

# Integrating with Amazon S3 Tables

AWS Glue Data Catalog integration with Amazon S3 Tables allows you to discover, query, and join S3 Tables with data in Amazon S3 data lakes using a single catalog. When you integrate S3 Tables with the Data Catalog, the service creates a federated catalog structure that maps S3 Tables resources to AWS Glue catalog objects:
+ An S3 table bucket becomes a catalog in the Data Catalog
+ An S3 namespace becomes an AWS Glue database
+ An S3 table becomes an AWS Glue table

## Access controls


The Data Catalog supports two access control modes for S3 Tables integration:
+ **IAM access control** – Uses IAM policies to control access to S3 Tables and the Data Catalog. In this approach, you need IAM permissions on both S3 Tables resources and Data Catalog objects to access resources.
+ **AWS Lake Formation access control** – Uses AWS Lake Formation grants in addition to AWS Glue IAM permissions to control access to S3 Tables through the Data Catalog. In this mode, principals require IAM permissions to interact with the Data Catalog, and AWS Lake Formation grants determine which catalog resources (databases, tables, columns, rows) the principal can access. This mode supports both coarse-grained access control (database-level and table-level grants) and fine-grained access control (column-level and row-level security). When a registered role is configured and credential vending is enabled, S3 Tables IAM permissions are not required for the principal, as AWS Lake Formation vends credentials on behalf of the principal using the registered role. AWS Lake Formation access control also supports credential vending for third-party analytics engines. For more information, see [Creating an S3 Tables catalog](https://docs.aws.amazon.com/lake-formation/latest/dg/create-s3-tables-catalog.html) in the *AWS Lake Formation Developer Guide*.

You can migrate between access control modes as your requirements evolve.

## Catalog hierarchy for auto-mounting


When you integrate S3 Tables with the Data Catalog using the Amazon S3 management console, the console creates a federated catalog called `s3tablescatalog` in the Data Catalog in your account in that AWS Region. This federated catalog serves as the parent catalog for all existing and future S3 table buckets in that account and Region. The integration maps Amazon S3 table bucket resources in the following hierarchy:
+ **Federated catalog** – `s3tablescatalog` (automatically created)
+ **Child catalogs** – Each S3 table bucket becomes a child catalog under `s3tablescatalog`
+ **Databases** – Each S3 namespace within a table bucket becomes a database
+ **Tables** – Each S3 table within a namespace becomes a table

For example, if you have an S3 table bucket named "analytics-bucket" with a namespace "sales" containing a table "transactions", the full path in the Data Catalog would be: `s3tablescatalog/analytics-bucket/sales/transactions`

This four-part hierarchy applies to same-account scenarios where S3 Tables and the Data Catalog are in the same AWS account. For cross-account scenarios, you manually mount individual S3 table buckets in the Data Catalog, which creates a three-part hierarchy.
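The four-part path can also be used to scope IAM resources to a single table. The following is an added example, not AWS code: it validates a path and builds resource ARNs by substituting the path components into the wildcard patterns used in this page's IAM policy example. The component name rule, the function names, and the sample account ID are assumptions made for this sketch.

```python
import re

ROOT = "s3tablescatalog"
# Assumption for this sketch: components are lowercase letters, digits, "-" or "_".
# The point is to reject "*", "?", "/" and empty parts so input cannot widen an ARN.
_COMPONENT = re.compile(r"[a-z0-9][a-z0-9_-]*")

def parse_catalog_path(path):
    """Split 's3tablescatalog/<table bucket>/<namespace>/<table>' into named parts."""
    parts = path.split("/")
    if len(parts) != 4 or parts[0] != ROOT:
        raise ValueError(f"expected {ROOT}/<bucket>/<namespace>/<table>, got {path!r}")
    for part in parts[1:]:
        if not _COMPONENT.fullmatch(part):
            raise ValueError(f"invalid path component {part!r}")
    return dict(zip(("bucket", "namespace", "table"), parts[1:]))

def catalog_id(account_id, bucket):
    """Child-catalog ID in the form this page passes to --catalog-id."""
    return f"{account_id}:{ROOT}/{bucket}"

def scoped_resources(path, region, account_id):
    """Resource ARNs for one table, narrowing the page policy's wildcard patterns."""
    p = parse_catalog_path(path)
    glue = f"arn:aws:glue:{region}:{account_id}"
    bucket_arn = f"arn:aws:s3tables:{region}:{account_id}:bucket/{p['bucket']}"
    return {
        "glue": [
            f"{glue}:catalog/{ROOT}",
            f"{glue}:database/{ROOT}/{p['bucket']}/{p['namespace']}",
            f"{glue}:table/{ROOT}/{p['bucket']}/{p['namespace']}/{p['table']}",
        ],
        # table/* is kept: the page does not show what identifies a table in this ARN.
        "s3tables": [bucket_arn, f"{bucket_arn}/table/*"],
    }

if __name__ == "__main__":
    # Constructed sample: the page's example path with a placeholder account ID.
    sample = "s3tablescatalog/analytics-bucket/sales/transactions"
    print(scoped_resources(sample, "us-east-1", "111122223333"))
```

Every ARN this produces is matched by the corresponding wildcard pattern in the policy example, so the result is a narrower scope for the same actions.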

## Supported Regions


S3 Tables integration with the Data Catalog is available in the following AWS Regions:


| Region code | Region name | 
| --- | --- | 
| us-east-1 | US East (N. Virginia) | 
| us-east-2 | US East (Ohio) | 
| us-west-1 | US West (N. California) | 
| us-west-2 | US West (Oregon) | 
| af-south-1 | Africa (Cape Town) | 
| ap-east-1 | Asia Pacific (Hong Kong) | 
| ap-east-2 | Asia Pacific (Taipei) | 
| ap-northeast-1 | Asia Pacific (Tokyo) | 
| ap-northeast-2 | Asia Pacific (Seoul) | 
| ap-northeast-3 | Asia Pacific (Osaka) | 
| ap-south-1 | Asia Pacific (Mumbai) | 
| ap-south-2 | Asia Pacific (Hyderabad) | 
| ap-southeast-1 | Asia Pacific (Singapore) | 
| ap-southeast-2 | Asia Pacific (Sydney) | 
| ap-southeast-3 | Asia Pacific (Jakarta) | 
| ap-southeast-4 | Asia Pacific (Melbourne) | 
| ap-southeast-5 | Asia Pacific (Malaysia) | 
| ap-southeast-6 | Asia Pacific (New Zealand) | 
| ap-southeast-7 | Asia Pacific (Thailand) | 
| ca-central-1 | Canada (Central) | 
| ca-west-1 | Canada West (Calgary) | 
| eu-central-1 | Europe (Frankfurt) | 
| eu-central-2 | Europe (Zurich) | 
| eu-north-1 | Europe (Stockholm) | 
| eu-south-1 | Europe (Milan) | 
| eu-south-2 | Europe (Spain) | 
| eu-west-1 | Europe (Ireland) | 
| eu-west-2 | Europe (London) | 
| eu-west-3 | Europe (Paris) | 
| il-central-1 | Israel (Tel Aviv) | 
| mx-central-1 | Mexico (Central) | 
| sa-east-1 | South America (Sao Paulo) | 


# Prerequisites

Before you create a federated catalog for S3 Tables in the AWS Glue Data Catalog, ensure your IAM principal (user or role) has the required permissions.

## Required IAM permissions


Your IAM principal needs the following permissions to enable S3 Tables integration:

**AWS Glue permissions**:
+ `glue:CreateCatalog` – Required to create the `s3tablescatalog` federated catalog
+ `glue:GetCatalog` – Required to view catalog details
+ `glue:GetDatabase` – Required to view S3 namespaces as databases
+ `glue:GetTable` – Required to view S3 tables
+ `glue:passConnection` – Grants the calling principal the right to delegate the `aws:s3tables` connection to the AWS Glue service

**S3 Tables permissions** (for IAM access control):
+ `s3tables:CreateTableBucket`
+ `s3tables:GetTableBucket`
+ `s3tables:CreateNamespace`
+ `s3tables:GetNamespace`
+ `s3tables:ListNamespaces`
+ `s3tables:CreateTable`
+ `s3tables:GetTable`
+ `s3tables:ListTables`
+ `s3tables:UpdateTableMetadataLocation`
+ `s3tables:GetTableMetadataLocation`
+ `s3tables:GetTableData`
+ `s3tables:PutTableData`

## IAM policy example


The following IAM policy provides the minimum permissions required to enable S3 Tables integration with the Data Catalog in IAM mode:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueDataCatalogPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:CreateCatalog",
        "glue:GetCatalog",
        "glue:GetDatabase",
        "glue:GetTable"
      ],
      "Resource": [
        "arn:aws:glue:region:account-id:catalog/s3tablescatalog",
        "arn:aws:glue:region:account-id:database/s3tablescatalog/*/*",
        "arn:aws:glue:region:account-id:table/s3tablescatalog/*/*/*"
      ]
    },
    {
      "Sid": "S3TablesDataAccessPermissions",
      "Effect": "Allow",
      "Action": [
        "s3tables:GetTableBucket",
        "s3tables:GetNamespace",
        "s3tables:GetTable",
        "s3tables:GetTableMetadataLocation",
        "s3tables:GetTableData"
      ],
      "Resource": [
        "arn:aws:s3tables:region:account-id:bucket/*",
        "arn:aws:s3tables:region:account-id:bucket/*/table/*"
      ]
    }
  ]
}
```
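A static check that compares a policy's `Allow` statements with the action list under "Required IAM permissions" shows which listed actions a given policy does not grant and which resources it leaves wildcarded. This is an added example, not AWS code; the function names are assumptions, and the check ignores `Deny`, `NotAction`, conditions and resource scope.

```python
from fnmatch import fnmatchcase

# Action list copied from "Required IAM permissions" on this page.
REQUIRED = """glue:CreateCatalog glue:GetCatalog glue:GetDatabase glue:GetTable
glue:passConnection s3tables:CreateTableBucket s3tables:GetTableBucket
s3tables:CreateNamespace s3tables:GetNamespace s3tables:ListNamespaces
s3tables:CreateTable s3tables:GetTable s3tables:ListTables
s3tables:UpdateTableMetadataLocation s3tables:GetTableMetadataLocation
s3tables:GetTableData s3tables:PutTableData""".split()

# The page's example policy, embedded so the check runs offline.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GlueDataCatalogPermissions", "Effect": "Allow",
     "Action": ["glue:CreateCatalog", "glue:GetCatalog",
                "glue:GetDatabase", "glue:GetTable"],
     "Resource": ["arn:aws:glue:region:account-id:catalog/s3tablescatalog",
                  "arn:aws:glue:region:account-id:database/s3tablescatalog/*/*",
                  "arn:aws:glue:region:account-id:table/s3tablescatalog/*/*/*"]},
    {"Sid": "S3TablesDataAccessPermissions", "Effect": "Allow",
     "Action": ["s3tables:GetTableBucket", "s3tables:GetNamespace",
                "s3tables:GetTable", "s3tables:GetTableMetadataLocation",
                "s3tables:GetTableData"],
     "Resource": ["arn:aws:s3tables:region:account-id:bucket/*",
                  "arn:aws:s3tables:region:account-id:bucket/*/table/*"]}]}

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return value if isinstance(value, list) else [value]

def allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]

def missing_actions(policy, required=REQUIRED):
    """Required actions that no Allow statement's Action pattern matches."""
    patterns = [a.lower() for s in allow_statements(policy)
                for a in _as_list(s.get("Action", []))]
    # IAM action names are case-insensitive; * and ? are its wildcards.
    return [r for r in required
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]

def wildcard_resources(policy):
    """(Sid, ARN) pairs whose ARN contains a wildcard, for least-privilege review."""
    return [(s.get("Sid", ""), arn) for s in allow_statements(policy)
            for arn in _as_list(s.get("Resource", [])) if "*" in arn or "?" in arn]

if __name__ == "__main__":
    print("not granted:", missing_actions(PAGE_POLICY))
    print("wildcard resources:", wildcard_resources(PAGE_POLICY))
```

Run against the example policy, it reports `glue:passConnection` and the S3 Tables create, list and write actions as not granted, and flags four wildcarded resource ARNs.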

# Enabling S3 Tables integration with the Data Catalog

You can enable S3 Tables integration with the AWS Glue Data Catalog using the Amazon S3 management console or AWS CLI. When you enable the integration using the console, AWS creates a federated catalog named `s3tablescatalog` that automatically discovers and mounts all S3 table buckets in your AWS account and Region.

## Enable S3 Tables integration using the Amazon S3 management console


1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. In the left navigation pane, choose **Table buckets**.

1. Choose **Create table bucket**.

1. Enter a **Table bucket name** and make sure that the **Enable integration** checkbox is selected.

1. Choose **Create table bucket**.

Amazon S3 automatically integrates your table buckets in that Region. The first time that you integrate table buckets in any Region, Amazon S3 creates `s3tablescatalog` in the Data Catalog in that Region.

After the catalog is created, all S3 table buckets in your account and Region are automatically mounted as child catalogs. You can view the databases (namespaces) and tables by navigating to the catalog in the Data Catalog.

## Enable S3 Tables integration using AWS CLI


Use the `glue create-catalog` command to create the `s3tablescatalog` catalog.

```
aws glue create-catalog \
  --name "s3tablescatalog" \
  --catalog-input '{
    "Description": "Federated catalog for S3 Tables",
    "FederatedCatalog": {
      "Identifier": "arn:aws:s3tables:region:account-id:bucket/*",
      "ConnectionName": "aws:s3tables"
    },
    "CreateDatabaseDefaultPermissions": [{
      "Principal": {
        "DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"
      },
      "Permissions": ["ALL"]
    }],
    "CreateTableDefaultPermissions": [{
      "Principal": {
        "DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"
      },
      "Permissions": ["ALL"]
    }]
  }'
```

Replace *region* with your AWS Region and *account-id* with your AWS account ID.

## Verifying the integration


After creating the catalog, you can verify that S3 table buckets are mounted by listing the child catalogs:

```
aws glue get-catalogs \
  --parent-catalog-id s3tablescatalog
```

# Adding databases and tables to the S3 Tables catalog

Ensure that you have the necessary permissions to list and create catalogs, databases, and tables in the Data Catalog in your Region. Ensure that S3 Tables integration is enabled in your AWS account and Region.

## Adding a database to the S3 Tables catalog


### Adding a database (console)


1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/home](https://console.aws.amazon.com/glue/home).

1. In the left navigation pane, choose **Databases**.

1. Choose **Add Database**.

1. Choose **Glue Database in S3 Tables Federated Catalog**.

1. Enter a unique name for the database.

1. Select the target catalog that maps to a table bucket in S3 Tables.

1. Choose **Create Database**.

### Adding a database (AWS CLI)


```
aws glue create-database \
  --region region \
  --catalog-id "account-id:s3tablescatalog/my-catalog" \
  --database-input '{"Name": "my-database"}'
```

## Adding a table to the S3 Tables catalog


### Adding a table (console)


1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/home](https://console.aws.amazon.com/glue/home).

1. In the left navigation pane, choose **Tables**.

1. Select the appropriate S3 Tables catalog in the catalog dropdown.

1. Choose **Add Table**.

1. Enter a unique name for your table.

1. Confirm the correct S3 Tables catalog is selected in the catalog dropdown.

1. Select the database in the database dropdown.

1. Enter the table schema either as JSON or by adding each column individually.

1. Choose **Create table**.

### Adding a table (AWS CLI)


```
aws glue create-table \
  --region region \
  --catalog-id "account-id:s3tablescatalog/my-catalog" \
  --database-name "my-database" \
  --table-input '{
    "Name": "my-table",
    "Parameters": {
      "classification": "",
      "format": "ICEBERG"
    },
    "StorageDescriptor": {
      "Columns": [
        {"Name": "id", "Type": "int", "Parameters": {}},
        {"Name": "val", "Type": "string", "Parameters": {}}
      ]
    }
  }'
```

# Sharing S3 Tables catalog objects

When using IAM access control, you can share S3 Tables catalog objects with other users using AWS Glue resource links for same-account sharing. For cross-account sharing, you can share S3 table buckets with another AWS account, and the IAM role or user in the recipient account can create an AWS Glue catalog object using the shared table bucket.

## Sharing within the same account using resource links


Resource links allow you to create references to AWS Glue databases and tables in the `s3tablescatalog` that appear in your AWS Glue default catalog. This is useful for organizing data access or creating logical groupings of tables.

### Create a resource link (console)


1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/](https://console.aws.amazon.com/glue/).

1. In the navigation pane, choose **Catalogs**.

1. In the **Catalog** list, select **s3tablescatalog**.

1. Select the table you want to share from the `s3tablescatalog`.

1. Choose **Actions**, then choose **Create resource link**.

1. For **Resource link name**, enter a name for the resource link.

1. For **Target database**, select the database where you want to create the resource link.

1. (Optional) For **Description**, enter a description.

1. Choose **Create**.

The resource link appears in the target database and points to the original table in `s3tablescatalog`.

### Create resource links (AWS CLI)


Create a database resource link:

```
# create-database has no --database-name option; the resource link's name
# is the "Name" field in --database-input.
aws glue create-database \
  --database-input '{
    "Name": "sales_data_link",
    "TargetDatabase": {
      "CatalogId": "account-id:s3tablescatalog/analytics-bucket",
      "DatabaseName": "sales"
    }
  }'
```

Create a table resource link:

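```
# create-table requires --database-name: the database in your default catalog
# that will hold the link ("target-database" is a placeholder). The link's name
# is the "Name" field in --table-input.
aws glue create-table \
  --database-name "target-database" \
  --table-input '{
    "Name": "sales_data_link",
    "TargetTable": {
      "CatalogId": "account-id:s3tablescatalog/analytics-bucket",
      "DatabaseName": "sales",
      "Name": "transactions"
    }
  }'
```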

# Managing S3 Tables integration

## Enable AWS Lake Formation


You can enable AWS Lake Formation for your S3 Tables catalog when you want to scale your data governance requirements. AWS Lake Formation provides database-style grants to manage fine-grained access, scale permissions using tag-based access, and grant permissions based on user attributes such as group associations to your tables in S3 Tables.

Go to the AWS Lake Formation management console to enable AWS Lake Formation for your S3 Tables catalog in AWS Glue. For more information, see [Creating an S3 Tables catalog](https://docs.aws.amazon.com/lake-formation/latest/dg/create-s3-tables-catalog.html) in the *AWS Lake Formation Developer Guide*.

## Delete S3 Tables integration


You can delete S3 Tables integration by deleting the catalog integration in the Data Catalog. This operation only deletes the metadata in the Data Catalog and not the resources in S3 Tables.

Ensure that you have the necessary permissions to list, edit, and delete catalog objects in AWS Glue.

### Delete integration (console)


1. Open the AWS Glue console at [https://console.aws.amazon.com/glue/home](https://console.aws.amazon.com/glue/home).

1. In the navigation pane, choose **Catalogs**.

1. In the **Catalog** list, select **s3tablescatalog**.

1. Choose **Delete**.

1. Confirm that deleting the catalog also deletes all associated catalog objects in the Data Catalog.

1. Choose **Delete**.

### Delete integration (AWS CLI)


```
aws glue delete-catalog \
  --region region \
  --catalog-id "s3tablescatalog"
```