# Granting Permissions to IAM Roles
The Lake Formation Connector lets you grant permissions to IAM roles in your own AWS account (the account used to configure the connector) or in external AWS accounts (cross-account access).
So that each grant resolves to the intended role, particularly for cross-account roles, roles must be specified in a strict, account-qualified format. IAM role names are unique only within an AWS account, not globally, so an unqualified name cannot identify a role in another account. This requirement follows the Lake Formation Connector's access control conventions and is mandatory for a grant to succeed.
## Role Formats for Your AWS Account
When the IAM role belongs to the same AWS account as your Lake Formation Connector, you can use either format:
### Option 1: Role name only
### Option 2: Full account-qualified format
Both formats are functionally equivalent for same-account roles.
## Role Format for External AWS Accounts
When granting permissions to an IAM role that belongs to an external AWS account, you must use the full account-qualified format:
### Required format
### Example
This format uniquely identifies the IAM role across AWS accounts and is required for all cross-account permission grants.
## Important Notes and Constraints
- External (cross-account) roles require the full account-qualified format.
- Specifying only the role name is not supported for external accounts.
- Roles must be created or referenced in the portal using the correct format to successfully grant Lake Formation permissions.
- Incorrect role formatting will result in permission grant failures, which may surface as access denied errors during query execution or metadata access.
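As a pre-flight check for the rules above, the following is an added Python example; it is not part of this page and not the connector's own code. Because the page does not reproduce the connector's exact syntax, the example assumes that the account-qualified form is the IAM role ARN (`arn:aws:iam::<12-digit-account-id>:role/<name>`) and that a bare role name denotes a role in the connector's own account. All account IDs and role names in it are constructed. It resolves a specifier to exactly one role, treats Option 1 and Option 2 as equivalent for same-account roles, and rejects a bare name, or an ARN for the wrong account, when the grant targets an external account.

```python
import re

# Added example, not the connector's own code.  ASSUMPTION: the account-qualified
# form is the IAM role ARN  arn:<partition>:iam::<12-digit-account>:role/<path/><name>,
# and a bare role name denotes a role in the connector's own account.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# IAM role names: 1-64 characters from [A-Za-z0-9+=,.@_-]
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9+=,.@_-]{1,64}$")
ROLE_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/"
    r"((?:[A-Za-z0-9+=,.@_-]+/)*)([A-Za-z0-9+=,.@_-]{1,64})$"
)


class RoleSpecError(ValueError):
    """The specifier does not resolve to exactly one IAM role for this grant."""


def resolve_role(spec, connector_account):
    """Return (partition, account_id, path, role_name) for a role specifier.

    A bare name is resolved against the connector's account only: IAM role
    names are unique per account, not globally, so a bare name cannot say
    which account a same-named role lives in.
    """
    if not ACCOUNT_ID_RE.match(connector_account):
        raise RoleSpecError(f"connector account must be a 12-digit id: {connector_account!r}")
    spec = spec.strip()
    m = ROLE_ARN_RE.match(spec)
    if m:
        partition, account, path, name = m.groups()
        return partition, account, "/" + path, name
    if ROLE_NAME_RE.match(spec):
        return "aws", connector_account, "/", spec
    raise RoleSpecError(f"not an IAM role name or role ARN: {spec!r}")


def canonical_role_arn(spec, connector_account, target_account=None):
    """Return the fully qualified role ARN to use in a grant.

    target_account is the account the grant is meant for (defaults to the
    connector's own).  For a cross-account target only the ARN form is
    accepted and its account must equal the target, so a grant can never
    land on a same-named role in the wrong account.
    """
    target_account = target_account or connector_account
    partition, account, path, name = resolve_role(spec, connector_account)
    if account != target_account:
        if ROLE_ARN_RE.match(spec.strip()) is None:
            raise RoleSpecError(
                f"{spec!r} is a bare role name; grants to external account "
                f"{target_account} need the account-qualified form"
            )
        raise RoleSpecError(f"{spec!r} is in account {account}, not target {target_account}")
    return f"arn:{partition}:iam::{account}:role{path}{name}"


def check_role_spec(spec, connector_account, target_account=None):
    """Non-raising wrapper: (True, canonical ARN) or (False, reason)."""
    try:
        return True, canonical_role_arn(spec, connector_account, target_account)
    except RoleSpecError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed account ids and role names for the demo.
    MINE, PARTNER = "111111111111", "222222222222"
    cases = [
        ("AnalystRole", MINE),                                        # option 1, same account
        ("arn:aws:iam::111111111111:role/AnalystRole", MINE),        # option 2, same account
        ("arn:aws:iam::222222222222:role/etl/ReaderRole", PARTNER),  # cross-account, qualified
        ("ReaderRole", PARTNER),                                      # cross-account, bare: rejected
        ("arn:aws:iam::333333333333:role/ReaderRole", PARTNER),      # wrong account: rejected
        ("Analyst Role", MINE),                                       # bad characters: rejected
    ]
    for spec, target in cases:
        ok, detail = check_role_spec(spec, MINE, target)
        print(f"{'OK   ' if ok else 'ERROR'} {spec!r:55} -> {detail}")
```

Run the check over every role you intend to grant before submitting the grants; a specifier that fails here would otherwise fail at grant time or surface later as an access denied error during query execution or metadata access.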