Hi,
you are not doing anything wrong. In Amazon DataZone, resources are organized in DataZone domains. A domain is a collection of Amazon DataZone objects, such as data assets, projects, and associated AWS accounts. And as per the documentation:
Associated AWS accounts - these are AWS accounts that host data assets that you want to catalog, discover, govern, share, or analyze through Amazon DataZone. These accounts have a trust relationship with an AWS account that houses an Amazon DataZone domain. This association enables data producers to publish data assets to Amazon DataZone domains from the associated AWS accounts, and enables data consumers to subscribe to data assets in the associated AWS accounts.
That's why you can query the data via Amazon Athena if you use the link from the DataZone console. You are at that time using an identity that has a trust relationship with the account that holds the data. If you use Athena without first assuming this identity, you don't have access to the data.
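An added check that makes this diagnosis concrete (example code, not part of the answer above and not AWS tooling): it refuses to start an Athena query unless the current caller identity is an assumed DataZone project role, so a "regular" user gets a clear error instead of an opaque access failure. The `datazone_usr_role_` prefix, the sample ARNs and the S3 bucket are assumptions or constructed values; adjust the prefix to the role names your domain actually issues.

```python
import re

# Constructed sample identities for offline illustration (not from the thread).
SAMPLE_PORTAL_ARN = "arn:aws:sts::111122223333:assumed-role/datazone_usr_role_abc123_env1/session"
SAMPLE_REGULAR_ARN = "arn:aws:iam::111122223333:user/analyst"

# Matches STS assumed-role ARNs as well as plain IAM role/user ARNs.
ARN_RE = re.compile(r"^arn:aws:(?:sts|iam)::(\d{12}):(assumed-role|role|user)/([^/]+)")


def parse_caller_arn(arn):
    """Return (account_id, principal_type, principal_name), or None if not an IAM/STS ARN."""
    m = ARN_RE.match(arn)
    return m.groups() if m else None


def is_datazone_identity(arn, role_prefix="datazone_usr_role_"):
    """True if the ARN is an assumed role whose name starts with role_prefix.

    The default prefix is an assumption about DataZone's project-role naming;
    override it if your domain's roles are named differently.
    """
    parsed = parse_caller_arn(arn)
    if not parsed:
        return False
    _, principal_type, name = parsed
    return principal_type == "assumed-role" and name.startswith(role_prefix)


def run_athena_query(sql, output_s3, workgroup="primary", role_prefix="datazone_usr_role_"):
    """Start an Athena query only after the identity check passes (needs boto3 and AWS access)."""
    import boto3  # imported here so the pure helpers above work without boto3 installed

    caller_arn = boto3.client("sts").get_caller_identity()["Arn"]
    if not is_datazone_identity(caller_arn, role_prefix):
        raise PermissionError(
            f"current identity {caller_arn} is not a DataZone project role; "
            "open Athena from the DataZone portal or assume that role first"
        )
    resp = boto3.client("athena").start_query_execution(
        QueryString=sql,
        WorkGroup=workgroup,
        ResultConfiguration={"OutputLocation": output_s3},
    )
    return resp["QueryExecutionId"]


if __name__ == "__main__":
    # Placeholder bucket; replace with a results location the project role can write to.
    print(run_athena_query("SELECT 1", "s3://EXAMPLE-BUCKET/athena-results/"))
```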
Hi Ben and thank you for the answer!
Am I correct to think that there is no way for a user who has been granted some permissions in DataZone to use tools that are not available in DataZone portal (for example to transform the data via AWS EMR / Glue)?
I can think of a workflow where users (using the trust relationship assumed via the DataZone portal) query the data in Athena into an S3 bucket available to both the "regular" user and the assumed identity, then do the transformations (e.g. Glue) and then save the data into a location they can publish from. But it seems like a security-policy nightmare and a waste of storage to me. Do you think it makes sense?