AWS Redshift data sharing using Lake formation

Scenario: In this scenario, we will be configuring data sharing between two Redshift databases in different accounts via central access management using Lake formation.

Prerequisites

1. Data Catalog set to use LF permissions (both checkboxes are unchecked and cross-account version is set to 3 or higher). Details: https://docs.aws.amazon.com/lake-formation/latest/dg/initial-lf-config.html#setup-change-cat-settings

   
   

2. Lake Formation admin role configured

   • https://docs.aws.amazon.com/lake-formation/latest/dg/initial-lf-config.html#permissions-lf-principal

   • Prerequisites for setting up permissions on Amazon Redshift datashares - AWS Lake Formation

Producer Account:

1. create DATASHARE <Producer_DS> set publicaccessible false;

2. Alter datashare Producer_DS add schema public;

3. Alter datashare Producer_DS add table public.<table name>;

4. GRANT USAGE ON DATASHARE Producer_DS TO ACCOUNT '<Account id>'; ---central data governance account id

5. GRANT ALTER, SHARE ON DATASHARE Producer_DS To "<DB Role Name>";

6. Go to Redshift > Data shares > Accept Invitation

Lake Formation Account:

1. Admin to Accept the invitation of Data Share created from Producer

2. Now, Create a database from Data share by giving it a name

3. Grant usage/select permissions to the external Consumer account

4. Grant usage/select permissions to the role “DB Role name of Consumer"

Consumer Account:

1. Consume the data share from Lake formation

2. CREATE DATABASE <database name> FROM ARN 'arn:aws:glue:<region>:<account id>:database/<Lake formation database name>' WITH DATA CATALOG SCHEMA <Lake formation database name>;

3. Grant usage on database <database name> to "<Role name>"

Now you have successfully consumed the Lake formation data share and created a database in your consumer account.