DataZone - scope of permissions

I'm not intermediate in AWS IAM, so perhaps I'm doing something wrong.

I've created an IAM UserA that has access to a project in DataZone.

When clicking the "Athena query" in DataZone project:

  • I'm forwarded from DataZone portal to AWS Athena console
  • I'm assigned a user by DataZone (I think this is called "federated user") with some random looking name starting with datazone-usr-c-proj-
  • I can query the data in the project

However when I try to query the data by:

  • logging into the AWS console (console.aws.amazon.com, IAM user: UserA)
  • opening Athena or Glue
  • I cannot access the data

Is this behavior expected? Or should the user be granted Lake Formation permissions to the tables they have access to? If this is expected, then is interacting via Athena / Redshift the only way to interact with the data in DataZone (at least without providing additional permissions in, for example, Lake Formation)?

ksazon
asked 9 months ago · 468 views
1 Answer
Hi,

You are not doing anything wrong. In Amazon DataZone, resources are organized in DataZone domains. A domain is a collection of Amazon DataZone objects, such as data assets, projects, and associated AWS accounts. As per the documentation:

Associated AWS accounts - these are AWS accounts that host data assets that you want to catalog, discover, govern, share, or analyze through Amazon DataZone. These accounts have a trust relationship with an AWS account that houses an Amazon DataZone domain. This association enables data producers to publish data assets to Amazon DataZone domains from the associated AWS accounts, and enables data consumers to subscribe to data assets in the associated AWS accounts.

That's why you can query the data via Amazon Athena if you use the link from the DataZone console. You are at that time using an identity that has a trust relationship with the account that holds the data. If you use Athena without first assuming this identity, you don't have access to the data.

AWS EXPERT · answered 9 months ago
  • Hi Ben and thank you for the answer!

    Am I correct to think that there is no way for a user who has been granted some permissions in DataZone to use tools that are not available in DataZone portal (for example to transform the data via AWS EMR / Glue)?

    I can think of a workflow where users (using the trust relationship assumed via the DataZone portal) query the data in Athena into an S3 bucket available for both the "regular" user and the assumed identity, then do the transformations (e.g. Glue) and then save the data into a location they can publish from. But it seems like a security-policy nightmare and a waste of storage to me. Do you think it makes sense?
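An added example, not part of the question or the answer above: the check a practitioner would run in each of the two contexts before querying, to see which principal the CLI is actually acting as and which Lake Formation grants that principal holds. Run under the DataZone-issued session (the one whose name starts with datazone-usr-c-proj-) the caller ARN is an STS assumed-role ARN and list-permissions shows the project's grants; run as the plain IAM user UserA it shows none, which is the behaviour the question describes. The `datazone-usr-` role-name prefix is taken from the question and treated here as an assumption; the account IDs and session names in the comments are made up.

```shell
#!/usr/bin/env sh
# Added example: identify the caller and list its Lake Formation grants.
# Assumptions: DataZone-issued sessions are assumed-role sessions whose role
# name starts with "datazone-usr-" (prefix taken from the question). All
# account IDs and names below are constructed for illustration.
set -eu

# Classify a caller ARN as returned by `aws sts get-caller-identity`.
# Prints one of: datazone-session | assumed-role | iam-user | other
classify_caller() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/datazone-usr-*) echo "datazone-session" ;;
    arn:aws:sts::*:assumed-role/*)              echo "assumed-role" ;;
    arn:aws:iam::*:user/*)                      echo "iam-user" ;;
    *)                                          echo "other" ;;
  esac
}

# Lake Formation grants are attached to the IAM role, not to the STS session,
# so strip the session name and swap the sts partition prefix for iam:
#   arn:aws:sts::111122223333:assumed-role/RoleName/Session
#   -> arn:aws:iam::111122223333:role/RoleName
# IAM user ARNs are returned unchanged.
principal_for_lakeformation() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*)
      acct="${arn#arn:aws:sts::}"; acct="${acct%%:*}"
      role="${arn#*:assumed-role/}"; role="${role%%/*}"
      echo "arn:aws:iam::${acct}:role/${role}" ;;
    *) echo "$arn" ;;
  esac
}

# Live check: needs the AWS CLI and credentials for the context under test
# (either the DataZone session exported from the Athena console, or UserA).
main() {
  identity="$(aws sts get-caller-identity --query Arn --output text)"
  kind="$(classify_caller "$identity")"
  principal="$(principal_for_lakeformation "$identity")"
  echo "caller:    $identity"
  echo "kind:      $kind"
  echo "principal: $principal"
  echo "Lake Formation grants for this principal:"
  aws lakeformation list-permissions \
    --principal "DataLakePrincipalIdentifier=$principal" \
    --output table
}

# Only hit AWS when explicitly asked, so the helpers can be sourced/tested.
case "${1:-}" in
  check) main ;;
esac
```

Usage: `sh datazone_identity_check.sh check` once with the DataZone session's credentials and once as UserA. An empty grants table for UserA, alongside a populated one for the `datazone-usr-...` role, is the expected outcome given the answer above: the grants belong to the project role, so the IAM user itself has nothing to act on in Athena or Glue.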
