4. Accept Resource Share

Add your created cleanroom to your AWS account

Your hosted cleanroom is shared with the AWS account you specified in 1. Create a Cleanroom through AWS Resource Access Manager (RAM). Once you accept the share, the cleanroom's Glue catalog, database, and table appear in your own account, where your sysadmins govern who may read them with standard IAM roles and policies together with Lake Formation permissions and LF-tags.

Prerequisites

  • A data cleanroom — see 1. Create a Cleanroom
  • An IAM principal (user or role) that is a Lake Formation data lake administrator in your account
  • An IAM principal with ram:AcceptResourceShareInvitation permission, for example via the policy below (the account ID in the ARN is the cleanroom host's account, which owns the invitations)
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Effect": "Allow",
    			"Action": "ram:AcceptResourceShareInvitation",
    			"Resource": "arn:aws:ram:us-east-2:254962200554:resource-share-invitation/*"
    		}
    	]
    }
    

Add Shared Resources

  1. Open the Resource Access Manager in Region US-East-2 and open Resource Shares under Shared with me.

  2. Select each resource share from Owner 254962200554 and click Accept resource share. Accept only invitations from this owner account; a pending share from any other account should be left alone, since accepting it would mount that account's catalog into yours. If this is your first cleanroom, you should see 2 pending resource shares.

  3. After accepting the shared resources, if you select Shared resources you'll see the Glue catalog, database, and table for your cleanroom registered.

Create Resource Link

Next you're going to create a Lake Formation resource link, a local database entry that points at the shared database. The link a) lets your own AWS services such as Athena query the shared resource as if it were in your catalog and b) gives your sysadmins a local object on which to grant, revoke, and control access to the new data asset.

  1. Open Lake Formation in Region US-East-2 and open Databases under Data Catalog. Your cleanroom should be visible in the list (cr_xyz_123).

  2. Select your cleanroom, click the Actions drop down and select Create resource link.

  3. Give your link a name (you can use the same name as the database itself) and click Create.

  4. Your created resource link will appear in the database list next to your cleanroom. To grant a principal access to your cleanroom, select the link, click Access and then select Grant; choose the principal and the scope, and click Grant. A principal that queries through the link needs Describe on the link itself and Select on the target table(s) in the shared database, so grant both, and keep the column scope to what the principal actually needs.

    In addition to the Lake Formation grant, the principal's IAM policy must allow it to read the shared catalog metadata in AWS Glue and to obtain S3 credentials from Lake Formation (lakeformation:GetDataAccess). The following policy does that, scoped to the hosting account's catalog; Lake Formation grants still decide which tables and columns the principal can actually read.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "glue:GetTable",
                    "glue:GetTables",
                    "glue:GetPartition",
                    "glue:GetPartitions",
                    "glue:BatchGetPartition",
                    "glue:GetDatabase",
                    "glue:GetDatabases"
                ],
                "Resource": [
                    "arn:aws:glue:us-east-2:254962200554:table/*/*",
                    "arn:aws:glue:us-east-2:254962200554:database/*",
                    "arn:aws:glue:us-east-2:254962200554:catalog"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "lakeformation:GetDataAccess"
                ],
                "Resource": [
                    "arn:aws:lakeformation:us-east-2:254962200554:catalog:254962200554"
                ],
                "Condition": {
                    "StringLike": {
                        "lakeformation:GlueARN": "arn:aws:glue:us-east-2:254962200554:table/*/*"
                    }
                }
            }
        ]
    }
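The two console procedures above (accepting the share, then creating the resource link and granting on it) as one boto3 script. This is an added example, not code from the original page or the cleanroom vendor; it adds the check a practitioner wants when accepting shares, namely that only PENDING invitations whose sender is the expected host account are accepted, and it grants both halves a querying principal needs (Describe on the link, Select on the target tables). The host account ID, region, and database name are the page's example values; CONSUMER_ROLE is an assumed placeholder; the caller is assumed to be a Lake Formation data lake administrator in the consumer account, and result pagination is not handled.

```python
"""Accept the cleanroom share, create the resource link, grant access (added example)."""
import re

HOST_ACCOUNT = "254962200554"  # cleanroom host account, as used on the page
REGION = "us-east-2"
CLEANROOM_DB = "cr_xyz_123"    # example database name from the page
CONSUMER_ROLE = "arn:aws:iam::111122223333:role/cleanroom-analyst"  # assumed placeholder

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def pending_invitations_from(invitations, expected_sender):
    """Return PENDING RAM invitations whose senderAccountId matches exactly.

    Invitations from any other account are ignored rather than accepted:
    accepting one would mount a stranger's Glue catalog into this account.
    """
    if not ACCOUNT_ID_RE.match(expected_sender):
        raise ValueError(f"not a 12-digit account id: {expected_sender!r}")
    return [
        inv for inv in invitations
        if inv.get("status") == "PENDING"
        and inv.get("senderAccountId") == expected_sender
    ]


def accept_cleanroom_shares(ram, expected_sender):
    """Accept only the host's pending invitations; return the accepted ARNs."""
    resp = ram.get_resource_share_invitations()
    accepted = []
    for inv in pending_invitations_from(resp["resourceShareInvitations"], expected_sender):
        ram.accept_resource_share_invitation(
            resourceShareInvitationArn=inv["resourceShareInvitationArn"])
        accepted.append(inv["resourceShareInvitationArn"])
    return accepted


def shared_glue_resources(ram, owner):
    """ARNs of Glue resources shared with us by `owner` (catalog, database, table)."""
    resp = ram.list_resources(resourceOwner="OTHER-ACCOUNTS")
    prefix = f"arn:aws:glue:{REGION}:{owner}:"
    return [r["arn"] for r in resp["resources"] if r["arn"].startswith(prefix)]


def resource_link_input(link_name, owner, db_name):
    """Glue DatabaseInput that makes `link_name` a resource link to owner's database."""
    return {"Name": link_name,
            "TargetDatabase": {"CatalogId": owner, "DatabaseName": db_name}}


def create_link_and_grant(glue, lf, owner, db_name, link_name, principal):
    """Create the resource link and grant a principal what it needs to query through it."""
    glue.create_database(DatabaseInput=resource_link_input(link_name, owner, db_name))
    # Querying through a link needs DESCRIBE on the link in our catalog ...
    lf.grant_permissions(
        Principal={"DataLakePrincipalIdentifier": principal},
        Resource={"Database": {"Name": link_name}},
        Permissions=["DESCRIBE"])
    # ... and SELECT on the target tables, addressed in the owner's catalog.
    lf.grant_permissions(
        Principal={"DataLakePrincipalIdentifier": principal},
        Resource={"Table": {"CatalogId": owner, "DatabaseName": db_name,
                            "TableWildcard": {}}},
        Permissions=["SELECT"])


def main():
    import boto3  # deferred so the helpers above can be used without boto3 installed
    session = boto3.Session(region_name=REGION)
    ram = session.client("ram")
    glue = session.client("glue")
    lf = session.client("lakeformation")
    print("accepted:", accept_cleanroom_shares(ram, HOST_ACCOUNT))
    print("shared:", shared_glue_resources(ram, HOST_ACCOUNT))
    create_link_and_grant(glue, lf, HOST_ACCOUNT, CLEANROOM_DB, CLEANROOM_DB, CONSUMER_ROLE)


if __name__ == "__main__":
    main()
```

Run it with credentials for the consumer account in us-east-2. The SELECT grant uses a table wildcard for brevity; in practice narrow it to the specific table and, where the page's column scoping applies, to the columns the analyst role needs.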