- The customer DBA logs on to the database and creates an AUTHORIZATION object using the customer's IAM role information: the ARN of the role the engine will assume and the external ID that the role's trust policy requires.
CREATE AUTHORIZATION Finance_Auth USING AUTHSERVICETYPE 'ASSUME_ROLE' ROLENAME 'arn:aws:iam::158228458290:role/finance-dept--role' EXTERNALID '7b50f73c-8224-4143-86f0-9541a9938f34';
- The customer DBA creates a DATALAKE database object that references the AUTHORIZATION object configured in the previous step. Two settings in the USING clause matter for Lake Formation: lakeformation_enabled is set to true, and lakeformation_authorized_caller_session_tag is set to the session tag value that was registered with Lake Formation when the external engine was integrated.
CREATE DATALAKE Finance_Datalake EXTERNAL SECURITY CATALOG Finance_Auth, EXTERNAL SECURITY STORAGE Finance_Auth USING catalog_type ('glue') storage_location ('s3://jpmc-poc/') storage_region ('us-west-2') lakeformation_enabled('true') lakeformation_authorized_caller_session_tag('vcl_tdotf') TABLE FORMAT iceberg;
- The customer DBA grants the following permissions on the AUTHORIZATION and DATALAKE objects to database users or roles.
GRANT EXECUTE ON Finance_Auth TO <user/role>;
GRANT SELECT ON TD_SERVER_DB.Finance_Datalake TO <user/role>;
At this point, database users who hold these grants can run OTF HELP and SELECT queries against the DATALAKE. The database grants control who may use the DATALAKE; which tables and columns they can actually read is still governed by the Lake Formation permissions held by the assumed role.
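The AUTHORIZATION and DATALAKE objects only work as a confused-deputy defence if the role named in Finance_Auth actually enforces the EXTERNALID and the session tag on its trust policy. The following is an added example, not code from this page or from Teradata, that lints a role trust policy offline against the values used in the statements above. It assumes the standard AWS pattern: an sts:ExternalId condition on sts:AssumeRole, and sts:TagSession allowed only for the LakeFormationAuthorizedCaller session tag value. The two policy documents are constructed samples, and the trusted account 111122223333 is a placeholder because the page does not state which principal assumes the role.

```python
"""Offline lint for the IAM role trust policy behind an ASSUME_ROLE AUTHORIZATION.

Added example; not code from the page or from Teradata. It assumes the standard
AWS pattern for a role assumed by an external engine:
  1. the trust policy requires the EXTERNALID from CREATE AUTHORIZATION via an
     sts:ExternalId condition (confused-deputy mitigation), and
  2. sts:TagSession is allowed only when the LakeFormationAuthorizedCaller session
     tag equals lakeformation_authorized_caller_session_tag.
Policy documents below are constructed samples; account 111122223333 is a
placeholder for whichever principal actually assumes the role.
"""
import json
from typing import Any

SESSION_TAG_KEY = "aws:RequestTag/LakeFormationAuthorizedCaller"

# Values copied from the CREATE AUTHORIZATION / CREATE DATALAKE statements.
EXTERNAL_ID = "7b50f73c-8224-4143-86f0-9541a9938f34"
SESSION_TAG_VALUE = "vcl_tdotf"


def _as_list(value: Any) -> list:
    """IAM accepts a scalar or an array for Statement, Action, Principal and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(stmt: dict, operator: str, key: str) -> list:
    """Values bound to condition operator/key in one statement (IAM keys are case-insensitive)."""
    for op, pairs in stmt.get("Condition", {}).items():
        if op.lower() != operator.lower():
            continue
        for k, v in pairs.items():
            if k.lower() == key.lower():
                return _as_list(v)
    return []


def _allows(stmt: dict, action: str) -> bool:
    """True if the statement is an Allow naming the action explicitly (wildcards are not expanded)."""
    return stmt.get("Effect") == "Allow" and action in _as_list(stmt.get("Action"))


def lint_trust_policy(policy: dict, external_id: str, tag_value: str) -> list:
    """Return findings; an empty list means the policy matches the DATALAKE configuration."""
    findings = []
    statements = _as_list(policy.get("Statement"))

    assume = [s for s in statements if _allows(s, "sts:AssumeRole")]
    if not assume:
        findings.append("no Allow statement for sts:AssumeRole")
    for s in assume:
        sid = s.get("Sid", "<no Sid>")
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"{sid}: Principal is a wildcard; any AWS account may attempt AssumeRole")
        if _condition_values(s, "StringEquals", "sts:ExternalId") != [external_id]:
            findings.append(f"{sid}: sts:ExternalId condition missing or does not equal EXTERNALID")

    tagging = [s for s in statements if _allows(s, "sts:TagSession")]
    if not tagging:
        findings.append("sts:TagSession not allowed; the engine cannot present the LakeFormationAuthorizedCaller tag")
    for s in tagging:
        sid = s.get("Sid", "<no Sid>")
        if _condition_values(s, "StringEquals", SESSION_TAG_KEY) != [tag_value]:
            findings.append(f"{sid}: {SESSION_TAG_KEY} not pinned to lakeformation_authorized_caller_session_tag")
    return findings


# Constructed sample: the trust policy the DBA should expect on finance-dept--role.
GOOD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EngineAssumesRole",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": ["sts:AssumeRole", "sts:TagSession"],
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "7b50f73c-8224-4143-86f0-9541a9938f34",
          "aws:RequestTag/LakeFormationAuthorizedCaller": "vcl_tdotf"
        }
      }
    }
  ]
}
""")

# Constructed sample of a weak policy: open principal, no external ID, no session tag.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
  ]
}
""")

if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, lint_trust_policy(policy, EXTERNAL_ID, SESSION_TAG_VALUE) or "OK")
```

To run it against the real role, fetch the live document with `aws iam get-role --role-name finance-dept--role --query Role.AssumeRolePolicyDocument` and pass the parsed JSON to lint_trust_policy with the EXTERNALID and session tag from the DDL. The linter deliberately does not expand `sts:*` or `Action: "*"`, so an over-broad action list shows up as a missing AssumeRole/TagSession statement and should be tightened rather than special-cased.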