resource-linked database in AWS Lake Formation that targets a database in a shared Glue catalog (s3tablescatalog/my-bucket). However, I'm encountering issues where the AWS Management Console and CLI both appear to reference only the default catalog, despite explicitly specifying the shared catalog.


🔧 Environment Overview

  • Shared Catalog: 111122223333:s3tablescatalog/my-bucket
  • Target Database (within shared catalog): analytics_namespace
  • Objective: Create a resource-linked database in my account that points to this shared database (analytics_namespace) from the s3tablescatalog/my-bucket catalog.

💡 Steps Taken

✅ Using AWS Lake Formation Console

  • Navigated to Lake Formation → Create resource link
  • Set Target catalog to s3tablescatalog/my-bucket
  • Issue: The Shared database dropdown only shows databases from the default Glue catalog, not from the specified shared catalog.

✅ Using AWS CLI

I also attempted to create the resource link programmatically with the following command:

aws glue create-database --region us-east-1 \
--catalog-id "111122223333" \
--database-input '{
  "Name": "linked_analytics_namespace",
  "TargetDatabase": {
    "CatalogId": "111122223333:s3tablescatalog/my-bucket",
    "DatabaseName": "analytics_namespace"
  },
  "CreateTableDefaultPermissions": []
}'

Observed behavior: The resulting resource-linked database still references the default Glue catalog rather than the specified shared catalog (s3tablescatalog/my-bucket).


🔐 Lake Formation Permissions

The assumed role being used has the following Lake Formation permissions:

{
  "Permissions": ["ALL"],
  "PermissionsWithGrantOption": ["ALL"],
  "Resource": {
    "Database": {
      "CatalogId": "111122223333:s3tablescatalog/my-bucket",
      "Name": "analytics_namespace"
    }
  }
}

❗ Issue Summary

Even when specifying the shared catalog in both the console and CLI, the behavior suggests that Lake Formation only recognizes the default catalog. Databases from s3tablescatalog/my-bucket do not appear in the UI, and CLI-created resource links still default to the primary Glue catalog.


📌 Questions for the Community

  1. Is there an additional configuration or permission required to surface shared catalog databases in the UI or via the CLI?
  2. Are resource-linked databases supported when the source catalog is a custom catalog like s3tablescatalog/my-bucket?
  3. Are there known limitations or alternative approaches for linking databases from a custom Glue catalog?

Any insights or workarounds would be greatly appreciated. Thank you!

1 Answer

Based on the information provided, it appears that there are some limitations and considerations when working with S3 tables catalog integration in AWS Lake Formation that are affecting your ability to create a resource-linked database to a shared catalog.

  1. Resource links to custom catalogs: Currently, resource links are primarily designed to work with the default AWS Glue Data Catalog. The S3 tables catalog integration (s3tablescatalog) is a separate feature that may not fully support resource linking in the same way as the default catalog.

  2. Limitations of S3 tables catalog integration: There are several limitations when integrating S3 table buckets and tables with AWS Glue Data Catalog and Lake Formation. For instance, the LF-Tag Based Access Control (LF-TBAC) method for granting permissions is not supported for catalogs, databases, and tables that have S3 Tables as their storage location.

  3. API limitations: Some APIs have limitations when working with S3 tables. For example, the SearchTables API cannot search S3 tables, which might affect how resource links are created or managed.

  4. Permissions: While you have set the appropriate Lake Formation permissions, it's important to note that when accessing a target database or table through a resource link, you must have both AWS Identity and Access Management (IAM) and Lake Formation permissions on both the target and the resource link. The Lake Formation permission required on resource links is DESCRIBE.

  5. Creating resource links: The process for creating resource links to shared databases typically involves using the AWS Glue create-database command with the --database-input parameter. However, this process may not work as expected with custom catalogs like s3tablescatalog.

Given these limitations and considerations, it's possible that resource-linked databases may not be fully supported when the source catalog is a custom catalog like s3tablescatalog/my-bucket. You might need to explore alternative approaches for accessing and managing data across catalogs in this scenario.

To move forward, you could consider:

  1. Contacting AWS support for specific guidance on working with S3 tables catalog and resource links.
  2. Exploring alternative data sharing methods that are compatible with S3 tables catalog integration.
  3. Investigating if there are any recent updates or feature releases that address these limitations.

Remember that AWS services and features are continually evolving, so it's always a good idea to check the latest documentation and release notes for any updates that might address these issues.

Sources

  • S3 tables catalog integration limitations - AWS Lake Formation
  • Creating a resource link to a shared Data Catalog database - AWS Lake Formation
  • Resource link handling in AWS Glue APIs - AWS Lake Formation
  • Enabling Amazon S3 Tables integration - AWS Lake Formation

answered 19 days ago
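
A check for the two conditions discussed above (where the resource link actually points, and whether the principal holds DESCRIBE on the link plus a grant on the target), written as an added example that is not part of the question, the answer, or AWS documentation. It reads saved output of `aws glue get-database` and `aws lakeformation list-permissions`; the embedded responses and the role ARN are constructed, and only the Lake Formation side is checked, not IAM.

```python
import json

# Constructed `aws glue get-database` response: the link points at the default
# catalog (the behaviour reported in the question), not the S3 Tables catalog.
GET_DATABASE = json.loads("""
{"Database": {"Name": "linked_analytics_namespace", "CatalogId": "111122223333",
  "TargetDatabase": {"CatalogId": "111122223333",
                     "DatabaseName": "analytics_namespace"}}}""")

# Constructed `aws lakeformation list-permissions` response: one grant, on the
# target database only. The role ARN is a placeholder.
ROLE = "arn:aws:iam::111122223333:role/example-role"
LIST_PERMISSIONS = json.loads("""
{"PrincipalResourcePermissions": [{
  "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/example-role"},
  "Resource": {"Database": {"CatalogId": "111122223333:s3tablescatalog/my-bucket",
                            "Name": "analytics_namespace"}},
  "Permissions": ["ALL"], "PermissionsWithGrantOption": ["ALL"]}]}""")

TARGET = ("111122223333:s3tablescatalog/my-bucket", "analytics_namespace")
LINK = ("111122223333", "linked_analytics_namespace")

def link_target(get_db):
    """Return (CatalogId, DatabaseName) the resource link actually points at."""
    t = get_db["Database"].get("TargetDatabase") or {}
    return (t.get("CatalogId"), t.get("DatabaseName"))

def granted(list_perms, principal, database):
    """Collect Lake Formation permissions a principal holds on one database."""
    perms = set()
    for e in list_perms.get("PrincipalResourcePermissions", []):
        db = e.get("Resource", {}).get("Database", {})
        who = e.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if who == principal and (db.get("CatalogId"), db.get("Name")) == database:
            perms.update(e.get("Permissions", []))
    return perms

def audit(get_db, list_perms, principal, link, target):
    findings = []
    if link_target(get_db) != target:
        findings.append(f"link targets {link_target(get_db)}, expected {target}")
    # Assumption: a grant of ALL is treated as including DESCRIBE.
    if not granted(list_perms, principal, link) & {"DESCRIBE", "ALL"}:
        findings.append("no DESCRIBE on the resource link")
    if not granted(list_perms, principal, target):
        findings.append("no Lake Formation grant on the target database")
    return findings

if __name__ == "__main__":
    for finding in audit(GET_DATABASE, LIST_PERMISSIONS, ROLE, LINK, TARGET):
        print("FINDING:", finding)
```
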