Posted On: Jul 28, 2023

AWS Lake Formation is launching a Read-Only Administrator role which enables customers to add a Data Lake Administrator role with read-only permissions for Glue Data Catalog metadata and Lake Formation permissions. Previously, Data Lake Administrators could perform actions on the Glue Data Catalog and Lake Formation permissions, including modifying the Lake Formation grants and LF-Tags. Now, you can add an IAM role or user as a Read-Only Administrator. Using this role, Read-Only Administrators can view metadata and permissions without making changes. This allows Read-Only Administrators to search metadata without needing access to the data, and to validate permissions without requiring the ability to change them.

The Read-Only Administrator role allows auditing the existing catalog metadata and Lake Formation permissions while restricting the role from making changes to existing metadata, permissions, and LF-Tags. You create an IAM principal (role or user) with the IAM permissions recommended for the read-only administrator role. You can then add these principals as Read-Only Administrators from the Lake Formation console, SDK, and CLI.
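The SDK path described above goes through the Lake Formation data lake settings document: you read the current settings, add the principal under the read-only administrators list, and write the whole document back. Because the write call replaces the entire settings document, the merge step must preserve the existing full administrators and every other field. The following added example (not AWS's own code) keeps that merge as a pure function so it can be checked offline; the `boto3` calls `get_data_lake_settings` and `put_data_lake_settings` with the `DataLakeAdmins`, `ReadOnlyAdmins` and `DataLakePrincipalIdentifier` fields are the real Lake Formation API shape, while the account id, role names and `SAMPLE_SETTINGS` document are constructed for illustration.

```python
"""Add a principal to Lake Formation's Read-Only Administrators list (added example).

PutDataLakeSettings replaces the whole settings document, so the safe pattern is
read-modify-write: fetch current settings, merge the new principal into
ReadOnlyAdmins, and write everything else back unchanged. The merge logic is a
pure function (testable offline); the AWS calls are isolated in apply_read_only_admin().
"""
from __future__ import annotations

import copy

PRINCIPAL_KEY = "DataLakePrincipalIdentifier"

# Constructed sample of what get_data_lake_settings()["DataLakeSettings"] can
# look like; the ARNs and parameter values are illustrative, not real accounts.
SAMPLE_SETTINGS = {
    "DataLakeAdmins": [{PRINCIPAL_KEY: "arn:aws:iam::123456789012:role/LakeAdmin"}],
    "CreateDatabaseDefaultPermissions": [],
    "CreateTableDefaultPermissions": [],
    "Parameters": {"CROSS_ACCOUNT_VERSION": "3"},
}


def _principals(entries: list[dict]) -> set[str]:
    """ARNs listed in a DataLakeAdmins / ReadOnlyAdmins style list."""
    return {e[PRINCIPAL_KEY] for e in entries}


def add_read_only_admin(settings: dict, principal_arn: str) -> dict:
    """Return a copy of a DataLakeSettings document with principal_arn under ReadOnlyAdmins.

    Every other field, including the full DataLakeAdmins list, is carried over
    untouched; a principal already present is not duplicated (idempotent).
    """
    # A full Data Lake Administrator already has everything a read-only admin
    # has, so listing it in both places is almost certainly a mistake. This
    # guard is the example's own policy, not an API rule.
    if principal_arn in _principals(settings.get("DataLakeAdmins", [])):
        raise ValueError(
            f"{principal_arn} is already a full Data Lake Administrator; "
            "remove it from DataLakeAdmins before making it read-only"
        )
    updated = copy.deepcopy(settings)  # never mutate the caller's document
    read_only = updated.setdefault("ReadOnlyAdmins", [])
    if principal_arn not in _principals(read_only):
        read_only.append({PRINCIPAL_KEY: principal_arn})
    return updated


def describe_admins(settings: dict) -> dict[str, list[str]]:
    """Audit view: who can change the catalog and who can only read it."""
    return {
        "full": sorted(_principals(settings.get("DataLakeAdmins", []))),
        "read_only": sorted(_principals(settings.get("ReadOnlyAdmins", []))),
    }


def apply_read_only_admin(principal_arn: str, catalog_id: str | None = None) -> dict:
    """Read-modify-write against the live account. Requires credentials that
    are allowed to call lakeformation:PutDataLakeSettings (a full admin)."""
    import boto3  # imported here so the merge logic above runs without the SDK

    lf = boto3.client("lakeformation")
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    current = lf.get_data_lake_settings(**kwargs)["DataLakeSettings"]
    updated = add_read_only_admin(current, principal_arn)
    lf.put_data_lake_settings(DataLakeSettings=updated, **kwargs)
    return describe_admins(updated)


def demo() -> dict:
    """Offline walk-through on the constructed sample document."""
    auditor = "arn:aws:iam::123456789012:role/LakeAuditor"
    updated = add_read_only_admin(SAMPLE_SETTINGS, auditor)
    return describe_admins(updated)


if __name__ == "__main__":
    print(demo())
```

Run `demo()` to see the merged administrator lists on the sample document; `apply_read_only_admin("arn:aws:iam::<account>:role/<auditor-role>")` performs the same change against a real account, using the caller's configured AWS credentials. Re-running the merge is a no-op, so a deployment script can call it on every run without accumulating duplicate entries, and reviewing the `describe_admins` output before and after the write is a cheap check that no full administrator was dropped.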

The Read-Only Administrator role is available in all commercial regions where AWS Lake Formation and Glue Data Catalog are available. To get started with the Read-Only Administrator role, refer to the Lake Formation personas and IAM permissions reference.