DataZone - scope of permissions

I'm not even at an intermediate level in AWS IAM, so perhaps I'm doing something wrong.

I've created an IAM UserA that has access to a project in DataZone.

When I click "Athena query" in a DataZone project:

  • I'm forwarded from the DataZone portal to the AWS Athena console
  • I'm assigned an identity by DataZone (I think this is called a "federated user") with a random-looking name starting with datazone-usr-c-proj-
  • I can query the data in the project

However, when I try to query the data by:

  • logging into the AWS console (console.aws.amazon.com) as IAM user UserA
  • opening Athena or Glue
  • I cannot access the data.

Is this behavior expected? Or should the user be granted Lake Formation permissions on the tables they have access to? If this is expected, then is interacting via Athena / Redshift the only way to interact with the data in DataZone (at least without granting additional permissions in, for example, Lake Formation)?

ksazon
Asked 10 months ago, viewed 508 times
1 answer

Hi,

You are not doing anything wrong. In Amazon DataZone, resources are organized in DataZone domains. A domain is a collection of Amazon DataZone objects, such as data assets, projects, and associated AWS accounts. As per the documentation:

Associated AWS accounts - these are AWS accounts that host data assets that you want to catalog, discover, govern, share, or analyze through Amazon DataZone. These accounts have a trust relationship with an AWS account that houses an Amazon DataZone domain. This association enables data producers to publish data assets to Amazon DataZone domains from the associated AWS accounts, and enables data consumers to subscribe to data assets in the associated AWS accounts.

That's why you can query the data via Amazon Athena if you use the link from the DataZone console: at that point you are using an identity that has a trust relationship with the account that holds the data. If you use Athena without first assuming this identity, you don't have access to the data.

AWS Expert
Answered 10 months ago
  • Hi Ben, and thank you for the answer!

    Am I correct to think that there is no way for a user who has been granted some permissions in DataZone to use tools that are not available in the DataZone portal (for example, to transform the data via AWS EMR / Glue)?

    I can think of a workflow where a user (using the trust relationship assumed via the DataZone portal) queries the data in Athena into an S3 bucket available to both the "regular" user and the assumed identity, then does the transformations (e.g. in Glue), and then saves the data into a location they can publish from. But it seems like a security-policy nightmare and a waste of storage to me. Do you think it makes sense?

  • Hi Ben-from-aws, thank you for the answer. Is there a way for project members (who get access to the data through the project role) to access the project data in, let's say, Power BI (which requires access keys and secret keys) without having to go back to Lake Formation and grant the individual project members permissions to access that data?

  • Hi Jean, I'm not too familiar with Power BI, but if the service requires an IAM access key and secret key, you will need to use IAM to create those. DataZone integrates with IAM as well as Identity Center to manage users and permissions; see https://docs.aws.amazon.com/datazone/latest/userguide/user-management-console.html
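The answer above turns on which principal actually makes the Athena or Glue call: the IAM user UserA, or the project identity DataZone hands out. The quickest way to see that is to run `aws sts get-caller-identity` with the credentials in use and read the `Arn` field. The script below is an added example, not part of this thread or of any AWS tooling; it parses that ARN and reports whose permissions the call will be authorized against. It assumes that the DataZone-provided identity appears as an STS assumed-role session whose role name begins with the `datazone-usr-c-proj-` prefix the asker quoted, and it uses constructed sample JSON (the documentation example account 111122223333, made-up user and role IDs) so it runs offline.

```python
"""Tell whether an AWS call runs as your own IAM user or as a DataZone project role session."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Optional

# Role-name prefix the asker saw on the identity DataZone hands out (taken from the question above;
# the assumption here is that this identity shows up as an STS assumed-role session).
DATAZONE_PROJECT_ROLE_PREFIX = "datazone-usr-c-proj-"

# IAM/STS principal ARNs have the shape arn:<partition>:<iam|sts>::<12-digit account>:<resource>
_PRINCIPAL_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class CallerIdentity:
    account: str
    kind: str                  # "iam-user", "assumed-role", "federated-user", "root" or "unknown"
    name: str                  # user name, role name or federated-user name
    session: Optional[str]     # role session name; only set for assumed-role sessions
    is_datazone_project_role: bool


def classify_caller(arn: str) -> CallerIdentity:
    """Parse the Arn field returned by sts:GetCallerIdentity into its principal type."""
    m = _PRINCIPAL_ARN.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn!r}")
    account, resource = m.group("account"), m.group("resource")
    if resource == "root":
        return CallerIdentity(account, "root", "root", None, False)
    rtype, _, rest = resource.partition("/")
    if rtype == "user":
        # IAM users may carry a path (user/eng/team/UserB); the user name is the last segment.
        return CallerIdentity(account, "iam-user", rest.rsplit("/", 1)[-1], None, False)
    if rtype == "assumed-role":
        # Layout is assumed-role/<RoleName>/<RoleSessionName>
        role, _, session = rest.partition("/")
        return CallerIdentity(
            account, "assumed-role", role, session or None,
            role.startswith(DATAZONE_PROJECT_ROLE_PREFIX),
        )
    if rtype == "federated-user":
        # Sessions minted with sts:GetFederationToken look like federated-user/<Name>
        return CallerIdentity(account, "federated-user", rest, None, False)
    return CallerIdentity(account, "unknown", resource, None, False)


def explain(get_caller_identity_json: str) -> str:
    """Summarise whose permissions an Athena/Glue call made with these credentials is checked against."""
    ident = classify_caller(json.loads(get_caller_identity_json)["Arn"])
    if ident.is_datazone_project_role:
        return (
            f"DataZone project role {ident.name} (session {ident.session}) in account {ident.account}: "
            "authorization uses this role's IAM and Lake Formation permissions, not your own user's."
        )
    return (
        f"{ident.kind} {ident.name} in account {ident.account}: "
        "authorization uses this principal's own IAM and Lake Formation permissions; "
        "the DataZone project role is not involved."
    )


# Constructed sample outputs of `aws sts get-caller-identity --output json` (not real identities).
SAMPLE_IAM_USER = json.dumps({
    "UserId": "AIDAEXAMPLEUSERA",
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/UserA",
})
SAMPLE_DATAZONE_SESSION = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:UserA",
    "Account": "111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/datazone-usr-c-proj-example1/UserA",
})

if __name__ == "__main__":
    for sample in (SAMPLE_IAM_USER, SAMPLE_DATAZONE_SESSION):
        print(explain(sample))
```

In practice you would pipe the real CLI output in (`aws sts get-caller-identity --output json | python3 -c 'import sys; from caller import explain; print(explain(sys.stdin.read()))'`, with the file saved as caller.py) once from the console session DataZone opened and once with UserA's own credentials. The two results differ in principal, which is exactly why the second one is denied: Lake Formation and IAM evaluate the calling principal, and UserA was never granted anything.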
