Commit 33a775a

DOC-467 Added instructions for IAM policies
1 parent 0581b4f commit 33a775a

1 file changed

+16
-7
lines changed

src/connections/storage/data-lakes/lake-formation.md

Lines changed: 16 additions & 7 deletions
@@ -23,7 +23,7 @@ You can configure Lake Formation using the [`IAMAllowedPrincipals` group](#confi
2323
4. On the **Grant data permissions** page, select the `IAMAllowedPrincipals` group in the Principals section.
2424
5. Under the **Database permissions** section, select the checkboxes for **Super** database permissions and **Super** grantable permissions.
2525
6. Select the **Grant** button.
26-
7. On the **Permissions** page, verify the `IAMAllowedPrincipals` group is listed.
26+
7. On the **Permissions** page, verify the `IAMAllowedPrincipals` group has "All" permissions.
2727

2828
#### New databases
2929
1. Open the [AWS Lake Formation service](https://console.aws.amazon.com/lakeformation/).
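
Review bot: Step 7 now asks the reader to verify "All" permissions, but step 5 of the same list has them grant **Super**, and nothing in these steps says the two names describe the same grant. Use one term in both places, or add a short parenthetical to step 7 saying that the **Super** grant is shown as "All" on the **Permissions** page, so a reader who selected **Super** does not conclude the grant failed.
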
@@ -38,26 +38,35 @@ You can configure Lake Formation using the [`IAMAllowedPrincipals` group](#confi
3838
5. On the **Grant data permissions** page, select the `IAMAllowedPrincipals` group in the Principals section.
3939
6. Under the **Database permissions** section, select the checkboxes for **Super** database permissions and **Super** grantable permissions.
4040
7. Select the **Grant** button.
41-
8. On the **Permissions** page, verify the `IAMAllowedPrincipals` group is listed.
41+
8. On the **Permissions** page, verify the `IAMAllowedPrincipals` group has "All" permissions.
4242

4343
#### Verifying your configuration
4444
To verify that you've successfully configured Lake Formation, open the [AWS Lake Formation service](https://console.aws.amazon.com/lakeformation/), select **Data lake permissions**, and verify the `IAMAllowedPrincipals` group is listed with "All" permissions.
4545

4646
### Configuring Lake Formation using IAM policies
4747

48-
<!-- totally start this section from scratch-->
48+
> note "Granting Super permission to IAM roles"
49+
> If you manually configured your database, assign the `EMR_EC2_DefaultRole` super permissions. If you configured your database using Terraform, assign the `segment_emr_instance_profile` super permissions.
4950
5051
#### Existing databases
5152
1. Open the [AWS Lake Formation service](https://console.aws.amazon.com/lakeformation/).
52-
2. Under **Data catalog**, select the settings tab. Ensure the checkboxes under the **Default permissions for newly created databases and tables** are not checked.
53-
3.
53+
2. Under **Data catalog**, select the **Settings** tab. Ensure the checkboxes under the **Default permissions for newly created databases and tables** are not checked.
54+
3. On the **Databases** page, select your database. From the **Actions** menu, select **Grant** under the Permissions section.
55+
5. On the **Grant data permissions** page, select the `EMR_EC2_DefaultRole` (or `segment_emr_instance_profile`, if you configured your data lake using Terraform) and `segment-data-lake-iam-role` roles in the Principals section.
56+
6. Under the **Database permissions** section, select the checkboxes for **Super** database permissions and **Super** grantable permissions.
57+
7. Select the **Grant** button.
58+
8. On the **Permissions** page, verify the `EMR_EC2_DefaultRole` (or `segment_emr_instance_profile`) and `segment-data-lake-iam-role` roles have "All" permissions.
5459

5560
#### New databases
5661
1. Open the [AWS Lake Formation service](https://console.aws.amazon.com/lakeformation/).
57-
2. Under **Data catalog**, select the settings tab. Ensure the checkboxes under the **Default permissions for newly created databases and tables** are not checked.
62+
2. Under **Data catalog**, select the **Settings** tab. Ensure the checkboxes under the **Default permissions for newly created databases and tables** are not checked.
5863
3. Select the Databases tab. Click the **Create database** button, and create your database:
5964
1. Select the **Database** button.
6065
2. Name your database.
6166
3. Set the location to `s3://$datalake_bucket/segment-data/`. <br/> **Optional:** Add a description to your database.
6267
4. Click **Create database**.
63-
4.
68+
4. On the **Databases** page, select your database. From the **Actions** menu, select **Grant** under the Permissions section.
69+
5. On the **Grant data permissions** page, select the `EMR_EC2_DefaultRole` (or `segment_emr_instance_profile`, if you configured your data lake using Terraform) and `segment-data-lake-iam-role` roles in the Principals section.
70+
6. Under the **Database permissions** section, select the checkboxes for **Super** database permissions and **Super** grantable permissions.
71+
7. Select the **Grant** button.
72+
8. On the **Permissions** page, verify the `EMR_EC2_DefaultRole` (or `segment_emr_instance_profile`) and `segment-data-lake-iam-role` roles have "All" permissions.
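
Review bot: The new steps under "Existing databases" skip a number: they run 3, then 5 through 8, so either a step 4 is missing or the last four steps should be renumbered 4 through 7. The "New databases" list runs 4 through 8 without a gap, which suggests the numbers were copied across without adjusting. The note block also names only `EMR_EC2_DefaultRole` and `segment_emr_instance_profile`, while steps 5 and 8 additionally grant to `segment-data-lake-iam-role`; mention that role in the note or say why it appears only in the steps. Since step 6 selects both **Super** database permissions and **Super** grantable permissions for these roles, it would help to state whether the grantable option is required, because the steps give no reason for letting the roles pass the permission on.
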
