Since I am setting up my deployment with Terraform, I was able to tear it down and bring it back up again. On this second try the sharing between accounts worked immediately. The difference I can see compared to before is that there are AWS RAM resource shares that were not there before. I think these shares are what enable the consumer account to establish a connection to the producer Glue table. I am not quite sure why it didn't work in the beginning but at least it is solved for now! Thanks for your message!
Hi Wolfman,
When managing AWS Glue and cross-account access, it's crucial to equip the consumer project's IAM role with the necessary permissions. At minimum, ensure your IAM role includes:
- glue:GetTable
- glue:GetDatabase
ℹ️ Additionally, consider attaching a resource-based policy directly to the Glue Database or the specific Glue Table to explicitly grant access to the other account. This step is key for facilitating smooth cross-account interactions.
💡 If you're unsure how to set up an IAM role for cross-account access, you can check out this brief tutorial: link to AWS IAM tutorial.
Hi Osvaldo,
I temporarily added the policy
to the Consumer environment's IAM role. You mentioned the project's IAM role, but I think there is no such role, only one for an environment. Is that what you mean?
I also granted SELECT/DESCRIBE permissions in LakeFormation for the Consumer account to the Producer account's Glue database (pub) and the tables.
Still no success in adding (or removing) the asset. The Glue database in LakeFormation also shows FAILED twice in the "Cross-account access to all tables" section, even though granting the permissions said "successful".
I have also tried adding the following resource-based policy to Glue:
That doesn't help, either.
Any idea what is still missing? I think a cross-account sharing scenario should really be included in the DataZone documentation.