

# Amazon S3 Tables integration with AWS Glue Data Catalog and AWS Lake Formation
<a name="create-s3-tables-catalog"></a>

[Amazon S3 Tables](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables.html) provide S3 storage that's specifically optimized for analytics workloads, improving query performance while reducing costs. The data in S3 Tables is stored in a new bucket type, the *table bucket*, which stores tables as subresources. S3 Tables have built-in support for the Apache Iceberg standard, so you can query tabular data in Amazon S3 table buckets with popular query engines such as Apache Spark.

You can integrate Amazon S3 Tables with the AWS Glue Data Catalog using either IAM access controls alone or IAM together with Lake Formation grants:
+ **IAM access control**: Uses IAM policies to control access to S3 Tables and Data Catalog. In this access control approach, you need IAM permissions on both S3 Tables resources and Data Catalog objects to access resources.
+ **Lake Formation access control**: Uses AWS Lake Formation grants in addition to AWS Glue IAM permissions to control access to S3 Tables through the Data Catalog. In this mode, principals require IAM permissions to interact with the Data Catalog, and Lake Formation grants determine which catalog resources (databases, tables, columns, rows) the principal can access. This mode supports both coarse-grained access control (database-level and table-level grants) and fine-grained access control (column-level and row-level security). When a registered role is configured and credential vending is enabled, S3 Tables IAM permissions are not required for the principal, as Lake Formation vends credentials on behalf of the principal using the registered role. Lake Formation access control also supports credential vending for third-party analytics engines.

This section provides guidance to configure the integration with AWS Lake Formation for the following scenarios:
+ **Scenario A**: You integrated S3 Tables and Data Catalog using IAM access controls and now plan to use AWS Lake Formation. See [Changing access controls for S3 Tables integration](manage-s3tables-catalog-integration.md) to learn more.
+ **Scenario B**: You plan to integrate S3 Tables and Data Catalog using AWS Lake Formation and do not have them integrated in your account and Region today. Start with the [Prerequisites for integrating Amazon S3 tables catalog with the Data Catalog and Lake Formation](s3tables-catalog-prerequisites.md) section and follow [Enabling Amazon S3 Tables integration](enable-s3-tables-catalog-integration.md).
+ **Scenario C**: You integrated S3 Tables and Data Catalog using AWS Lake Formation and now plan to use IAM. See [Changing access controls for S3 Tables integration](manage-s3tables-catalog-integration.md) to learn more.

Make sure that you follow the steps in [Integrating S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html) so that you have the appropriate permissions to access the AWS Glue Data Catalog and your table resources, and to work with AWS analytics services.

**Topics**
+ [How Data Catalog and Lake Formation integration works](#w2aac13c27c19)
+ [Prerequisites for integrating Amazon S3 tables catalog with the Data Catalog and Lake Formation](s3tables-catalog-prerequisites.md)
+ [Enabling Amazon S3 Tables integration](enable-s3-tables-catalog-integration.md)
+ [Creating databases and tables in the S3 tables catalog](create-databases-tables-s3-catalog.md)
+ [Registering an Amazon S3 table bucket in another AWS account](register-cross-account-s3-table-bucket.md)
+ [Granting permissions](s3-tables-grant-permissions.md)

## How Data Catalog and Lake Formation integration works
<a name="w2aac13c27c19"></a>

When you integrate the S3 tables catalog with the Data Catalog and Lake Formation, the AWS Glue service creates a single federated catalog called `s3tablescatalog` in your account's default Data Catalog specific to your AWS Region. The integration maps all Amazon S3 table bucket resources in your account and AWS Region under the federated catalog in the following manner:
+ Amazon S3 table buckets become a multi-level catalog in the Data Catalog.
+ The associated Amazon S3 namespace is registered as a database in the Data Catalog.
+ The Amazon S3 tables in the table bucket become tables in the Data Catalog.

![\[Mapping of objects between S3 Tables and AWS Glue Data Catalog.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/S3Tables-glue-catalog.png)


After integrating with Lake Formation, you can create Apache Iceberg tables in the table buckets catalog and access them through integrated AWS analytics engines such as Amazon Athena and Amazon EMR, and through third-party analytics engines.

Enabling Lake Formation as part of the integration turns on fine-grained access control through AWS Lake Formation. This security approach means that, in addition to AWS Identity and Access Management (IAM) permissions, you must grant your IAM principal Lake Formation permissions on your tables before you can work with them.

There are two main types of permissions in AWS Lake Formation:
+ Metadata access permissions control the ability to create, read, update, and delete metadata databases and tables in the Data Catalog.
+ Underlying data access permissions control the ability to read and write data to the underlying Amazon S3 locations that the Data Catalog resources point to.

Lake Formation uses a combination of its own permissions model and the IAM permissions model to control access to Data Catalog resources and underlying data:
+ For a request to access Data Catalog resources or underlying data to succeed, the request must pass permission checks by both IAM and Lake Formation.
+ IAM permissions control access to the Lake Formation and AWS Glue APIs and resources, whereas Lake Formation permissions control access to the Data Catalog resources, Amazon S3 locations, and the underlying data.

Lake Formation permissions apply only in the Region in which they were granted, and a principal must be authorized by a data lake administrator or another principal with the necessary permissions in order to be granted Lake Formation permissions.
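As an added illustration of the two-gate model described above (not code from AWS or from this guide), the following Python models a request that must pass both an IAM check on the API action and a Region-scoped Lake Formation grant check on the catalog resource, with column-level grants enforced. The principals, catalog IDs, tables and column sets are constructed sample values.

```python
# Toy model of the two-gate check: a request succeeds only if IAM allows the
# API call AND a Lake Formation grant covers the catalog resource, and Lake
# Formation grants are scoped to the Region in which they were made.
# Added illustration, not AWS code; all identifiers are constructed samples.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Request:
    principal: str
    region: str
    api: str            # IAM action behind the call, e.g. "glue:GetTable"
    catalog_id: str     # "<account>:s3tablescatalog/<table-bucket>"
    database: str       # S3 Tables namespace
    table: str
    columns: Tuple[str, ...]


@dataclass(frozen=True)
class LfGrant:
    principal: str
    region: str
    catalog_id: str
    database: str
    table: str
    permission: str                      # e.g. "SELECT"
    columns: Optional[FrozenSet[str]]    # None means all columns


# Constructed sample IAM allow-list: principal -> set of allowed API actions.
IAM_ALLOW = {
    "arn:aws:iam::111122223333:role/Analyst": {"glue:GetTable", "glue:GetDatabase"},
    "arn:aws:iam::111122223333:role/NoIam": set(),
}

# Constructed sample Lake Formation grants (Region-scoped, column-restricted).
LF_GRANTS = [
    LfGrant("arn:aws:iam::111122223333:role/Analyst", "us-east-1",
            "111122223333:s3tablescatalog/demo-bucket", "sales", "orders",
            "SELECT", frozenset({"order_id", "amount"})),
    LfGrant("arn:aws:iam::111122223333:role/NoIam", "us-east-1",
            "111122223333:s3tablescatalog/demo-bucket", "sales", "orders",
            "SELECT", None),
]


def iam_allows(req: Request, iam_allow=IAM_ALLOW) -> bool:
    return req.api in iam_allow.get(req.principal, set())


def lf_allows(req: Request, needed: str, grants=LF_GRANTS) -> bool:
    for g in grants:
        same_target = (g.principal, g.region, g.catalog_id, g.database, g.table,
                       g.permission) == (req.principal, req.region, req.catalog_id,
                                         req.database, req.table, needed)
        if same_target and (g.columns is None or set(req.columns) <= g.columns):
            return True
    return False


def authorize(req: Request, needed: str = "SELECT") -> Tuple[bool, str]:
    """Both gates must pass; the reason names the gate that rejected the request."""
    if not iam_allows(req):
        return False, "denied by IAM"
    if not lf_allows(req, needed):
        return False, "denied by Lake Formation"
    return True, "allowed"


def _sample(principal="arn:aws:iam::111122223333:role/Analyst", region="us-east-1",
            columns=("order_id", "amount")) -> Request:
    return Request(principal, region, "glue:GetTable",
                   "111122223333:s3tablescatalog/demo-bucket", "sales", "orders", columns)


if __name__ == "__main__":
    print(authorize(_sample()))                              # (True, 'allowed')
    print(authorize(_sample(region="us-west-2")))            # grant is Region-scoped
    print(authorize(_sample(columns=("order_id", "ssn"))))   # column not granted
    print(authorize(_sample(principal="arn:aws:iam::111122223333:role/NoIam")))
```

The last three calls show the three ways a request fails: the same grant does not apply in another Region, a column outside the grant is refused even though the table is granted, and a principal with a Lake Formation grant but no IAM permission never reaches the Lake Formation check.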

# Prerequisites for integrating Amazon S3 tables catalog with the Data Catalog and Lake Formation
<a name="s3tables-catalog-prerequisites"></a>

Following are the prerequisites to enable Amazon S3 table integration with AWS Glue Data Catalog and AWS Lake Formation.

1.  When you enable the Amazon S3 tables integration, Lake Formation automatically registers the S3 tables' location. To register the table bucket location with Lake Formation, you need an IAM role or user with the `lakeformation:RegisterResource`, `lakeformation:RegisterResourceWithPrivilegedAccess`, and `lakeformation:CreateCatalog` permissions. When a non-administrator user with these permissions registers a catalog location, Lake Formation automatically grants them the `DATA_LOCATION_ACCESS` permission for that location, which allows the calling principal to perform all supported Lake Formation operations on the registered data location.

1. <a name="step3-permissions"></a> When you enable the S3 tables integration, you need to choose an IAM role for Lake Formation to vend credentials to allow data access. Create an IAM role for Lake Formation data access to your S3 table buckets. The IAM role used when registering the table bucket with Lake Formation requires the following permissions: 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "LakeFormationPermissionsForS3ListTableBucket",
               "Effect": "Allow",
               "Action": [
                   "s3tables:ListTableBuckets"
               ],
               "Resource": [
                   "*"
               ]
           },
           {
               "Sid": "LakeFormationDataAccessPermissionsForS3TableBucket",
               "Effect": "Allow",
               "Action": [
                   "s3tables:CreateTableBucket",
                   "s3tables:GetTableBucket",
                   "s3tables:CreateNamespace",
                   "s3tables:GetNamespace",
                   "s3tables:ListNamespaces",
                   "s3tables:DeleteNamespace",
                   "s3tables:DeleteTableBucket",
                   "s3tables:CreateTable",
                   "s3tables:DeleteTable",
                   "s3tables:GetTable",
                   "s3tables:ListTables",
                   "s3tables:RenameTable",
                   "s3tables:UpdateTableMetadataLocation",
                   "s3tables:GetTableMetadataLocation",
                   "s3tables:GetTableData",
                   "s3tables:PutTableData"
               ],
               "Resource": [
                   "arn:aws:s3tables:us-east-1:123456789012:bucket/*"
               ]
           }
       ]
   }
   ```


   For more information, see [Requirements for roles used to register locations](registration-role.md).

1.  Add the following trust policy to the IAM role to allow the Lake Formation service to assume the role and vend temporary credentials to the integrated analytics engines. Include the `sts:SetContext` action in the trust relationship when you use IAM Identity Center principals with Lake Formation.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "lakeformation.amazonaws.com"
         },
         "Action": [
           "sts:AssumeRole",
           "sts:SetSourceIdentity",
           "sts:SetContext"
         ]
       }
     ]
   }
   ```

**Note**  
The AWS analytics services integration process has been updated. If you've set up the integration with the preview release, you can continue to use your current integration. However, the updated integration process provides performance improvements. To update the integration:  
First, delete your existing S3 tables catalog in Lake Formation. To delete the catalog, select the `s3tablescatalog` catalog from the catalogs list, and choose **Delete** from **Actions**.
Next, deregister the data location for the `s3tablescatalog`.  
On the Lake Formation console, under the **Administrations** section, choose **Data Locations**.
Select a location, and from the **Actions** menu, choose **Remove**.
When prompted for confirmation, choose **Remove**.  
For detailed instructions on deregistering a data location, see the [Deregistering an Amazon S3 location](unregister-location.md) section.
Then, follow the updated integration steps in the [Enabling Amazon S3 Tables integration](enable-s3-tables-catalog-integration.md) section.

# Enabling Amazon S3 Tables integration
<a name="enable-s3-tables-catalog-integration"></a>

You can create Amazon S3 table buckets using the Amazon S3 console and integrate them with AWS analytics services. For more information, see [Using Amazon S3 Tables with AWS analytics services](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-integrating-aws.html).

In AWS Lake Formation, you can enable Amazon S3 Tables integration with the AWS Glue Data Catalog and AWS Lake Formation using the Lake Formation console or the AWS CLI.

## To integrate Amazon S3 Tables with the Data Catalog and Lake Formation (console)
<a name="w2aac13c27c23b7b1"></a>

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

1. In the navigation pane, choose **Catalogs** under **Data Catalog**.

1. Choose **Enable S3 Table integration** on the **Catalogs** page.   
![\[The enable S3 table integration option on the catalogs page.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/enable-s3-table-integration.png)

1.  Choose an IAM role with the required permissions for Lake Formation to assume in order to vend credentials to the analytical query engines. For the permissions the role needs to access data, see [step3-permissions](s3tables-catalog-prerequisites.md#step3-permissions) in the prerequisites section.   
![\[The enable S3 integration screen with IAM role.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/enable-s3-table-catalog.png)

1.  Select the **Allow external engines to access data in Amazon S3 locations with full table access** option. When you enable full table access for third-party engines, Lake Formation returns credentials to the third-party engine directly without performing IAM session tag validation, so you cannot apply Lake Formation fine-grained access controls to the tables being accessed.

1. Choose **Enable**. The new catalog for S3 Tables is added to the catalog list. When you enable the S3 tables catalog integration, the service registers the data location of the S3 table bucket with Lake Formation.

1. Choose the catalog to view catalog objects and grant permissions to other principals.   
![\[The S3 Table Catalog\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/s3-table-catalog.png)

   To create multi-level catalogs, see the [Creating a table bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html) section in the Amazon Simple Storage Service User Guide.

## To integrate Amazon S3 tables with the Data Catalog and Lake Formation (CLI)
<a name="w2aac13c27c23b7b3"></a>

Following the prerequisites section, create an IAM service role that allows Lake Formation to access your table resources.

1. Create a file called `Role-Trust-Policy.json` that contains the following trust policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Sid": "LakeFormationDataAccessPolicy",
           "Effect": "Allow",
           "Principal": {
             "Service": "lakeformation.amazonaws.com"
           },
           "Action": [
               "sts:AssumeRole",
               "sts:SetContext",
               "sts:SetSourceIdentity"
           ],
           "Condition": {
             "StringEquals": {
               "aws:SourceAccount": "111122223333"
             }
           }
         }
       ]
   }
   ```

1. Create the IAM service role by using the following command:

   ```
   aws iam create-role \
     --role-name S3TablesRoleForLakeFormation \
     --assume-role-policy-document file://Role-Trust-Policy.json
   ```

1. Create a file called `LF-GluePolicy.json` that contains the following policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "LakeFormationPermissionsForS3ListTableBucket",
               "Effect": "Allow",
               "Action": [
                   "s3tables:ListTableBuckets"
               ],
               "Resource": [
                   "*"
               ]
           },
           {
               "Sid": "LakeFormationDataAccessPermissionsForS3TableBucket",
               "Effect": "Allow",
               "Action": [
                   "s3tables:CreateTableBucket",
                   "s3tables:GetTableBucket",
                   "s3tables:CreateNamespace",
                   "s3tables:GetNamespace",
                   "s3tables:ListNamespaces",
                   "s3tables:DeleteNamespace",
                   "s3tables:DeleteTableBucket",
                   "s3tables:CreateTable",
                   "s3tables:DeleteTable",
                   "s3tables:GetTable",
                   "s3tables:ListTables",
                   "s3tables:RenameTable",
                   "s3tables:UpdateTableMetadataLocation",
                   "s3tables:GetTableMetadataLocation",
                   "s3tables:GetTableData",
                   "s3tables:PutTableData"
               ],
               "Resource": [
                   "arn:aws:s3tables:us-east-1:111122223333:bucket/*"
               ]
           }
       ]
   }
   ```

1. Attach the policy to the role by using the following command:

   ```
   aws iam put-role-policy \
     --role-name S3TablesRoleForLakeFormation \
     --policy-name LakeFormationDataAccessPermissionsForS3TableBucket \
     --policy-document file://LF-GluePolicy.json
   ```

1. Create a file called `input.json` that contains the following:

   ```
   {
       "ResourceArn": "arn:aws:s3tables:us-east-1:111122223333:bucket/*",
       "WithFederation": true,
       "RoleArn": "arn:aws:iam::111122223333:role/S3TablesRoleForLakeFormation"
   }
   ```

1. Register table buckets with Lake Formation by using the following command:

   ```
   aws lakeformation register-resource \
     --region us-east-1 \
     --with-privileged-access \
     --cli-input-json file://input.json
   ```

1. Create a file called `catalog.json` that contains the following catalog:

   ```
   {
      "Name": "s3tablescatalog",
      "CatalogInput": {
         "FederatedCatalog": {
             "Identifier": "arn:aws:s3tables:us-east-1:111122223333:bucket/*",
             "ConnectionName": "aws:s3tables"
          },
          "CreateDatabaseDefaultPermissions": [],
          "CreateTableDefaultPermissions": [],
          "AllowFullTableExternalDataAccess": "True"
      }
   }
   ```

1. Create the `s3tablescatalog` catalog by using the following command. Creating this catalog populates the AWS Glue Data Catalog with objects corresponding to table buckets, namespaces, and tables.

   ```
   aws glue create-catalog \
     --region us-east-1 \
     --cli-input-json file://catalog.json
   ```

1. Verify that the `s3tablescatalog` catalog was added in AWS Glue by using the following command:

   ```
   aws glue get-catalog --catalog-id s3tablescatalog
   ```
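The following added Python example (standard library only; not AWS tooling and not code from this guide) serves both the prerequisites section and this CLI procedure: it generates the four input files the procedure uses, `Role-Trust-Policy.json`, `LF-GluePolicy.json`, `input.json` and `catalog.json`, with the same statements as the policies above, and runs a pre-flight review before `register-resource` and `create-catalog` are called. The review flags a trust policy without the `aws:SourceAccount` condition (the confused-deputy safeguard the CLI trust policy carries), S3 Tables data actions granted on `Resource: "*"`, a `RoleArn` in a different account from the table buckets, a catalog `Identifier` that differs from the registered `ResourceArn`, and notes when `AllowFullTableExternalDataAccess` is `"True"`, since fine-grained controls then do not apply to external engines. The account ID, Region and role name are placeholders.

```python
# Builds the four JSON documents of the CLI procedure and reviews them before
# anything is registered. Added example, standard library only, not AWS code;
# account ID, Region and role name are placeholders.
import json
import re

ACCOUNT_RE = re.compile(r"^\d{12}$")
LF_SERVICE = "lakeformation.amazonaws.com"

# Same action list as the role policy in the prerequisites section.
S3TABLES_ACTIONS = [
    "s3tables:CreateTableBucket", "s3tables:GetTableBucket", "s3tables:CreateNamespace",
    "s3tables:GetNamespace", "s3tables:ListNamespaces", "s3tables:DeleteNamespace",
    "s3tables:DeleteTableBucket", "s3tables:CreateTable", "s3tables:DeleteTable",
    "s3tables:GetTable", "s3tables:ListTables", "s3tables:RenameTable",
    "s3tables:UpdateTableMetadataLocation", "s3tables:GetTableMetadataLocation",
    "s3tables:GetTableData", "s3tables:PutTableData",
]


def bucket_arn(account, region):
    return f"arn:aws:s3tables:{region}:{account}:bucket/*"


def trust_policy(account, scope_to_account=True):
    stmt = {"Sid": "LakeFormationDataAccessPolicy", "Effect": "Allow",
            "Principal": {"Service": LF_SERVICE},
            "Action": ["sts:AssumeRole", "sts:SetContext", "sts:SetSourceIdentity"]}
    if scope_to_account:
        # Only Lake Formation acting for this account may assume the role
        # (confused-deputy safeguard, as in Role-Trust-Policy.json above).
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": account}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def role_policy(account, region):
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "LakeFormationPermissionsForS3ListTableBucket", "Effect": "Allow",
         "Action": ["s3tables:ListTableBuckets"], "Resource": ["*"]},
        {"Sid": "LakeFormationDataAccessPermissionsForS3TableBucket", "Effect": "Allow",
         "Action": S3TABLES_ACTIONS, "Resource": [bucket_arn(account, region)]},
    ]}


def register_input(account, region, role_name):
    return {"ResourceArn": bucket_arn(account, region), "WithFederation": True,
            "RoleArn": f"arn:aws:iam::{account}:role/{role_name}"}


def catalog_input(account, region, full_table_external_access):
    return {"Name": "s3tablescatalog", "CatalogInput": {
        "FederatedCatalog": {"Identifier": bucket_arn(account, region),
                             "ConnectionName": "aws:s3tables"},
        "CreateDatabaseDefaultPermissions": [],
        "CreateTableDefaultPermissions": [],
        # The API takes the strings "True"/"False" here, not a JSON boolean.
        "AllowFullTableExternalDataAccess": "True" if full_table_external_access else "False",
    }}


def preflight(trust, policy, register, catalog):
    """Review the four documents together; an empty list means nothing to flag."""
    findings = []
    for st in trust["Statement"]:
        if st.get("Principal", {}).get("Service") != LF_SERVICE:
            findings.append("trust: principal is not lakeformation.amazonaws.com")
        if "aws:SourceAccount" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: no aws:SourceAccount condition (confused-deputy risk)")
    for st in policy["Statement"]:
        data_actions = [a for a in st["Action"] if a != "s3tables:ListTableBuckets"]
        if data_actions and "*" in st["Resource"]:
            findings.append(f"policy {st['Sid']}: data actions granted on Resource '*'")
    if register["RoleArn"].split(":")[4] != register["ResourceArn"].split(":")[4]:
        findings.append("register: RoleArn account differs from ResourceArn account")
    fed = catalog["CatalogInput"]["FederatedCatalog"]
    if fed["Identifier"] != register["ResourceArn"]:
        findings.append("catalog: Identifier does not match the registered ResourceArn")
    if fed["ConnectionName"] != "aws:s3tables":
        findings.append("catalog: ConnectionName must be aws:s3tables")
    if catalog["CatalogInput"].get("AllowFullTableExternalDataAccess") == "True":
        findings.append("catalog: full table access for external engines is on; "
                        "Lake Formation fine-grained controls will not apply to them")
    return findings


def build_all(account, region, role_name, full_table_external_access=True,
              scope_trust_to_account=True):
    """Return ({file name: document}, findings) for the CLI procedure."""
    if not ACCOUNT_RE.match(account):
        raise ValueError("account must be a 12-digit AWS account ID")
    docs = {"Role-Trust-Policy.json": trust_policy(account, scope_trust_to_account),
            "LF-GluePolicy.json": role_policy(account, region),
            "input.json": register_input(account, region, role_name),
            "catalog.json": catalog_input(account, region, full_table_external_access)}
    return docs, preflight(*docs.values())


if __name__ == "__main__":
    docs, findings = build_all("111122223333", "us-east-1", "S3TablesRoleForLakeFormation")
    for name, doc in docs.items():
        print(f"--- {name}\n{json.dumps(doc, indent=4)}")
    print("findings:", findings)
```

Write each document to the file name it is keyed under and the `aws iam`, `aws lakeformation register-resource` and `aws glue create-catalog` commands above can be run unchanged. With the defaults the only finding is the informational one about full table access for external engines; pass `full_table_external_access=False` to build a catalog for which Lake Formation fine-grained controls still apply to third-party engines.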

# Creating databases and tables in the S3 tables catalog
<a name="create-databases-tables-s3-catalog"></a>

 You can create databases to organize your Apache Iceberg tables, and tables to define the schema and location of your data in the S3 tables catalog. 

## Create a database (console)
<a name="w2aac13c27c25b5b1"></a>

1.  Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator or database creator. 

1. In the navigation pane, choose **Databases** under **Data Catalog**.

1. Choose **Create database**.

1.  On the **Create database** page, choose the **Database** option, and enter the following details: 
   + **Name** – A unique name for the database
   + **Data catalog** – Choose the S3 tables catalog. The database will reside in this catalog.
   + **Description** – (Optional) Add a description and location.
   + **IAM access control for new tables** – Optionally select **Use only IAM access control for new tables in this database**. For information about this option, see the [Changing the default settings for your data lake](https://docs.aws.amazon.com/lake-formation/latest/dg/change-settings.html) section.
   + Choose **Create database**. You can see the database created under the S3 tables catalog.

## Create a database using AWS CLI
<a name="w2aac13c27c25b5b3"></a>

The following CLI command shows how to create a database in the S3 tables catalog.

```
aws glue create-database \
  --region us-east-1 \
  --catalog-id "123456789012:s3tablescatalog/test" \
  --database-input '{ "Name": "testglueclidbcreation" }'
```

## Create a table (AWS Management Console)
<a name="w2aac13c27c25b5b5"></a>

 You can create Apache Iceberg metadata tables in the S3 tables catalog using Lake Formation console or the AWS Glue `CreateTable` API. 

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator or a user with `CreateTable` permission.

1. In the navigation pane, choose **Tables** under **Data Catalog**.

1. Choose **Create table**.

1. On the **Create table** page, enter the table details:  
![\[The S3 Table Catalog\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/s3-catalog-create-table.png)
   + **Name** – Enter a unique name for the table.
   + **Catalog** – Choose the S3 tables catalog as the catalog.
   + **Database** – Choose the database under the S3 tables catalog.
   + **Description** – Enter a description for the table.
   + **Schema** – Choose **Add columns** to add columns and their data types. You can also create an empty table and update the schema later; Iceberg allows you to evolve the schema and partitions after you create the table. You can use Athena queries to update the table schema and Spark queries to update partitions.

1. Choose **Submit**.

## Create a table (AWS CLI)
<a name="w2aac13c27c25b5b7"></a>

```
aws glue create-table \
  --database-name "testglueclidbcreation" \
  --catalog-id "123456789012:s3tablescatalog/test" \
  --region us-east-1 \
  --table-input \
  '{ "Name": "testtablegluecli", "Parameters": { "format": "ICEBERG" }, "StorageDescriptor": { "Columns": [ {"Name": "x", "Type": "int", "Parameters": {"required": "true"}} ] } }'
```

# Registering an Amazon S3 table bucket in another AWS account
<a name="register-cross-account-s3-table-bucket"></a>

You can register individual Amazon S3 table buckets (ARN format: `arn:aws:s3tables:us-east-1:account-id:bucket/bucket-name`) from one AWS account with Lake Formation in another account. For example, you can register a table bucket from account A in account B's Lake Formation.

## Prerequisites
<a name="w2aac13c27c27b5"></a>

Before beginning the cross-account bucket registration:
+ Create a table bucket in account A.
+ Create an IAM role in account B with appropriate permissions for bucket registration.

  For more information about the permissions required to register a table bucket with Lake Formation, see [Prerequisites for integrating Amazon S3 tables catalog with the Data Catalog and Lake Formation](s3tables-catalog-prerequisites.md).
+ Register the table bucket in the account where you are going to create the S3 table catalog.
+  For cross-account access, the role specified when registering the table bucket must be an in-account role with appropriate permissions to access the cross-account bucket. The role needs necessary S3 Tables IAM actions to access bucket resources.

## Cross-account table bucket registration
<a name="w2aac13c27c27b7"></a>

In the following procedures, account A is the resource owning account, and account B is where the table bucket will be registered for managing access permissions.

1. Sign in to the AWS Management Console in account A.

   Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1.  Create a table bucket. For more information, see [Creating a table bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-tables-buckets-create.html) in the Amazon S3 User Guide. 

1. Register the table bucket in account B.

   Use the AWS CLI to register the table bucket from account A with Lake Formation in account B.

   ```
   aws lakeformation register-resource \
   --resource-arn 'arn:aws:s3tables:us-east-1:account-A-id:bucket/single-bucket-name' \
   --role-arn arn:aws:iam::account-B-id:role/role-name \
   --region us-east-1
   ```

   Replace account-A-id, single-bucket-name, account-B-id, and role-name with your specific values.

1. Next, create a catalog for the table bucket in account B.

   Create a catalog using the AWS CLI.

   ```
   aws glue create-catalog --region us-east-1 \
   --cli-input-json \
   '{
      "Name": "catalog-name",
      "CatalogInput" : {
         "FederatedCatalog": {
            "Identifier": "arn:aws:s3tables:us-east-1:account-A-id:bucket/single-bucket-name",
            "ConnectionName": "aws:s3tables"
         },
         "CreateDatabaseDefaultPermissions": [],
         "CreateTableDefaultPermissions": []
      }
   }'
   ```

   Replace catalog-name, account-A-id, and single-bucket-name with your specific values.

   The following CLI example shows how to view the details of the catalog.

   ```
   aws glue get-catalog \
     --catalog-id account-B-id:catalog-name \
     --region us-east-1
   ```

1. Next, create databases and tables in newly created catalog in account B.

   Create a database.

   ```
   aws glue create-database \
     --region us-east-1 \
     --catalog-id "account-B-id:catalog-name" \
     --database-input \
   '{
     "Name": "database-name"
   }'
   ```

   Create a table.

   ```
   aws glue create-table \
     --database-name database-name \
     --catalog-id account-B-id:catalog-name \
     --region us-east-1 \
     --table-input \
     '{
           "Name": "table-name",
           "Parameters": {
               "format": "ICEBERG"
           },
           "StorageDescriptor": {
              "Columns": [
           {"Name": "x", "Type": "int", "Parameters": {"required": "true"}}
             ]
           }
   }'
   ```

   Replace database-name, account-B-id, catalog-name, and table-name with your specific values.

1. The following examples show how to view the objects in the catalog.

   View database details.

   ```
   aws glue get-database \
     --name database-name \
     --catalog-id account-B-id:catalog-name \
     --region us-east-1
   ```

   View table details.

   ```
   aws glue get-table \
     --name table-name \
     --database-name database-name \
     --catalog-id account-B-id:catalog-name \
     --region us-east-1
   ```

   Replace database-name, account-B-id, catalog-name, and table-name with your specific values.

# Granting permissions
<a name="s3-tables-grant-permissions"></a>

After integrating your S3 tables with AWS Lake Formation, you can grant permissions on the S3 tables catalog and the catalog objects (table buckets, databases, tables) to other IAM roles and users in your account. Lake Formation permissions allow you to define access controls at table, column, and row-level granularity for users of integrated analytical engines such as Amazon Redshift Spectrum and Athena.

You can grant permissions by using either the named resource method or the Lake Formation tag-based access control (LF-TBAC) method. Before granting permissions using LF-Tags and LF-Tag expressions, you must define them and assign them to Data Catalog objects.

For more information, see [Managing LF-Tags for metadata access control](managing-tags.md).

You can share databases and tables with external AWS accounts by granting Lake Formation permissions to the external accounts. Users can then run queries and jobs that join and query tables across multiple accounts. When you share a catalog resource with another account, principals in that account can operate on that resource as if the resource were in their Data Catalog. 

When you share databases and tables with external accounts, the **Super user** permission is not available. 

 For detailed instructions about granting permissions, see the [Managing Lake Formation permissions](managing-permissions.md) section. 

## AWS CLI example for granting permissions on an Amazon S3 Table
<a name="w2aac13c27c29c15"></a>

```
aws lakeformation grant-permissions \
--cli-input-json \
'{
    "Principal": {
        "DataLakePrincipalIdentifier":"arn:aws:iam::111122223333:role/DataAnalystRole"
    },
    "Resource": {
        "Table": {
            "CatalogId":"111122223333:s3tablescatalog/amzn-s3-demo-bucket1",
            "DatabaseName":"S3 table bucket namespace <example_namespace>",
            "Name":"S3 table bucket table name <example_table>"
        }
    },
    "Permissions": [
        "SELECT"
    ]
}'
```

 The following are the parameters to include in the command: 
+ DataLakePrincipalIdentifier – IAM user, role, or group ARN to grant permissions
+ CatalogId – 12-digit AWS account ID that owns the Data Catalog
+ DatabaseName – Name of the Amazon S3 table bucket name space
+ Name – Amazon S3 table bucket table name
+ Permissions – Permissions to grant. Options include: SELECT, INSERT, DELETE, DESCRIBE, ALTER, DROP, ALL, and SUPER

# Accessing shared Amazon S3 tables
<a name="s3-tables-cross-account-sharing"></a>

After you grant cross-account permissions on a database or table in the S3 tables catalog, the receiving account must create resource links to the shared databases and tables before it can access them.

1.  In the destination account (the account that receives the shared resources), create a database resource link. For detailed instructions, see [Creating a resource link to a shared Data Catalog database](create-resource-link-database.md). 

   CLI example for creating a database resource link

   ```
   aws glue create-database \
     --region us-east-1 \
     --catalog-id "111122223333" \
     --database-input \
   '{
     "Name": "s3table_resourcelink",
     "TargetDatabase": {
       "CatalogId": "011426214932:s3tablescatalog/chmni-s3-table-bucket-011426214932",
       "DatabaseName": "s3_table_ns"
     },
     "CreateTableDefaultPermissions": []
   }'
   ```

1.  Grant cross-account permission on the table.

   CLI example for a cross-account permission grant:

   ```
   aws lakeformation grant-permissions \
   --region us-east-1 \
   --cli-input-json \
   '{
       "Principal": {
           "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/S3TablesTestExecRole"
       },
       "Resource": {
           "Table": {
               "CatalogId": "011426214932:s3tablescatalog/chmni-s3-table-bucket-011426214932",
               "DatabaseName": "s3_table_ns",
               "Name": "test_s3_iceberg_table"
           }
       },
       "Permissions": [
           "ALL"
       ]
   }'
   ```

1.  Grant Lake Formation `DESCRIBE` permission on the resource link.

   CLI example for granting `DESCRIBE` permission on the resource link:

   ```
   aws lakeformation grant-permissions \
       --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:role/S3TablesTestExecRole \
       --resource Database='{CatalogId=111122223333,Name=s3table_resourcelink}' \
       --permissions DESCRIBE
   ```
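As an added example (standard library only; not code from AWS or from this guide) covering both the **Granting permissions** section and the cross-account procedure above, the following Python validates a table grant before it is passed to `aws lakeformation grant-permissions --cli-input-json`, checking the permission names against the list given above, the `<account>:s3tablescatalog/<table-bucket>` form of `CatalogId`, and the rule that the Super user permission is not available when sharing with an external account, and assembles the three inputs of the resource-link procedure in the order they are applied. All accounts, roles, bucket, namespace and table names are placeholders.

```python
# Validates grant-permissions inputs for the S3 tables catalog and builds the
# resource link and DESCRIBE grant used when accessing shared tables.
# Added example, standard library only, not AWS code; all names are placeholders.
import re

# Permission names listed in the "Granting permissions" section above.
VALID_PERMISSIONS = {"SELECT", "INSERT", "DELETE", "DESCRIBE", "ALTER", "DROP", "ALL", "SUPER"}
# "<account>:s3tablescatalog/<table-bucket>" as used in the CatalogId examples above.
CATALOG_ID_RE = re.compile(r"^(\d{12}):s3tablescatalog/([a-z0-9][a-z0-9-]{1,61}[a-z0-9])$")
ACCOUNT_RE = re.compile(r"^\d{12}$")


def arn_account(arn):
    parts = arn.split(":")
    if len(parts) < 6 or not ACCOUNT_RE.match(parts[4]):
        raise ValueError(f"not an IAM principal ARN: {arn}")
    return parts[4]


def table_grant(principal_arn, catalog_id, database, table, permissions):
    """Build a grant-permissions input for one table, refusing invalid grants."""
    m = CATALOG_ID_RE.match(catalog_id)
    if not m:
        raise ValueError(f"CatalogId must be <account>:s3tablescatalog/<bucket>: {catalog_id}")
    unknown = set(permissions) - VALID_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    cross_account = arn_account(principal_arn) != m.group(1)
    if cross_account and "SUPER" in permissions:
        # Super user permission is not available when sharing with external accounts.
        raise ValueError("SUPER cannot be granted to a principal in another account")
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": {"CatalogId": catalog_id, "DatabaseName": database, "Name": table}},
        "Permissions": sorted(set(permissions)),
    }


def resource_link(local_account, link_name, target_catalog_id, target_database):
    """create-database input in the consumer account pointing at the shared namespace."""
    if not ACCOUNT_RE.match(local_account) or not CATALOG_ID_RE.match(target_catalog_id):
        raise ValueError("bad account or target catalog id")
    return {
        "Name": link_name,
        "TargetDatabase": {"CatalogId": target_catalog_id, "DatabaseName": target_database},
        "CreateTableDefaultPermissions": [],
    }


def describe_link_grant(principal_arn, local_account, link_name):
    """DESCRIBE on the resource link is granted in the consumer's own Data Catalog."""
    if arn_account(principal_arn) != local_account:
        raise ValueError("resource link grants are made in the principal's own account")
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Database": {"CatalogId": local_account, "Name": link_name}},
        "Permissions": ["DESCRIBE"],
    }


def share_plan(owner_catalog_id, database, table, consumer_role_arn, link_name, permissions):
    """The three inputs of the cross-account procedure, in the order they are applied."""
    consumer_account = arn_account(consumer_role_arn)
    return {
        "create-database": resource_link(consumer_account, link_name, owner_catalog_id, database),
        "grant-table": table_grant(consumer_role_arn, owner_catalog_id, database, table, permissions),
        "grant-link-describe": describe_link_grant(consumer_role_arn, consumer_account, link_name),
    }


if __name__ == "__main__":
    import json
    plan = share_plan("444455556666:s3tablescatalog/owner-table-bucket", "s3_table_ns",
                      "test_s3_iceberg_table",
                      "arn:aws:iam::111122223333:role/S3TablesTestExecRole",
                      "s3table_resourcelink", ["SELECT", "DESCRIBE"])
    print(json.dumps(plan, indent=2))
```

Each value in the returned plan is a `--cli-input-json` document: `create-database` goes to `aws glue create-database --catalog-id <consumer account>`, `grant-table` is run by the owning account, and `grant-link-describe` is run in the consumer account. Rejecting `SUPER` for a principal in another account at build time avoids discovering the restriction only when the grant call fails.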