AWS Lake Formation access control support#

Note

AWS Lake Formation access control support is a public preview feature. Contact Starburst support with questions or feedback.

Starburst Enterprise platform (SEP) provides support for using an existing AWS Lake Formation access control system.

Requirements#

In order to use AWS Lake Formation integration with Starburst Enterprise, you need:

  • An existing AWS Lake Formation configuration and AWS credentials that allow interacting with its API.

  • A valid Starburst Enterprise license.

Overview#

AWS Lake Formation provides a single place to manage access control policies. You can define security policies that restrict access to data at the database, table, column, row and cell levels. These policies apply to AWS Identity and Access Management (IAM) users and roles, and to users and groups when federating through an external identity provider.

Starburst Enterprise platform (SEP) integration with AWS Lake Formation enforces AWS Lake Formation access control policies when accessing registered Amazon S3 data lake locations.

AWS Lake Formation access control support is only available for catalogs that use the Hive connector, since it relies on the security system of the Hive connector.

Configure AWS Lake Formation#

Each catalog that needs to be controlled with AWS Lake Formation must have the catalog properties file configured to use the lake-formation Hive security:

hive.security=lake-formation

The following is a more complex example of a catalog properties file that is configured to use AWS Lake Formation for authorization with the Hive connector.

connector.name=hive
hive.security=lake-formation
hive.metastore=glue
hive.metastore.glue.region=us-east-2
hive.metastore.glue.default-warehouse-dir=s3://data-lake-bucket
hive.metastore.glue.iam-role=arn:aws:iam::<account_id>:role/role_for_glue
hive.s3.iam-role=arn:aws:iam::<account_id>:role/role_for_s3
lake-formation.role-credential-name=aws_role
lake-formation.authorized-caller-tag=starburst-enterprise

Configuration properties#

AWS Lake Formation configuration properties#

lake-formation.role-credential
    The name of the extra credential used to provide the role ARN that is used when communicating with AWS Lake Formation. For example, given lake-formation.role-credential=aws_lf_role, add extraCredentials=aws_lf_role:arn:aws:iam::<account_id>:role/lf_role to the parameters used with the JDBC driver to connect to SEP. Users of the CLI can pass the same value with the --extraCredential option.

lake-formation.authorized-caller-tag
    The value of the LakeFormationAuthorizedCaller tag registered for SEP in the AWS Lake Formation third-party query engine integration.
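As an added example (not part of the Starburst documentation), the following Python check parses a catalog properties file in the format shown above and verifies that its Lake Formation settings are consistent with the extraCredentials value a client passes: the Hive connector with lake-formation security is configured, the IAM role ARNs carry a real account id rather than a leftover <account_id> placeholder, the authorized caller tag is set, and the client's extra credential name matches the configured one. The sample file and account id are constructed; the property name lake-formation.role-credential-name follows the example catalog file above.

```python
import re
# Constructed sample catalog file; one ARN deliberately keeps the <account_id> placeholder.
SAMPLE_CATALOG = """\
connector.name=hive
hive.security=lake-formation
hive.metastore=glue
hive.metastore.glue.region=us-east-2
hive.metastore.glue.iam-role=arn:aws:iam::123456789012:role/role_for_glue
hive.s3.iam-role=arn:aws:iam::<account_id>:role/role_for_s3
lake-formation.role-credential-name=aws_role
lake-formation.authorized-caller-tag=starburst-enterprise
"""
# Well-formed IAM role ARN: 12-digit account id, optional path, role name.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def parse_properties(text):
    """Parse key=value lines (Java properties subset); blanks and # comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_lake_formation_catalog(props, extra_credentials):
    """Return a list of problems; an empty list means catalog and client settings agree.
    extra_credentials is the client-side 'name:roleArn' string passed to the JDBC driver."""
    problems = []
    if props.get("connector.name") != "hive":
        problems.append("Lake Formation security is only supported by the Hive connector")
    if props.get("hive.security") != "lake-formation":
        problems.append("hive.security must be set to lake-formation")
    for key in ("hive.metastore.glue.iam-role", "hive.s3.iam-role"):
        arn = props.get(key, "")
        if not ROLE_ARN.match(arn):
            problems.append(f"{key} is not a well-formed IAM role ARN: {arn!r}")
    if not props.get("lake-formation.authorized-caller-tag"):
        problems.append("lake-formation.authorized-caller-tag is missing")
    cred_name = props.get("lake-formation.role-credential-name")
    if not cred_name:
        problems.append("lake-formation.role-credential-name is missing")
    else:
        name, _, arn = extra_credentials.partition(":")
        if name != cred_name:
            problems.append(f"client extra credential {name!r} does not match {cred_name!r}")
        if not ROLE_ARN.match(arn):
            problems.append(f"extra credential role ARN is not well-formed: {arn!r}")
    return problems
```

Running the check over the sample reports only the unreplaced placeholder in hive.s3.iam-role; once that line carries a real account id, the result is an empty list.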

Limitations#

  • Starburst Enterprise platform (SEP) does not support cell filters and column masking defined in AWS Lake Formation.