Configure account A
In account A, configure the catalog, grant permissions to account B, and register the object storage location with fine-grained permissions. You can use either your IAM administrator role (added as administrator) or a role with the permissions described in the prerequisites.
Configure your catalog
To configure your catalog in account A:
- Log in to the AWS Management Console as an administrator.
- Open the Amazon Redshift console and register your Amazon Redshift clusters and namespaces to the Data Catalog.
- After the registration is initiated, you will see an invite from Amazon Redshift on the Lake Formation console.
- Select the pending catalog invitation and choose Approve and create catalog.
- On the Set catalog details page, configure your catalog:
  - For Name, enter a name.
  - Select Access this catalog from Apache Iceberg compatible engines.
  - Choose the IAM role you created for the data transfer and choose Next.
- On the Grant permissions – optional page, choose Add permissions.
  - For IAM users and roles, choose Admin.
  - For Catalog permissions, grant Super user under both Catalog permissions and Grantable permissions.
  - Choose Add.
- Review the details on the Review and create page and choose Create catalog.
- Verify that the catalog is created.
- Explore the catalog detail page to verify the database and table structure.
- On the database View dropdown menu, view the table and verify that the table shows up.
Note
As the Admin role, you can also query the table in Amazon Athena and confirm that the data is available.
Grant permissions on the tables from account A to account B
Share the data warehouse federated catalog database and table, as well as the object storage-based Iceberg table and its database from the default catalog to account B.
Note
You cannot share the entire catalog to external accounts as a catalog-level permission; you can only share the database and table.
To grant permissions:
- On the Lake Formation console, choose Data permissions in the navigation pane.
- Choose Grant.
- Under Principals, select External accounts and provide the account ID of account B.
- Under LF-Tags or catalog resources, select Named Data Catalog resources.
- For Catalogs, choose the account ID that represents the default catalog.
- For Databases, choose the database you want to share (for example, customerdb).
- Under Database permissions, select Describe under both Database permissions and Grantable permissions.
- Choose Grant.
- Repeat these steps to grant table-level Select and Describe permissions on the tables you want to share.
- Repeat these steps again to grant database-level and table-level permissions for the federated catalog database.
- Choose Data permissions in the navigation pane and verify that account B has been granted database-level and table-level permissions for both tables, from the federated catalog and from the default catalog.
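The same grants, issued through the Lake Formation GrantPermissions API instead of the console, as an added example that is not part of the AWS documentation. Account IDs, the catalog ID format for the federated Redshift catalog (assumed here to be "<account>:<catalog-name>"), and the database and table names are constructed placeholders; the boto3 call is only made when the module is run directly.

```python
"""Added example (not AWS documentation code): build the cross-account grants
from the procedure above as Lake Formation GrantPermissions requests."""
from typing import Any, Dict, List

ACCOUNT_A = "111111111111"   # constructed: the account that owns the catalogs
ACCOUNT_B = "222222222222"   # constructed: the consumer account
# Assumption: the federated Redshift catalog is addressed as "<account>:<catalog-name>".
FEDERATED_CATALOG = f"{ACCOUNT_A}:redshift-catalog"


def database_grant(catalog_id: str, database: str, grantee: str) -> Dict[str, Any]:
    """Describe on the database, grantable so account B can re-share it internally."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": grantee},
        "Resource": {"Database": {"CatalogId": catalog_id, "Name": database}},
        "Permissions": ["DESCRIBE"],
        "PermissionsWithGrantOption": ["DESCRIBE"],
    }


def table_grant(catalog_id: str, database: str, table: str, grantee: str) -> Dict[str, Any]:
    """Select and Describe on one table; no grant option keeps the share read-only."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": grantee},
        "Resource": {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": table}},
        "Permissions": ["SELECT", "DESCRIBE"],
        "PermissionsWithGrantOption": [],
    }


def cross_account_grants(shares: Dict[str, Dict[str, List[str]]], grantee: str) -> List[Dict[str, Any]]:
    """shares maps catalog ID -> {database: [tables]}; emits the same order as the console steps."""
    grants: List[Dict[str, Any]] = []
    for catalog_id, databases in shares.items():
        for database, tables in databases.items():
            grants.append(database_grant(catalog_id, database, grantee))
            grants.extend(table_grant(catalog_id, database, t, grantee) for t in tables)
    return grants


def apply_grants(client: Any, grants: List[Dict[str, Any]]) -> int:
    """client is a boto3 lakeformation client (or a fake in tests); returns the call count."""
    for kwargs in grants:
        client.grant_permissions(**kwargs)
    return len(grants)


if __name__ == "__main__":
    import boto3  # only required when running against account A with admin credentials
    shares = {ACCOUNT_A: {"customerdb": ["customers"]}, FEDERATED_CATALOG: {"dev": ["orders"]}}
    print(apply_grants(boto3.client("lakeformation"), cross_account_grants(shares, ACCOUNT_B)))
```

After applying, the Data permissions page in the console should list the same Describe and Select entries for account B that the manual steps produce.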
Register the Amazon S3 location
Register the object storage-based Iceberg table data location with fine-grained permissions so that access to it is managed by Lake Formation permissions rather than by IAM policies alone.
- On the Lake Formation console, choose Data lake locations in the navigation pane.
- Choose Register location.
- For Amazon S3 path, enter the path for your storage bucket that contains the Iceberg table data.
- For IAM role, provide the user-defined role LakeFormationS3Registration_custom that you created as a prerequisite.
- For Permission mode, choose Lake Formation.
- Choose Register location.
- Choose Data lake locations in the navigation pane to verify the S3 registration.