

# Granting data location permissions
<a name="granting-location-permissions"></a>

Data location permissions in AWS Lake Formation enable principals to create and alter Data Catalog resources that point to designated registered Amazon S3 locations. Data location permissions work in addition to Lake Formation data permissions to secure information in your data lake.

Lake Formation does not use the AWS Resource Access Manager (AWS RAM) service for data location permission grants, so you don't need to accept resource share invitations for data location permissions.

You can grant data location permissions by using the Lake Formation console, API, or AWS Command Line Interface (AWS CLI).

**Note**  
For a grant to succeed, you must first register the data location with Lake Formation.

**See Also:**  
[Underlying data access control](access-control-underlying-data.md#data-location-permissions)

**Topics**
+ [Granting data location permissions (same account)](granting-location-permissions-local.md)
+ [Granting data location permissions (external account)](granting-location-permissions-external.md)
+ [Granting permissions on a data location shared with your account](regranting-locations.md)

# Granting data location permissions (same account)
<a name="granting-location-permissions-local"></a>

Follow these steps to grant data location permissions to principals in your AWS account. You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ AWS Management Console ]

**To grant data location permissions (same account)**

1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as a data lake administrator or as a principal who has grant permissions on the desired data location.

1. In the navigation pane, under **Permissions**, choose **Data locations**.

1. Choose **Grant**.

1. In the **Grant permissions** dialog box, ensure that the **My account** tile is selected. Then provide the following information:
   + For **IAM users and roles**, choose one or more principals. 
   + For **SAML and Amazon Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML or ARNs for Amazon Quick users or groups.

     Enter one ARN at a time, and press **Enter** after each ARN. For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).
   + For **Storage locations**, choose **Browse**, and choose an Amazon Simple Storage Service (Amazon S3) storage location. The location must be registered with Lake Formation. Choose **Browse** again to add another location. You can also type the location, but ensure that you precede the location with `s3://`.
   + For **Registered account location**, enter the AWS account ID where the location is registered. This defaults to your account ID. In a cross-account scenario, data lake administrators in a recipient account can specify the owner account here when granting the data location permission to other principals in the recipient account.
   + (Optional) To enable the selected principals to grant data location permissions on the selected location, select **Grantable**.  
![\[In the Grant permissions dialog box, the user datalake_user and storage location s3://retail/transactions/q119 are selected.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-location-dialog-local.png)

1. Choose **Grant**.

------
#### [ AWS CLI ]

**To grant data location permissions (same account)**
+ Run a `grant-permissions` command, and grant `DATA_LOCATION_ACCESS` to the principal, specifying the Amazon S3 path as the resource.  
**Example**  

  The following example grants data location permissions on `s3://retail` to user `datalake_user1`.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail"}}'
  ```  
**Example**  

  The following example grants data location permissions on `s3://retail` to the `ALLIAMPrincipals` group.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail", "CatalogId": "111122223333"}}'
  ```

------

**See Also:**  
[Lake Formation permissions reference](lf-permissions-reference.md)

# Granting data location permissions (external account)
<a name="granting-location-permissions-external"></a>

Follow these steps to grant data location permissions to an external AWS account or organization. 

You can grant permissions by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Before you begin**  
Ensure that all cross-account access prerequisites are satisfied. For more information, see [Prerequisites](cross-account-prereqs.md).

------
#### [ AWS Management Console ]

**To grant data location permissions (external account, console)**

1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/). Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, choose **Data locations**, and then choose **Grant**.

1. In the **Grant permissions** dialog box, choose the **External account** tile.

1. Provide the following information:
   + For **AWS account ID or AWS organization ID**, enter valid AWS account numbers, organization IDs, or organizational unit IDs.

     Press **Enter** after each ID.

     An organization ID consists of "o-" followed by 10 to 32 lowercase letters or digits.

     An organizational unit ID consists of "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" (hyphen) and 8 to 32 additional lowercase letters or digits.
   + Under **Storage locations**, choose **Browse**, and choose an Amazon Simple Storage Service (Amazon S3) storage location. The location must be registered with Lake Formation.  
![\[The Grant permission dialog has the External account radio button selected, an AWS account specified, and a storage location specified.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-location-dialog-external.png)

1. Select **Grantable**.

1. Choose **Grant**.

------
#### [ AWS CLI ]

**To grant data location permissions (external account, AWS CLI)**
+ To grant permissions to an external AWS account, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "DATA_LOCATION_ACCESS" --permissions-with-grant-option "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"CatalogId":"123456789012","ResourceArn":"arn:aws:s3:::retail/transactions/2020q1"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` with the grant option to account 1111-2222-3333 on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.

  To grant permissions to an organization, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "DATA_LOCATION_ACCESS" --permissions-with-grant-option "DATA_LOCATION_ACCESS" --resource '{"DataLocation": {"CatalogId":"123456789012","ResourceArn":"arn:aws:s3:::retail/transactions/2020q1"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` with grant option to the organization `o-abcdefghijkl` on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.

  To grant permissions to a principal in an external AWS account, enter a command similar to the following.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail/transactions/2020q1", "CatalogId": "123456789012"}}'
  ```

  This command grants `DATA_LOCATION_ACCESS` to a principal in account 1111-2222-3333 on the Amazon S3 location `s3://retail/transactions/2020q1`, which is owned by account 1234-5678-9012.  
**Example**  

  The following example grants data location permissions on `s3://retail` to the `ALLIAMPrincipals` group in an external account.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"ResourceArn":"arn:aws:s3:::retail", "CatalogId": "123456789012"}}'
  ```

------

**See Also:**  
[Lake Formation permissions reference](lf-permissions-reference.md)

# Granting permissions on a data location shared with your account
<a name="regranting-locations"></a>

After a Data Catalog resource is shared with your AWS account, as a data lake administrator, you can grant permissions on the resource to other principals in your account. If the `ALTER` permission is granted on a shared table, and the table points to a registered Amazon S3 location, you must also grant data location permissions on the location. Likewise, if the `CREATE_TABLE` or `ALTER` permission is granted on a shared database and the database has a location property that points to a registered location, you must also grant data location permissions on the location.

To grant data location permissions on a shared location to a principal in your account, your account must have been granted the `DATA_LOCATION_ACCESS` permission on the location with the grant option. When you then grant `DATA_LOCATION_ACCESS` to another principal in your account, you must include the Data Catalog ID (AWS account ID) of the owner account. The owner account is the account that registered the location.

You can use the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI) to grant data location permissions.

**To grant permissions on a data location shared with your account (console)**
+ Follow the steps in [Granting data location permissions (same account)](granting-location-permissions-local.md).

  For **Storage locations**, you must type the locations. For **Registered account location**, enter the AWS account ID of the owner account.

**To grant permissions on a data location shared with your account (AWS CLI)**
+ Enter one of the following commands to grant permissions to either a user or a role.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/<user-name> --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"CatalogId":"<owner-account-ID>","ResourceArn":"arn:aws:s3:::<s3-location>"}}'
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:role/<role-name> --permissions "DATA_LOCATION_ACCESS" --resource '{ "DataLocation": {"CatalogId":"<owner-account-ID>","ResourceArn":"arn:aws:s3:::<s3-location>"}}'
  ```
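The three CLI sections above all build the same `DataLocation` resource, differing only in the principal form, the grant option, and whether `CatalogId` names your own account or the owner of a shared location. The following added example (not part of the AWS documentation) builds that request as the keyword arguments boto3's `lakeformation` `grant_permissions` call accepts, and rejects the mistakes that silently break a grant: a principal identifier in an unsupported form, an S3 ARN missing its third colon, or a `CatalogId` that is not a 12-digit account ID. The account IDs, role name and paths are constructed sample values.

```python
import re

# Sample account IDs and paths below are constructed, not real accounts.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9.\-]{3,63}(/.*)?$")
ACCOUNT_ID = re.compile(r"^\d{12}$")
# Principal identifier forms used by the grant-permissions examples above.
PRINCIPAL_FORMS = (
    re.compile(r"^\d{12}$"),                              # whole external account
    re.compile(r"^\d{12}:IAMPrincipals$"),                # ALLIAMPrincipals group
    re.compile(r"^arn:aws:iam::\d{12}:(user|role)/.+$"),  # IAM user or role
    re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$"),
)


def s3_uri_to_arn(uri: str) -> str:
    """Turn s3://bucket/prefix into arn:aws:s3:::bucket/prefix (three colons)."""
    if not uri.startswith("s3://"):
        raise ValueError(f"expected an s3:// URI, got {uri!r}")
    return "arn:aws:s3:::" + uri[len("s3://"):].rstrip("/")


def data_location_grant(principal: str, s3_uri: str, owner_account: str,
                        grantable: bool = False) -> dict:
    """Build grant_permissions kwargs for DATA_LOCATION_ACCESS on one location.

    owner_account is the Data Catalog ID of the account that registered the
    location: your own account ID for your locations, the owner's ID when
    re-granting on a location shared with you.
    """
    if not any(p.match(principal) for p in PRINCIPAL_FORMS):
        raise ValueError(f"unsupported principal identifier: {principal!r}")
    if not ACCOUNT_ID.match(owner_account):
        raise ValueError(f"CatalogId must be a 12-digit account ID: {owner_account!r}")
    arn = s3_uri_to_arn(s3_uri)
    if not S3_ARN.match(arn):
        raise ValueError(f"malformed S3 ARN: {arn!r}")
    req = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"DataLocation": {"CatalogId": owner_account, "ResourceArn": arn}},
        "Permissions": ["DATA_LOCATION_ACCESS"],
    }
    if grantable:  # lets the grantee pass the permission on (console: "Grantable")
        req["PermissionsWithGrantOption"] = ["DATA_LOCATION_ACCESS"]
    return req


if __name__ == "__main__":
    # Re-grant a shared location owned by 123456789012 to a role in our account.
    print(data_location_grant("arn:aws:iam::111122223333:role/analyst",
                              "s3://retail/transactions/2020q1", "123456789012"))
```

Pass the returned dict as `client.grant_permissions(**req)`; leaving `PermissionsWithGrantOption` out is the safe default, since a grantable data location permission lets the recipient extend access further.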