

# Setting up hybrid access mode - common scenarios


As with Lake Formation permissions in general, there are two types of scenarios in which you can use hybrid access mode to manage data access: providing access to principals within one AWS account, and providing access to an external AWS account or to a principal in another account.

This section provides instructions for setting up hybrid access mode in the following scenarios:

**Manage permissions in hybrid access mode within one AWS account**
+ [Converting an AWS Glue resource to a hybrid resource](hybrid-access-mode-new.md) – You are currently providing access to tables in a database for all principals in your account using IAM permissions for Amazon S3 and AWS Glue but want to adopt Lake Formation to manage permissions incrementally. 
+ [Converting a Lake Formation resource to a hybrid resource](hybrid-access-mode-update.md) – You are currently using Lake Formation to manage access for tables in a database for all principals in your account but want to use Lake Formation only for specific principals. You want to provide access to new principals by using IAM permissions for AWS Glue and Amazon S3 on the same database and tables.

**Manage permissions in hybrid access mode across AWS accounts**
+ [Sharing an AWS Glue resource using hybrid access mode](hybrid-access-mode-cross-account.md) – You're currently not using Lake Formation to manage permissions for a table but want to apply Lake Formation permissions to provide access for principals in another account.
+ [Sharing a Lake Formation resource using hybrid access mode](hybrid-access-mode-cross-account-IAM.md) – You're using Lake Formation to manage access for a table but want to provide access for principals in another account by using IAM permissions for AWS Glue and Amazon S3 on the same database and tables. 

**Setting up hybrid access mode – High-level steps**

1. Register the Amazon S3 data location with Lake Formation by selecting **Hybrid access mode**. 

1. Principals must have data location permission (`DATA_LOCATION_ACCESS`) on a data lake location to create Data Catalog tables or databases that point to that location. 

1. Set the **Cross-account version setting** to Version 4. 

1. Grant fine-grained permissions to specific IAM users or roles on databases and tables. At the same time, make sure to set `Super` or `All` permissions to the `IAMAllowedPrincipals` group on the database and all or selected tables in the database.

1. Opt in the principals and resources. Other principals in the account can continue accessing the databases and tables using IAM permission policies for AWS Glue and Amazon S3 actions.

1. Optionally clean up IAM permission policies for Amazon S3 for the principals that are opted in to use Lake Formation permissions.

# Prerequisites for setting up hybrid access mode

The following are the prerequisites for setting up hybrid access mode: 

**Note**  
We recommend that a Lake Formation administrator registers the Amazon S3 location in hybrid access mode and opts in the principals and resources. 

1. Grant data location permission (`DATA_LOCATION_ACCESS`) to create Data Catalog resources that point to the Amazon S3 locations. Data location permissions control the ability to create Data Catalog catalogs, databases and tables that point to particular Amazon S3 locations. 

1. To share Data Catalog resources with another account in hybrid access mode (without removing `IAMAllowedPrincipals` group permissions from the resource), you need to update the **Cross account version settings** to Version 4 or higher. To update the version using Lake Formation console, choose **Version 4** or **Version 5** under **Cross account version settings** on the **Data Catalog settings** page. 

   You can also use the `put-data-lake-settings` AWS CLI command to set the `CROSS_ACCOUNT_VERSION` parameter to version 4 or 5. The command reads the complete settings document from a file (named `settings` here):

   ```
   aws lakeformation put-data-lake-settings --region us-east-1 --data-lake-settings file://settings
   ```

   Contents of the `settings` file:

   ```
   {
       "DataLakeAdmins": [
           {
               "DataLakePrincipalIdentifier": "arn:aws:iam::<111122223333>:user/<user-name>"
           }
       ],
       "CreateDatabaseDefaultPermissions": [],
       "CreateTableDefaultPermissions": [],
       "Parameters": {
           "CROSS_ACCOUNT_VERSION": "5"
       }
   }
   ```

1. To grant cross-account permissions in hybrid access mode, the grantor must have the required IAM permissions for the AWS Glue and AWS RAM services. The AWS managed policy `AWSLakeFormationCrossAccountManager` grants the required permissions. To enable cross-account data sharing in hybrid access mode, we've updated the `AWSLakeFormationCrossAccountManager` managed policy by adding two new IAM permissions:
   + `ram:ListResourceSharePermissions`
   + `ram:AssociateResourceSharePermission`
**Note**  
If you are not using the AWS managed policy for the grantor role, add the above permissions to your custom policies.
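The `put-data-lake-settings` call above replaces the whole settings document, so a file that carries only the `Parameters` block would also drop the data lake administrators and default permissions. The following added example (not code from the AWS documentation) shows a read-modify-write that changes only `CROSS_ACCOUNT_VERSION`, refuses a downgrade or an unsupported target, and refuses to write a document with no administrators. It assumes the document returned by `GetDataLakeSettings` can be passed back to `PutDataLakeSettings` unchanged; the account ID and user name in the sample are placeholders, and the live call is isolated so the checks run without boto3.

```python
"""Bump CROSS_ACCOUNT_VERSION without clobbering the rest of the data lake settings.

Added example, not AWS's code. Assumes the DataLakeSettings document returned by
GetDataLakeSettings is accepted unchanged by PutDataLakeSettings.
"""
import copy
import json

# Versions that support cross-account sharing in hybrid access mode.
HYBRID_CROSS_ACCOUNT_VERSIONS = ("4", "5")


def bump_cross_account_version(settings: dict, target: str) -> dict:
    """Return a copy of `settings` with Parameters.CROSS_ACCOUNT_VERSION = target.

    Refuses an unsupported target, refuses to lower the version (lowering it
    changes how existing shares are evaluated), and refuses a document with no
    DataLakeAdmins, because PutDataLakeSettings would remove every administrator.
    """
    if target not in HYBRID_CROSS_ACCOUNT_VERSIONS:
        raise ValueError(f"unsupported CROSS_ACCOUNT_VERSION {target!r}; use 4 or 5")
    current = (settings.get("Parameters") or {}).get("CROSS_ACCOUNT_VERSION", "1")
    if int(current) > int(target):
        raise ValueError(f"refusing to downgrade CROSS_ACCOUNT_VERSION {current} -> {target}")
    if not settings.get("DataLakeAdmins"):
        raise ValueError("settings carry no DataLakeAdmins; a blind put would remove all administrators")
    updated = copy.deepcopy(settings)            # never mutate the caller's document
    updated.setdefault("Parameters", {})["CROSS_ACCOUNT_VERSION"] = target
    return updated


def render_settings_file(settings: dict) -> str:
    """Serialise the document for `--data-lake-settings file://settings`."""
    return json.dumps(settings, indent=2)


# Constructed sample of a GetDataLakeSettings result for an account still on
# cross-account version 3 (placeholder account ID and user name).
SAMPLE_SETTINGS = {
    "DataLakeAdmins": [
        {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/lf-admin"}
    ],
    "CreateDatabaseDefaultPermissions": [],
    "CreateTableDefaultPermissions": [],
    "Parameters": {"CROSS_ACCOUNT_VERSION": "3"},
}


def update_live_account(target: str, region: str) -> None:
    """Read-modify-write against a real account; needs boto3 and credentials."""
    import boto3  # imported here so the functions above stay importable offline

    lf = boto3.client("lakeformation", region_name=region)
    current = lf.get_data_lake_settings()["DataLakeSettings"]
    lf.put_data_lake_settings(DataLakeSettings=bump_cross_account_version(current, target))


if __name__ == "__main__":
    print(render_settings_file(bump_cross_account_version(SAMPLE_SETTINGS, "5")))
```

Run it as-is to see the document the CLI would upload for the sample; call `update_live_account("4", "us-east-1")` from a session with `lakeformation:GetDataLakeSettings` and `lakeformation:PutDataLakeSettings` to apply the change to an account.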

## Amazon S3 bucket location and user access


When you create a catalog, database or a table in the AWS Glue Data Catalog, you can specify the Amazon S3 bucket location of the underlying data and register it with Lake Formation. The tables below describe how permissions work for AWS Glue and Lake Formation users (principals) based on the Amazon S3 data location of the table or database. 


**Amazon S3 location registered with Lake Formation**  

| Amazon S3 location of a database | AWS Glue users | Lake Formation users | 
| --- | --- | --- | 
|  Registered with Lake Formation (in hybrid access mode or in Lake Formation mode)  |  Have read/write access to the Amazon S3 data location by inheriting permissions from the IAMAllowedPrincipals group (super access) permissions.  | Inherit permissions to create tables from their granted CREATE TABLE permission. | 
| No associated Amazon S3 location |  Require explicit DATA LOCATION permission for running CREATE TABLE and INSERT TABLE statements.  |  Require explicit DATA LOCATION permission for running CREATE TABLE and INSERT TABLE statements.  | 

**`IsRegisteredWithLakeFormation` table property**  
The `IsRegisteredWithLakeFormation` property of a table indicates whether the data location of the table is registered with Lake Formation for the requester. If the permission mode of the location is registered as Lake Formation, then the `IsRegisteredWithLakeFormation` property is `true` for all users accessing the data location because all users are considered as opted in for that table. If the location is registered in hybrid access mode, then the value is set to `true` only for users who have opted in for that table. 


**How `IsRegisteredWithLakeFormation` works**  

| Permission mode | Users/Roles |  `IsRegisteredWithLakeFormation`  | Description | 
| --- | --- | --- | --- | 
|  Lake Formation  | All | True |  When a location is registered with Lake Formation, the `IsRegisteredWithLakeFormation` property will be set to true for all users. This means that the permissions defined in Lake Formation apply to the registered location. Credential vending will be done by Lake Formation.  | 
| Hybrid access mode | Opted in | True |  For users who have opted in to using Lake Formation for data access and governance for a table, the `IsRegisteredWithLakeFormation` property will be set to `true` for that table. They are subject to the permission policies defined in Lake Formation for the registered location.  | 
| Hybrid access mode | Not opted in | False |  For users who have not opted in to using Lake Formation permissions, the `IsRegisteredWithLakeFormation` property is set to `false`. They are not subject to the permission policies defined in Lake Formation for the registered location. Instead, users will follow the Amazon S3 permissions policies.  | 
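The value of `IsRegisteredWithLakeFormation` is computed per requester, so the same table reports `true` to an opted-in role and `false` to everyone else, and only the `true` case is governed by Lake Formation grants. The added example below (not code from the AWS documentation) derives that value from the location's registration mode and a list of opt-in records, following the two tables above. It assumes opt-in records have the `Principal`/`Resource` shape returned by `ListLakeFormationOptIns`, treats a database-level opt-in or a `TableWildcard` table opt-in as the console's "All tables" choice, and uses constructed account, role, database and table names.

```python
"""Derive the IsRegisteredWithLakeFormation value a given requester sees.

Added example, not AWS's code. Opt-in record shape assumed from ListLakeFormationOptIns.
"""
from dataclasses import dataclass
from typing import Optional

# Registration modes of the Amazon S3 location backing the table.
LAKE_FORMATION = "LAKE_FORMATION"   # registered in Lake Formation mode
HYBRID = "HYBRID"                   # registered with HybridAccessEnabled=true
UNREGISTERED = "UNREGISTERED"       # no Lake Formation registration at all


@dataclass(frozen=True)
class TableRef:
    catalog_id: str
    database: str
    name: str


def opt_in_covers(opt_in: dict, principal_arn: str, table: TableRef) -> bool:
    """True when one opt-in record applies to `principal_arn` on `table`.

    Assumed record shape:
      {"Principal": {"DataLakePrincipalIdentifier": ...},
       "Resource": {"Table": {...}} or {"Database": {...}}}
    A database-level opt-in, or a table opt-in carrying TableWildcard, is the
    console's "All tables" choice and covers every table in that database.
    """
    if opt_in["Principal"]["DataLakePrincipalIdentifier"] != principal_arn:
        return False
    res = opt_in["Resource"]
    if "Table" in res:
        t = res["Table"]
        return (t.get("CatalogId", table.catalog_id) == table.catalog_id
                and t["DatabaseName"] == table.database
                and ("TableWildcard" in t or t.get("Name") == table.name))
    if "Database" in res:
        d = res["Database"]
        return (d.get("CatalogId", table.catalog_id) == table.catalog_id
                and d["Name"] == table.database)
    return False


def is_registered_with_lake_formation(mode: str, principal_arn: str,
                                      table: TableRef, opt_ins: list) -> Optional[bool]:
    """The property value for this requester; None when the location is unregistered."""
    if mode == UNREGISTERED:
        return None
    if mode == LAKE_FORMATION:
        return True  # every principal is treated as opted in
    return any(opt_in_covers(o, principal_arn, table) for o in opt_ins)


def authorizer(mode: str, principal_arn: str, table: TableRef, opt_ins: list) -> str:
    """Which policy set decides the request: Lake Formation grants or IAM/S3 policies."""
    if is_registered_with_lake_formation(mode, principal_arn, table, opt_ins):
        return "LAKE_FORMATION"
    return "IAM_AND_S3"


# Constructed sample data (placeholder account ID, roles, database and tables).
ACCOUNT = "123456789012"
ANALYST = f"arn:aws:iam::{ACCOUNT}:role/analyst"
ETL = f"arn:aws:iam::{ACCOUNT}:role/etl"
ORDERS = TableRef(ACCOUNT, "sales", "orders")
CUSTOMERS = TableRef(ACCOUNT, "sales", "customers")
SAMPLE_OPT_INS = [
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST},
     "Resource": {"Table": {"CatalogId": ACCOUNT, "DatabaseName": "sales", "Name": "orders"}}},
    {"Principal": {"DataLakePrincipalIdentifier": ETL},
     "Resource": {"Database": {"CatalogId": ACCOUNT, "Name": "sales"}}},
]

if __name__ == "__main__":
    for who, tbl in ((ANALYST, ORDERS), (ANALYST, CUSTOMERS), (ETL, CUSTOMERS)):
        print(who.rsplit("/", 1)[-1], tbl.name, authorizer(HYBRID, who, tbl, SAMPLE_OPT_INS))
```

With the sample data, the analyst role is governed by Lake Formation on `sales.orders` only; on `sales.customers` it falls back to its IAM and Amazon S3 policies, which is exactly the gap the opt-in step is meant to close.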

# Converting an AWS Glue resource to a hybrid resource


Follow these steps to register an Amazon S3 location in hybrid access mode and on-board new Lake Formation users without interrupting the existing Data Catalog users' data access. 

Scenario description - The data location is not registered with Lake Formation, and users' access to the Data Catalog database and tables is determined by IAM permissions policies for Amazon S3 and AWS Glue actions.  The `IAMAllowedPrincipals` group by default has `Super` permissions on all tables in the database. 

**To enable hybrid access mode for a data location that is not registered with Lake Formation**

1. **Register an Amazon S3 location, enabling hybrid access mode.**

------
#### [ Console ]

   1. Sign in to the [Lake Formation console](https://console.aws.amazon.com/lakeformation/) as a data lake administrator. 

   1. In the navigation pane, choose **Data lake locations** under **Administration**.

   1. Choose **Register location**.  
![Register location form for Amazon S3 data lake with path input, IAM role selection, and permission mode options.](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-register-s3.png)

   1. On the **Register location** window, choose the **Amazon S3** path that you want to register with Lake Formation. 

   1. For **IAM role**, choose either the `AWSServiceRoleForLakeFormationDataAccess` service-linked role (the default) or a custom IAM  role that meets the requirements in [Requirements for roles used to register locations](registration-role.md). 

   1. Choose **Hybrid access mode** to apply fine-grained Lake Formation access control policies to opt-in principals and Data Catalog databases and tables pointing to the registered location. 

      Choose Lake Formation to allow Lake Formation to authorize access requests to the registered location. 

   1. Choose **Register location**.

------
#### [ AWS CLI ]

   Following is an example of registering a data location with Lake Formation with `HybridAccessEnabled` set to `true`. The default value of the `HybridAccessEnabled` parameter is `false`. Replace the Amazon S3 path, role name, and AWS account ID with valid values.

   ```
   aws lakeformation register-resource --cli-input-json file://<file-path>
   ```

   Contents of the input JSON file:

   ```
   {
       "ResourceArn": "arn:aws:s3:::<s3-path>",
       "UseServiceLinkedRole": false,
       "RoleArn": "arn:aws:iam::<123456789012>:role/<role-name>",
       "HybridAccessEnabled": true
   }
   ```

------

1. **Grant permissions and opt in principals to use Lake Formation permissions for resources in hybrid access mode.**

   Before you opt in principals and resources in hybrid access mode, verify that `Super` or `All` permissions for the `IAMAllowedPrincipals` group exist on the databases and tables whose location is registered with Lake Formation in hybrid access mode.
**Note**  
You can't grant the `IAMAllowedPrincipals` group permission on `All tables` within a database. You need to select each table separately from the drop-down menu, and grant permissions. Also, when you create new tables in the database, you can choose to use the `Use only IAM access control for new tables in new databases` in the **Data Catalog Settings**. This option grants `Super` permission to the `IAMAllowedPrincipals` group automatically when you create new tables within the database. 

------
#### [ Console ]

   1. On the Lake Formation console, under **Data Catalog**, choose **Catalogs**, **Databases**, or **Tables**.

   1. Select a catalog, a database, or a table from the list, and choose **Grant** from the **Actions** menu.

   1. Choose principals to grant permissions on the database, tables, and columns using named resource method or LF-Tags.

      Alternatively, choose **Data permissions**, select the principals to grant permissions from the list, and choose **Grant**.

      For more details on granting data permissions, see [Granting permissions on Data Catalog resources](granting-catalog-permissions.md).
**Note**  
If you’re granting a principal Create table permission, you also need to grant data location permissions (`DATA_LOCATION_ACCESS`) to the principal. This permission is not needed to update tables.  
For more information, see [Granting data location permissions](granting-location-permissions.md).

   1. When you use **Named resource method** to grant permissions, the option to opt in principals and resources is available on the lower section of the **Grant data permission** page. 

      Choose **Make Lake Formation permissions effective immediately** to enable Lake Formation permissions for the principals and resources.  
![The option to choose hybrid access mode for the Data Catalog resource.](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-grant-option.png)

   1. Choose **Grant**.

      When you opt in principal A on table A that is pointing to a data location, it allows principal A to have access to this table's location using Lake Formation permissions if the data location is registered in hybrid access mode. 

------
#### [ AWS CLI ]

   Following is an example of opting in a principal and a table in hybrid access mode. Replace the role name, AWS account ID, database name, and table name with valid values.

   ```
   aws lakeformation create-lake-formation-opt-in --cli-input-json file://<file-path>
   ```

   Contents of the input JSON file:

   ```
   {
       "Principal": {
           "DataLakePrincipalIdentifier": "arn:aws:iam::<123456789012>:role/<hybrid-access-role>"
       },
       "Resource": {
           "Table": {
               "CatalogId": "<123456789012>",
               "DatabaseName": "<hybrid_test>",
               "Name": "<hybrid_test_table>"
           }
       }
   }
   ```

------

   1. If you choose LF-Tags to grant permissions, you can opt in principals to use Lake Formation permissions in a separate step. You can do this by choosing **Hybrid access mode** under **Permissions** from the left navigation bar.

   1.  On the lower section of the **Hybrid access mode** page, choose **Add** to add resources and principals to hybrid access mode. 

   1.  On the **Add resources and principals** page, choose the catalogs, databases and tables registered in hybrid access mode. 

      You can choose `All tables` under a database to grant access.  
![The interface to add catalogs, databases, and tables in hybrid access mode.](http://docs.aws.amazon.com/lake-formation/latest/dg/images/hybrid-access-opt-in.png)

   1. Choose the principals to opt in to use Lake Formation permissions in hybrid access mode.
      + **Principals** – You can choose IAM users and roles in the same account or in another account. You can also choose SAML users and groups.
      + **Attributes** – Select attributes to grant permissions based on attributes.  
![The interface to add principals and resources with an attribute expression.](http://docs.aws.amazon.com/lake-formation/latest/dg/images/abac-hybrid-access.png)
      + Enter the key-value pair to create a grant based on attributes. Review the Cedar policy expression on the console. For more information about Cedar, see [What is Cedar?](https://docs.cedarpolicy.com/) in the Cedar Policy Language Reference Guide.
      + Choose **Add**.

        All IAM roles/users with matching attributes are granted access.

   1. Choose **Add**.

# Converting a Lake Formation resource to a hybrid resource


In cases where you're currently using Lake Formation permissions for your Data Catalog databases and tables, you can edit the location registration properties to enable hybrid access mode. This allows you to provide new principals access to the same resources using IAM permission policies for Amazon S3 and AWS Glue actions without interrupting existing Lake Formation permissions.

Scenario description - The following steps assume that you have a data location registered with Lake Formation, and that you've set up permissions for principals on databases, tables, or columns pointing to that location. If the location was registered with a service-linked role, you can't update the location parameters and enable hybrid access mode. The `IAMAllowedPrincipals` group by default has `Super` permissions on the database and all its tables. 

**Important**  
Don’t update a location registration to hybrid access mode without opting in the principals that are accessing data in this location.

**Enabling hybrid access mode for a data location registered with Lake Formation**

**Warning**  
We don't recommend converting a Lake Formation managed data location to hybrid access mode, to avoid interrupting the permission policies of other existing users or workloads.

1. Opt in the existing principals who have Lake Formation permissions.

   1. List and review the permissions you’ve granted to principals on catalogs, databases and tables. For more information, see [Viewing database and table permissions in Lake Formation](viewing-permissions.md). 

   1. Choose **Hybrid access mode** under **Permissions** from the left navigation bar, and choose **Add**. 

   1. On the **Add principals and resources** page, choose the catalogs, databases, and tables from the Amazon S3 data location that you want to use in hybrid access mode. Choose the principals that already have Lake Formation permissions. 

   1.  Choose **Add** to opt in the principals to use Lake Formation permissions in hybrid access mode.

1.  Update the Amazon S3 bucket/prefix registration by choosing **Hybrid access mode** option. 

------
#### [ Console ]

   1. Sign in to the Lake Formation console as the data lake administrator.

   1.  In the navigation pane, under **Register and Ingest**, choose **Data lake locations**.

   1. Select a location, and on the **Actions** menu, choose **Edit**.

   1. Choose **Hybrid access mode**. 

   1. Choose **Save**. 

   1. Under Data Catalog, select the database or table and grant `Super` or `All` permissions to the virtual group called `IAMAllowedPrincipals`. 

   1. Verify that your existing Lake Formation users' access is not interrupted after you update the location registration properties. Sign in to the Athena console as a Lake Formation principal and run a sample query on a table that is pointing to the updated location. 

      Similarly, verify the access of AWS Glue users who are using IAM permissions policies to access the database and tables.

------
#### [ AWS CLI ]

   Following is an example of updating a registered data location to set `HybridAccessEnabled` to `true`. The default value of the `HybridAccessEnabled` parameter is `false`. Replace the Amazon S3 path, role name, and AWS account ID with valid values.

   ```
   aws lakeformation update-resource --cli-input-json file://<file-path>
   ```

   Contents of the input JSON file:

   ```
   {
       "ResourceArn": "arn:aws:s3:::<s3-path>",
       "RoleArn": "arn:aws:iam::<123456789012>:role/<test>",
       "HybridAccessEnabled": true
   }
   ```

------
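The procedure above hinges on two checks that are easy to get wrong by hand: every principal that currently relies on a Lake Formation grant must be opted in before the location flips to hybrid access mode (otherwise their grants simply stop being enforced and their IAM and Amazon S3 policies take over), and `IAMAllowedPrincipals` must hold `Super` on the database and each table. The following added pre-flight script (not code from the AWS documentation) runs both checks over the records returned by `ListPermissions` and `ListLakeFormationOptIns`. It assumes those record shapes, that the virtual group appears as `IAM_ALLOWED_PRINCIPALS` and `Super` as the API permission `ALL`, and that `list_lake_formation_opt_ins` returns its records under `LakeFormationOptInsInfoList`; the account, role, database and table names in the sample are constructed.

```python
"""Pre-flight checks before converting a Lake Formation-managed location to hybrid access mode.

Added example, not AWS's code. Record shapes assumed from ListPermissions and
ListLakeFormationOptIns; Super is the API permission "ALL".
"""
from typing import Optional, Tuple

IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"  # API name of the virtual group
# (catalog, database, table): table None = the database itself, "*" = all tables
Key = Tuple[Optional[str], str, Optional[str]]


def resource_key(resource: dict) -> Optional[Key]:
    """Normalise a Resource into a comparable key; None for other resource kinds."""
    if "Table" in resource:
        t = resource["Table"]
        return (t.get("CatalogId"), t["DatabaseName"], "*" if "TableWildcard" in t else t.get("Name"))
    if "Database" in resource:
        d = resource["Database"]
        return (d.get("CatalogId"), d["Name"], None)
    return None


def opt_in_covers_grant(opt_in_key: Key, grant_key: Key) -> bool:
    """A database-level or all-tables opt-in covers every grant in that database."""
    return opt_in_key[:2] == grant_key[:2] and opt_in_key[2] in (None, "*", grant_key[2])


def principals_missing_opt_in(grants: list, opt_ins: list) -> list:
    """(principal, key) pairs whose Lake Formation grant has no covering opt-in."""
    opted = {}
    for o in opt_ins:
        key = resource_key(o["Resource"])
        if key is not None:
            opted.setdefault(o["Principal"]["DataLakePrincipalIdentifier"], []).append(key)
    missing = []
    for g in grants:
        principal = g["Principal"]["DataLakePrincipalIdentifier"]
        key = resource_key(g["Resource"])
        if principal == IAM_ALLOWED_PRINCIPALS or key is None:
            continue  # the virtual group is IAM-governed; data location grants are out of scope
        if not any(opt_in_covers_grant(k, key) for k in opted.get(principal, [])):
            missing.append((principal, key))
    return missing


def resources_without_iam_allowed_super(grants: list, expected: list) -> list:
    """Keys in `expected` that lack Super ("ALL") for IAMAllowedPrincipals."""
    has_super = {resource_key(g["Resource"]) for g in grants
                 if g["Principal"]["DataLakePrincipalIdentifier"] == IAM_ALLOWED_PRINCIPALS
                 and "ALL" in g.get("Permissions", [])}
    return [k for k in expected if k not in has_super]


def preflight(grants: list, opt_ins: list, expected: list) -> dict:
    """Both checks at once; `ok` is True only when the location is safe to convert."""
    missing = principals_missing_opt_in(grants, opt_ins)
    no_super = resources_without_iam_allowed_super(grants, expected)
    return {"ok": not missing and not no_super,
            "principals_missing_opt_in": missing,
            "resources_without_iam_allowed_super": no_super}


def live_preflight(expected: list, region: str) -> dict:
    """Same checks against a real account (needs boto3 and credentials)."""
    import boto3
    lf = boto3.client("lakeformation", region_name=region)
    grants, opt_ins, token = [], [], {}
    while True:                                   # ListPermissions is paginated
        page = lf.list_permissions(**token)
        grants.extend(page["PrincipalResourcePermissions"])
        if not page.get("NextToken"):
            break
        token = {"NextToken": page["NextToken"]}
    token = {}
    while True:                                   # so is ListLakeFormationOptIns
        page = lf.list_lake_formation_opt_ins(**token)
        opt_ins.extend(page["LakeFormationOptInsInfoList"])
        if not page.get("NextToken"):
            break
        token = {"NextToken": page["NextToken"]}
    return preflight(grants, opt_ins, expected)


# Constructed sample: analyst has a grant but no opt-in; customers lacks Super.
ACCOUNT = "123456789012"
ANALYST = f"arn:aws:iam::{ACCOUNT}:role/analyst"
ETL = f"arn:aws:iam::{ACCOUNT}:role/etl"
SAMPLE_GRANTS = [
    {"Principal": {"DataLakePrincipalIdentifier": ANALYST}, "Permissions": ["SELECT"],
     "Resource": {"Table": {"CatalogId": ACCOUNT, "DatabaseName": "sales", "Name": "orders"}}},
    {"Principal": {"DataLakePrincipalIdentifier": ETL}, "Permissions": ["SELECT", "INSERT"],
     "Resource": {"Table": {"CatalogId": ACCOUNT, "DatabaseName": "sales", "Name": "customers"}}},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS}, "Permissions": ["ALL"],
     "Resource": {"Database": {"CatalogId": ACCOUNT, "Name": "sales"}}},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS}, "Permissions": ["ALL"],
     "Resource": {"Table": {"CatalogId": ACCOUNT, "DatabaseName": "sales", "Name": "orders"}}},
]
SAMPLE_OPT_INS = [{"Principal": {"DataLakePrincipalIdentifier": ETL},
                   "Resource": {"Database": {"CatalogId": ACCOUNT, "Name": "sales"}}}]
EXPECTED = [(ACCOUNT, "sales", None), (ACCOUNT, "sales", "orders"), (ACCOUNT, "sales", "customers")]

if __name__ == "__main__":
    print(preflight(SAMPLE_GRANTS, SAMPLE_OPT_INS, EXPECTED))
```

Pass `expected` as the keys of every database and table whose location you are about to edit; a non-empty `principals_missing_opt_in` list is the situation the **Important** note above warns about, and should be resolved with opt-ins before the registration is changed.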

# Sharing an AWS Glue resource using hybrid access mode


Share data with another AWS account, or with a principal in another AWS account, while enforcing Lake Formation permissions and without interrupting existing Data Catalog users' IAM-based access. 

Scenario description - The producer account has a Data Catalog database that has access controlled using IAM principal policies for Amazon S3 and AWS Glue actions. The data location of the database is not registered with Lake Formation. The `IAMAllowedPrincipals` group, by default, has `Super` permissions on the database and all its tables. 

**Granting cross-account Lake Formation permissions in hybrid access mode**

1. **Producer account setup**

   1. Sign in to the Lake Formation console using a role that has `lakeformation:PutDataLakeSettings` IAM permission.

   1. Go to **Data Catalog settings**, and choose `Version 4` for the **Cross account version settings**.

      If you're currently using version 1 or 2, see [Updating cross-account data sharing version settings](optimize-ram.md) for instructions on updating to version 3. 

      There are no permission policy changes required when upgrading from version 3 to 4.

   1. Register the Amazon S3 location of the database or table that you're planning to share in hybrid access mode.

   1. Verify that `Super` permission for the `IAMAllowedPrincipals` group exists on the databases and tables whose data location you registered in hybrid access mode in the preceding step. 

   1. Grant Lake Formation permissions to AWS organizations, organizational units (OUs), or directly with an IAM principal in another account.

   1. If you're granting permissions directly to an IAM principal, opt in the principal from the consumer account to enforce Lake Formation permissions in hybrid access mode by enabling the option **Make Lake Formation permissions effective immediately**.

      If you're granting cross-account permissions to another AWS account, when you opt in the account, Lake Formation permissions are enforced only for the admins of that account. The recipient account's data lake administrator needs to cascade down the permissions and opt in the principals in the account to enforce Lake Formation permissions for the shared resources that are in hybrid access mode.

      If you choose the **Resources matched by LF-Tags** option to grant cross-account permissions, you need to first complete the grant permissions step. You can opt in principals and resources to hybrid access mode as a separate step by choosing **Hybrid access mode** under **Permissions** on the left navigation bar of the Lake Formation console. Then choose **Add** to add the resources and principals for which you want to enforce Lake Formation permissions. 

1. **Consumer account setup**

   1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/) as a data lake administrator.

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home), and accept the resource share invitation. The **Shared with me** tab in the AWS RAM console displays the database and tables that are shared with your account.

   1.  Create a resource link to the shared database and/or table in Lake Formation.

   1. Grant `Describe` permission on the resource link and `Grant on target` permission (on the original shared resource) to the IAM principals in your (consumer) account. 

   1.  Grant Lake Formation permissions on the database or table shared with you to the principals in your account. Opt in the principals and resources to enforce Lake Formation permissions in hybrid access mode by enabling the option **Make Lake Formation permissions effective immediately**.

   1.  Test the principal's Lake Formation permissions by running sample Athena queries. Test the existing access of your AWS Glue users with IAM principal policies for Amazon S3 and AWS Glue actions.

      (Optional) Remove the Amazon S3 bucket policy for data access and IAM principal policies for AWS Glue and Amazon S3 data access for the principals that you configured to use Lake Formation permissions.

# Sharing a Lake Formation resource using hybrid access mode


Allow new Data Catalog users in an external account to access Data Catalog databases and tables using IAM based policies without interrupting the existing Lake Formation cross-account sharing permissions.

Scenario description - The producer account has Lake Formation managed database and tables that are shared with an external (consumer) account at account-level or IAM principal-level. The data location of the database is registered with Lake Formation. The `IAMAllowedPrincipals` group does not have `Super` permissions on the database and its tables. 

**Granting cross-account access to new Data Catalog users via IAM based policies without interrupting existing Lake Formation permissions**

1. **Producer account setup**

   1. Sign in to the Lake Formation console using a role that has the `lakeformation:PutDataLakeSettings` IAM permission. 

   1. Under **Data Catalog settings**, choose `Version 4` for the **Cross account version settings**.

      If you're currently using version 1 or 2, see [Updating cross-account data sharing version settings](optimize-ram.md) for instructions on updating to version 3. 

      There are no permission policy changes required to upgrade from version 3 to 4.

   1. List the permissions you’ve granted to principals on databases and tables. For more information, see [Viewing database and table permissions in Lake Formation](viewing-permissions.md). 

   1. Regrant existing Lake Formation cross-account permissions by opting in principals and resources.
**Note**  
Before updating a data location registration to hybrid access mode to grant cross-account permissions, you need to regrant at least one cross-account data share per account. This step is necessary to update the AWS RAM managed permissions attached to the AWS RAM resource share.  
In July 2023, Lake Formation updated the AWS RAM managed permissions used for sharing databases and tables:  
`arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase` (database-level share policy)  
`arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite` (table-level share policy)  
Cross-account permission grants made before July 2023 don't have these updated AWS RAM permissions.  
If you've granted cross-account permissions directly to principals, you need to individually regrant those permissions to the principals. If you skip this step, the principals accessing the shared resource might get an illegal combination error. 

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home). 

   1. The **Shared by me** tab in the AWS RAM console displays the database and table names that you've shared with an external account or principal.

      Ensure that the permissions attached to the shared resource have the correct ARN. 

   1. Verify the resources in the AWS RAM share are in `Associated` status. If the status shows as `Associating`, wait until they go into `Associated` state. If the status becomes `Failed`, stop and contact Lake Formation service team. 

   1. Choose **Hybrid access mode** under **Permissions** from the left navigation bar, and choose **Add**. 

   1. The **Add principals and resources** page shows the databases and/or tables and the principals that have access. You can make the required updates by adding or removing principals and resources.

   1.  Choose the principals with Lake Formation permissions for the database and tables that you want to change to hybrid access mode. Choose the databases and tables. 

   1.  Choose **Add** to opt in the principals to enforce Lake Formation permissions in hybrid access mode.

   1.  Grant `Super` permission to the virtual group `IAMAllowedPrincipals` on your database and selected tables. 

   1. Edit the Amazon S3 location Lake Formation registration to hybrid access mode.

   1. Grant permissions for the AWS Glue users in the external (consumer) account using IAM permission policies for Amazon S3 and AWS Glue actions. 

1. **Consumer account setup**

   1. Sign in to the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/) as a data lake administrator. 

   1. Go to [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home) and accept the resource share invitation. The **Resources shared with me** tab in the AWS RAM page displays the database and table names that are shared with your account.

       For the AWS RAM share, ensure that the attached permission has the correct ARN of the shared AWS RAM invite. Check if the resources in the AWS RAM share are in `Associated` status. If the status shows as `Associating`, wait until they go into `Associated` state. If the status becomes `Failed`, stop and contact Lake Formation service team. 

   1.  Create a resource link to the shared database and/or table in Lake Formation.

   1. Grant `Describe` permission on the resource link and `Grant on target` permission (on the original shared resource) to the IAM principals in your (consumer) account. 

   1. Next, set up Lake Formation permissions for principals in your account on the shared database or table.

      On the left navigation bar, under **Permissions**, choose **Hybrid access mode**.

   1.  Choose **Add** in the lower section of the **Hybrid access mode** page to opt in the principals and the database or table shared with you from the producer account.

   1. Grant permissions for the AWS Glue users in your account using IAM permission policies for Amazon S3 and AWS Glue actions. 

   1. Test users' Lake Formation permissions and AWS Glue permissions by running separate sample queries on the table using Athena.

      (Optional) Clean up IAM permission policies for Amazon S3 for the principals that are in the hybrid access mode.
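Both the producer and consumer steps above ask you to confirm that the AWS RAM resource share is healthy: every resource association must be `Associated`, a `Failed` association means stop, and the attached managed permissions must be the updated Lake Formation ones listed in the note above. The following added example (not code from the AWS documentation) turns that into a check over the records returned by `GetResourceShareAssociations` and `ListResourceSharePermissions`. It assumes those response shapes, treats the two permission ARNs the page lists as the expected set for database and table shares, and uses constructed Glue resource ARNs; the live call needs boto3 and the `ram:ListResourceSharePermissions` permission mentioned in the prerequisites.

```python
"""Verify a Lake Formation AWS RAM share before relying on it.

Added example, not AWS's code. Response shapes assumed from the RAM APIs
GetResourceShareAssociations and ListResourceSharePermissions.
"""

# The two managed permission ARNs this page lists as the updated share policies.
LF_MANAGED_PERMISSIONS = {
    "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase",
    "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite",
}


class ShareAssociationFailed(Exception):
    """Any Failed association: the procedure says to stop and contact the service team."""


def check_share(associations: list, permission_arns: list) -> dict:
    """Evaluate one resource share.

    associations: [{"associatedEntity": str, "status": str, ...}] from
      GetResourceShareAssociations(associationType="RESOURCE") (shape assumed);
    permission_arns: the "arn" values from ListResourceSharePermissions.
    Returns a report; `ready` is True only when nothing is still associating
    and at least one updated Lake Formation permission is attached.
    """
    pending, failed = [], []
    for a in associations:
        status = a["status"].upper()  # console shows "Associated", the API "ASSOCIATED"
        if status == "FAILED":
            failed.append((a["associatedEntity"], a.get("statusMessage", "")))
        elif status != "ASSOCIATED":
            pending.append((a["associatedEntity"], status))
    if failed:
        raise ShareAssociationFailed(f"failed associations: {failed}")
    attached = set(permission_arns)
    missing_lf_permission = not (attached & LF_MANAGED_PERMISSIONS)
    return {
        "ready": not pending and not missing_lf_permission,
        "pending": pending,
        "missing_lf_permission": missing_lf_permission,  # typical of pre-July-2023 grants
        "other_permissions": sorted(attached - LF_MANAGED_PERMISSIONS),
    }


def check_live_share(resource_share_arn: str, region: str) -> dict:
    """Run check_share against a real share (needs boto3 and credentials)."""
    import boto3
    ram = boto3.client("ram", region_name=region)
    associations, token = [], {}
    while True:  # GetResourceShareAssociations is paginated
        page = ram.get_resource_share_associations(
            associationType="RESOURCE", resourceShareArns=[resource_share_arn], **token)
        associations.extend(page["resourceShareAssociations"])
        if not page.get("nextToken"):
            break
        token = {"nextToken": page["nextToken"]}
    perms = ram.list_resource_share_permissions(resourceShareArn=resource_share_arn)["permissions"]
    return check_share(associations, [p["arn"] for p in perms])


# Constructed sample records (placeholder account ID and Glue resource names).
ORDERS_ARN = "arn:aws:glue:us-east-1:123456789012:table/sales/orders"
SALES_ARN = "arn:aws:glue:us-east-1:123456789012:database/sales"
SAMPLE_PERMISSIONS = ["arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite"]
SAMPLE_READY = [{"associatedEntity": ORDERS_ARN, "status": "ASSOCIATED"},
                {"associatedEntity": SALES_ARN, "status": "ASSOCIATED"}]
SAMPLE_PENDING = [{"associatedEntity": ORDERS_ARN, "status": "ASSOCIATING"},
                  {"associatedEntity": SALES_ARN, "status": "ASSOCIATED"}]
SAMPLE_FAILED = [{"associatedEntity": ORDERS_ARN, "status": "FAILED", "statusMessage": "constructed"}]

if __name__ == "__main__":
    print(check_share(SAMPLE_READY, SAMPLE_PERMISSIONS))
    print(check_share(SAMPLE_PENDING, SAMPLE_PERMISSIONS))
```

Poll `check_live_share` until `ready` is true before creating resource links in the consumer account; a `missing_lf_permission` result on an older share is the signal that the regrant step in the producer account has not been done yet.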