AWS Big Data Blog
Access and manage data from multiple accounts from a central AWS Lake Formation account
This post shows how to access and manage data in multiple accounts from a central AWS Lake Formation account. The walkthrough demonstrates a centralized catalog residing in the master Lake Formation account, with data residing in the different accounts. The post shows how to grant access permissions from the Lake Formation service to read, write and update the catalog and access data in different accounts.
The post uses two datasets to determine whether there is a correlation between the news generated around the world (the GDELT dataset, gdelt) and the number of reviews that Amazon's products received (amazonreviews).
Prerequisites
This walkthrough uses the US East (N. Virginia) Region (us-east-1). You also need three different AWS accounts, each with an S3 bucket, and their account numbers.
Setting up the Environment
The three accounts are as follows:
- Account Products (AP) – This account stores the Amazon product reviews (the amazonreviews dataset). This post deploys its configuration using AWS CloudFormation.
- Account External (AE) – This account stores the GDELT dataset, which monitors the world's broadcast, print, and web news in over 100 languages and identifies the people, locations, organizations, counts, themes, sources, emotions, quotes, images, and events driving global society every second of every day. This post deploys its configuration using AWS CloudFormation.
- Main Account (MA) – This is the main account, which gathers data from the other two accounts. This post configures Lake Formation in this account. The MA is granted access to the buckets in the product reviews and world news accounts.
The following diagram shows the account architecture.
Account Products
Deploy the following AWS CloudFormation template in the AP.
This creates an S3 bucket called productsaccountcf-bucketname-1pcfoxar1pxp (templateName-bucket-name-random_string) and a cross-account bucket policy in the AP. The policy grants access to this bucket to the main account's root principal (arn:aws:iam::<MA account ID>:root). Trusting the root principal of an account delegates access to every IAM user and role in that account whose own IAM policy also allows the S3 action, not only to the root user; the Lake Formation role you create later in the MA relies on this delegation. The template also uses a Lambda function to download the amazonreviews dataset into the new bucket.
Make sure you insert the account number of your main account in the datalake-AccountId field. The following screenshot shows that for this post, the MA account number is 1111111111111 (a placeholder; use your own 12-digit account ID).
Account External
Deploy the following AWS CloudFormation template in the AE.
This creates an S3 bucket called externalaccountcf-resultbucket-12ecq638afqiq (templateName-bucket-name-random_string) and a cross-account bucket policy in the AE. This policy gives the main account access to this bucket. Because of the nature of the dataset, this template also creates tables in the data catalog: instead of running AWS Glue crawlers, it runs Athena queries that define the table structure.
The template executes queries in Amazon Athena to download the gdelt dataset and to create the metadata of the tables that Lake Formation uses.
Make sure you insert the account number of your main account in the datalakeAccountid field. For this post, the MA account number is 1111111111111. Though the CloudFormation console shows CREATE_COMPLETE, a query is still executing, which you can observe in the Athena console (reachable from the AWS Management Console). The query that continues to run creates a new table in the AE with the data in Parquet format so that queries perform better.
The following screenshot shows your query history and status.
You are now ready to go to Lake Formation in your main account and start configuring.
Registering data stores in Lake Formation
Log in to the Lake Formation console in your main account. If this is the first time you are accessing Lake Formation, you need to add data lake administrators to the account; add the IAM user or role you are logged in with.
To add your data lakes, complete the following steps:
- On the Lake Formation console, under Register and ingest, choose Data lake locations. The page displays a list of S3 buckets that are marked as data lake storage resources for Lake Formation. Here, a single S3 bucket may act as the repository for many datasets, or you could use separate buckets for separate data sources. This post registers the S3 buckets in the other accounts and creates a master catalog in Lake Formation.
- Choose Register location. The following screenshot shows the Data lake locations pane. You can now register both buckets you created in your AP and AE.
- In Amazon S3 location, for Amazon S3 path, enter s3://productsaccountcf-bucketname-1pcfoxar1pxp.
- For IAM role, keep the default role the console proposes. You need an IAM role that gives Lake Formation the necessary permissions (GetObject, PutObject, DeleteObject, and ListBucket) to properly use your S3 bucket as a data lake; the default role has these permissions. Alternatively, select a pre-existing IAM role that has the required permissions and is configured with lakeformation.amazonaws.com as a trusted entity. Because the bucket lives in another account, the role's own permissions only take effect if the cross-account bucket policy created by the template also allows the MA; if it does not, registration still succeeds but later queries fail with access denied.
- Choose Register location. The following screenshot shows the Amazon S3 location pane. You now have a storage resource and are ready to register the second bucket.
- Repeat the previous steps, but for the Amazon S3 path register the bucket externalaccountcf-resultbucket-12ecq638afqiq from your AE (888888888888) as s3://externalaccountcf-resultbucket-12ecq638afqiq.
Setting up your IAM role
You need an IAM role that allows Lake Formation to create catalog tables of the datasets in the storage locations. Complete the following steps:
- On the AWS console, access IAM and create an IAM role.
- Attach AWS Glue and AWS Lambda policies as described here.
- Edit the trust relationship for the role with the following policy:
Add managed policies that give the role permissions on S3, permissions to run Athena queries and use AWS Glue, and permissions to publish Amazon CloudWatch Logs. Where you can, scope the S3 statements to the two registered buckets rather than granting access to every bucket in the account.
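As an added example (not part of the original post, and not the post's CloudFormation templates), the following Python builds the two policy documents this walkthrough depends on, the cross-account bucket policy that the AP and AE templates create for the main account and the trust relationship for the Lake Formation role, and lints them for the mistakes that commonly creep into a quick cross-account setup: public or foreign principals, S3 actions beyond the four Lake Formation needs, and IAM principals that can assume the data-access role directly (which would bypass every Lake Formation grant). The account ID, bucket name and the over-broad sample policy are placeholders constructed for the example; the post does not name the role.

```python
"""Added example (not from the original post): build and lint the two policy
documents the walkthrough relies on. Account IDs and bucket names are
placeholders; the over-broad policy below is constructed for illustration."""
import json

# Actions the post lists as needed on a registered data lake bucket.
LF_BUCKET_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}
LF_SERVICE = "lakeformation.amazonaws.com"


def cross_account_bucket_policy(bucket: str, trusted_account: str) -> dict:
    """Bucket policy for a bucket in AP/AE granting access to the main account (MA).

    Trusting arn:aws:iam::<MA>:root delegates to every IAM principal in MA whose
    own identity policy also allows the action, not just the MA root user.
    ListBucket applies to the bucket ARN; Get/Put/DeleteObject to the object ARNs.
    """
    principal = {"AWS": f"arn:aws:iam::{trusted_account}:root"}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "MainAccountListBucket", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "MainAccountObjects", "Effect": "Allow", "Principal": principal,
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def lakeformation_trust_policy() -> dict:
    """Trust relationship for the data-access role: only the Lake Formation service
    may assume it. If IAM users could assume it too, they could read the buckets
    directly and bypass every Lake Formation grant."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": {"Service": LF_SERVICE},
                           "Action": "sts:AssumeRole"}]}


# Constructed over-broad policy of the kind a quick test setup often ends up with.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Account ID of an IAM principal given as a bare ID or an ARN."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")          # arn:aws:iam::<account>:root
    return parts[4] if len(parts) > 4 else ""


def check_bucket_policy(policy: dict, trusted_account: str) -> list:
    """Findings for Allow statements that reach beyond the MA account or beyond
    the four actions Lake Formation needs."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: public principal '*'")
            elif _account_of(arn) != trusted_account:
                findings.append(f"{sid}: principal outside trusted account: {arn}")
        for action in _as_list(st.get("Action", [])):
            if action not in LF_BUCKET_ACTIONS:
                findings.append(f"{sid}: action beyond what Lake Formation needs: {action}")
    return findings


def check_trust_policy(policy: dict) -> list:
    """Findings if anything other than the Lake Formation service can assume the role."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        if principal == "*" or "AWS" in principal:
            findings.append(f"trust policy allows IAM principals: {principal}")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        for svc in services:
            if svc != LF_SERVICE:
                findings.append(f"unexpected trusted service: {svc}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action in trust policy: {action}")
    return findings


if __name__ == "__main__":
    ma = "111111111111"  # placeholder main-account ID
    good = cross_account_bucket_policy("productsaccountcf-bucketname-1pcfoxar1pxp", ma)
    print(json.dumps(good, indent=2))
    print("bucket policy findings:", check_bucket_policy(good, ma))
    print("over-broad findings:", check_bucket_policy(OVERLY_BROAD_POLICY, ma))
    print("trust policy findings:", check_trust_policy(lakeformation_trust_policy()))
```

To lint the policies actually deployed, feed the checker the JSON returned by `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) and by `aws iam get-role` (the `AssumeRolePolicyDocument` field).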
Creating a database
Lake Formation maintains a Hive-compatible data catalog within your data lake. Before you can catalog data within your S3 storage backend or use Lake Formation data importers to push data to S3, you must first create a database within your Lake Formation catalog.
A Lake Formation database is a logical construct to which you can later add tables. Each table contains a mapping to one or more objects in S3 that, collectively, represent that table. Tables also contain basic column metadata such as file format, S3 location, and column definitions. Optionally, you can also define arbitrary key-value pairs for tables and columns to better describe the data and act as queryable attributes for data discovery.
You can create one or more databases and populate their tables either manually in the console, programmatically via the AWS SDKs or AWS CLI, or automatically by defining AWS Glue crawlers.
This post defines two logical databases, amazonreviews and gdelt.
- On the Lake Formation console, under Data catalog, choose Databases.
- Choose Create database. The following screenshot shows the Databases pane.
- For Name, enter amazonreviews.
- For Location, enter s3://productsaccountcf-bucketname-1pcfoxar1pxp/amazonreviews.
- For Description, enter a brief, meaningful description.
- Clear Grant All to Everyone for new tables in this database. Leaving this selected grants the IAMAllowedPrincipals group full access to every new table, so access is decided by IAM policies alone and the Lake Formation grants you make later are not enforced.
- Choose Create database. The following screenshot shows the database details.
- Create the gdelt database the same way: set Name to gdelt, set Location to s3://externalaccountcf-resultbucket-12ecq638afqiq/gdelt, set Description to a brief, meaningful description like the one shown below, and clear Grant All to Everyone for new tables in this database.
Granting permissions
You now have your databases and need to grant permissions in Lake Formation to the role you created. Make sure the IAM users and roles that administer the data lake are registered as data lake administrators first.
- On the Lake Formation console, under Permissions, choose Admins and database creators. The following screenshot shows the Admins and database creators pane.
- Under Permissions, choose Data permissions.
- From the Actions menu, choose Grant.
- Select your new IAM role.
- For Database permissions, choose Create table and Grant all.
- Choose Grant. The following screenshot shows the Grant permissions pane.
- Repeat the previous steps for the amazonreviews and gdelt databases.
The next step is granting your role permissions to the data lake locations you registered.
- From Permissions, choose Data locations.
- Choose Grant. The following screenshot shows the Data locations pane.
- For IAM users and roles, select your new role.
- For Storage locations, enter s3://productsaccountcf-bucketname-1pcfoxar1pxp.
- Choose Grant. The following screenshot shows the Grant permissions pane.
- Repeat the steps for the data lake location s3://externalaccountcf-resultbucket-12ecq638afqiq/.
Setting up your main account
Deploy the following CloudFormation stack in the MA.
This creates tables in the amazonreviews and gdelt databases.
From the Actions menu, choose Grant. Select the role or users to grant access to, select the two check boxes, and choose Grant.
Querying the data
Now that you have the data in the catalog, you can run queries from the main account with Athena across the datasets in the different accounts.
Grant table permissions by completing the following steps:
- On the Lake Formation console, under Data catalog, choose Tables.
- Choose the table to query.
- From the Actions menu, choose Grant, and enter your role or user name. The following screenshot shows the Tables pane.
- For Table permissions, select Select.
- For Grantable permissions, select Alter, Insert, Drop, Delete, Select, and Grant all. The following screenshot shows the Grant permissions pane. Grantable permissions let the grantee re-grant them to other principals, so outside of a walkthrough keep this set as small as possible.
- Repeat the previous steps for the events table in the gdelt database.
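As an added example (not part of the original post), the following Python audits Lake Formation grants of the kind this walkthrough creates: IAMAllowedPrincipals grants (the fallback behind "Grant All to Everyone", under which IAM policies alone decide access), grant-option permissions on non-administrator principals (they can re-share the data), and ALL on non-administrators. The records are constructed here in the shape returned by `aws lakeformation list-permissions`; the account ID, the role name LakeFormationDataRole and the analyst user are placeholders, not names from the post.

```python
"""Added example (not from the original post): audit Lake Formation grants.
SAMPLE_PERMISSIONS is constructed in the shape of list-permissions output;
the account ID, role and user names are placeholders."""

IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"  # principal behind "Grant All to Everyone"
ROLE = "arn:aws:iam::111111111111:role/LakeFormationDataRole"  # assumed name

# Constructed sample of what list-permissions might return after following the post.
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": ROLE},
     "Resource": {"Database": {"Name": "amazonreviews"}},
     "Permissions": ["CREATE_TABLE", "ALL"], "PermissionsWithGrantOption": ["ALL"]},
    {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED},
     "Resource": {"Table": {"DatabaseName": "gdelt", "Name": "events"}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111111111111:user/analyst"},
     "Resource": {"Table": {"DatabaseName": "gdelt", "Name": "events"}},
     "Permissions": ["SELECT"],
     "PermissionsWithGrantOption": ["ALTER", "INSERT", "DROP", "DELETE", "SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": ROLE},
     "Resource": {"DataLocation": {"ResourceArn": "arn:aws:s3:::productsaccountcf-bucketname-1pcfoxar1pxp"}},
     "Permissions": ["DATA_LOCATION_ACCESS"], "PermissionsWithGrantOption": []},
]


def resource_label(resource: dict) -> str:
    """Human-readable name for a list-permissions Resource object."""
    if "Catalog" in resource:
        return "catalog"
    if "Database" in resource:
        return "database:" + resource["Database"]["Name"]
    if "Table" in resource:
        t = resource["Table"]
        return f"table:{t['DatabaseName']}.{t.get('Name', '*')}"
    if "TableWithColumns" in resource:
        t = resource["TableWithColumns"]
        return f"table:{t['DatabaseName']}.{t['Name']} (column subset)"
    if "DataLocation" in resource:
        return "location:" + resource["DataLocation"]["ResourceArn"]
    return "unknown"


def audit_permissions(entries: list, admins: tuple = ()) -> list:
    """Return (resource, principal, issue) tuples for grants that widen access.

    IAMAllowedPrincipals entries are always reported: with them in place the
    resource is governed by IAM policies, not by Lake Formation grants.
    Principals listed in `admins` (your data lake administrators) are exempt
    from the grant-option and ALL checks.
    """
    findings = []
    for entry in entries:
        who = entry["Principal"]["DataLakePrincipalIdentifier"]
        res = resource_label(entry["Resource"])
        perms = set(entry.get("Permissions", []))
        grantable = set(entry.get("PermissionsWithGrantOption", []))
        if who == IAM_ALLOWED:
            findings.append((res, who, "IAMAllowedPrincipals grant: any IAM identity with "
                                       "Glue/Athena rights gets this access"))
            continue
        if who in admins:
            continue
        if grantable:
            findings.append((res, who, f"grant option on {sorted(grantable)}: can re-share"))
        if "ALL" in perms:
            findings.append((res, who, "ALL permissions on a non-admin principal"))
    return findings


if __name__ == "__main__":
    for res, who, issue in audit_permissions(SAMPLE_PERMISSIONS, admins=(ROLE,)):
        print(f"{res:<45} {who:<55} {issue}")
```

Against a real account, collect the entries with `boto3.client("lakeformation").list_permissions()`, following `NextToken` until it is absent, and pass the concatenated `PrincipalResourcePermissions` lists to `audit_permissions` with your data lake administrators as `admins`.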
You are now ready to query the data.
- In Tables, select the events table.
- From the Actions menu, choose View data.
- You are taken to the Athena console. The following screenshot shows the Athena console.
- On the Query Editor tab, enter SQL queries for the reviews and events tables.
To query the information by date, standardize the date columns and do the aggregations by creating views. In sequential order, run the following queries:
You are now ready to query. You can determine how many gdelt events occurred in the five days with the most reviews with the following query:
The following screenshot shows the query results.
January 3, 2015, had the most reviews but not the most gdelt events (833,890).
You can also discover how many reviews were written in the five days with the most gdelt events with the following query:
The following screenshot shows the query results.
January 25, 2012, had 2 million events but only 378 reviews.
You can also perform a final query to check the correlation between the two with the following query:
The following screenshot shows the query results.
The result shows that there is no correlation between the two columns.
Conclusion
This post demonstrated how to set up cross-account access to data stores through a central Lake Formation catalog. The solution walked through creating two S3 buckets in external accounts, downloading datasets into those buckets, and giving Lake Formation permission to access the data. You also learned how to govern the data in the data lakes from Lake Formation, and how to query the data in the two data lakes using Athena.
About the Authors
Shilpa Mehta is a Data Lab solutions architect at AWS. Shilpa helps our customers architect and build data and analytics prototypes in just four days in the AWS Data Lab.
Laura Caicedo Camacho is a solutions architect at AWS. She works with customers to help them embrace and adopt the cloud.
Luis Caro Perez is a solutions architect at AWS. He works with our customers to provide guidance and technical assistance on their applications, helping them improve the value of their solutions when using AWS.