Based on the configuration and steps you've described, it seems you're trying to set up cross-account data sharing using AWS Lake Formation with a hybrid access mode. Let's address your setup and the issue you're encountering:
1. Your Data Catalog settings are configured to use only IAM access control for new databases and tables. This is consistent with the hybrid access mode approach.
2. You've created a database and table using a crawler, which is a standard practice.
3. Registering the Data Lake locations in Hybrid mode is correct. This allows you to use both IAM and Lake Formation permissions.
4. Your understanding of Hybrid mode is correct. It allows you to assign permissions via both IAM and Lake Formation.
5-6. Giving IAM permissions to account-A and Lake Formation permissions to account-B within the same organization is a valid approach for cross-account sharing.
7-8. The issue you're encountering with AWS Resource Access Manager (RAM) where shared resources are failing is likely related to a few potential causes:
   a. Cross-account version settings: Ensure you've updated the Cross account version settings to version 4. This version provides the necessary AWS RAM permission policies for cross-account sharing when the IAMAllowedPrincipal group has Super permission on the resource.
   b. AWS RAM permissions: Make sure the AWS Glue Data Catalog resource policy includes the necessary permissions for AWS RAM. The policy should allow the ram.amazonaws.com service to perform the glue:ShareResource action on the relevant resources (catalog, database, and tables).
   c. Invitation acceptance: If the accounts are not in the same organization, the recipient account needs to accept the sharing invitation through the AWS RAM console or CLI.
   d. Lake Formation permissions: Ensure you've granted the necessary Lake Formation permissions to the external account, including SELECT and DESCRIBE permissions on the shared tables.
To resolve the RAM issue:
- Check your AWS Glue Data Catalog resource policy and ensure it includes the necessary permissions for AWS RAM.
- Verify that you've granted the appropriate Lake Formation permissions to the external account.
- If the accounts are not in the same organization, make sure the recipient account has accepted the sharing invitation.
- Double-check that you've updated the Cross account version settings to version 4.
If the issue persists after verifying these points, you may need to review the specific error messages in the AWS RAM console or CloudTrail logs for more detailed information about why the resource sharing is failing.
Sources

- Sharing Data Catalog tables and databases across AWS Accounts - AWS Lake Formation
- Cross-account data sharing in Lake Formation - AWS Lake Formation
- Hybrid access mode - AWS Lake Formation
- Set up cross-account AWS Glue Data Catalog access using AWS Lake Formation and AWS IAM Identity Center with Amazon Redshift and Amazon QuickSight | AWS Big Data Blog
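The answer above says the Glue Data Catalog resource policy must let the ram.amazonaws.com service call glue:ShareResource on the catalog, the database and the tables, and that the most common reason a RAM share fails is that one of those three is missing. The following is an added, offline check (not code from the answer, from AWS or from any AWS SDK): it takes a catalog resource policy document, such as the `PolicyInJson` field returned by `aws glue get-resource-policy`, and reports which of the three resource kinds no Allow statement covers for RAM. The region, account id, database and table names are constructed sample values; IAM-style `*`/`?` wildcards in `Resource` and `Action` are honoured, and only Allow statements are evaluated (explicit Deny statements are not modelled).

```python
import json
from fnmatch import fnmatchcase

RAM_SERVICE = "ram.amazonaws.com"
SHARE_ACTION = "glue:shareresource"  # IAM action matching is case-insensitive

# Constructed sample values (not from the original post).
REGION, ACCOUNT = "us-east-1", "111122223333"


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def ram_share_policy(region, account):
    """Build the catalog resource policy shape the Lake Formation docs describe:
    RAM may call glue:ShareResource on the catalog, every database and every table."""
    prefix = f"arn:aws:glue:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": RAM_SERVICE},
            "Action": "glue:ShareResource",
            "Resource": [
                f"{prefix}:table/*/*",
                f"{prefix}:database/*",
                f"{prefix}:catalog",
            ],
        }],
    }


def ram_share_gaps(policy_doc, region, account, database, table):
    """Return the resource kinds ('catalog', 'database', 'table') on which no
    Allow statement grants ram.amazonaws.com the glue:ShareResource action
    for the given database/table. An empty list means RAM can share them."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    prefix = f"arn:aws:glue:{region}:{account}"
    wanted = {
        "catalog": f"{prefix}:catalog",
        "database": f"{prefix}:database/{database}",
        "table": f"{prefix}:table/{database}/{table}",
    }
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and RAM_SERVICE not in services:
            continue  # statement is not for the RAM service principal
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase(SHARE_ACTION, a) for a in actions):
            continue  # statement does not grant glue:ShareResource
        resources = _as_list(stmt.get("Resource"))
        for kind, arn in wanted.items():
            if any(fnmatchcase(arn, pattern) for pattern in resources):
                covered.add(kind)
    return [kind for kind in ("catalog", "database", "table") if kind not in covered]


# Constructed weak policy: grants RAM the catalog and databases but forgets tables,
# so sharing a table through RAM would fail.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": RAM_SERVICE},
        "Action": "glue:ShareResource",
        "Resource": [
            f"arn:aws:glue:{REGION}:{ACCOUNT}:database/*",
            f"arn:aws:glue:{REGION}:{ACCOUNT}:catalog",
        ],
    }],
})

if __name__ == "__main__":
    print("weak policy gaps:", ram_share_gaps(WEAK_POLICY, REGION, ACCOUNT, "sales_db", "orders"))
    fixed = ram_share_policy(REGION, ACCOUNT)
    print("fixed policy gaps:", ram_share_gaps(fixed, REGION, ACCOUNT, "sales_db", "orders"))
    print(json.dumps(fixed, indent=2))
```

When the check reports no gaps, the corrected document can be applied with `aws glue put-resource-policy --policy-in-json file://policy.json`; when Lake Formation permissions are used alongside IAM on the same catalog, the AWS docs require `--enable-hybrid TRUE` on that call. The cross-account version the answer asks for is visible under `Parameters.CROSS_ACCOUNT_VERSION` in `aws lakeformation get-data-lake-settings`, which is a separate setting that this policy check does not cover.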