ryohang · June 16, 2021 20:25
diff --git a/datalake_s3.yaml b/datalake_s3.yaml
 AWSTemplateFormatVersion: "2010-09-09"
 Description: Share S3 as data location to Lake Formation main account
 Parameters:
  DataS3Bucket:
    Description: Name of your data S3 bucket
    Type: String
 Resources:
  DataLocationBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: !Ref DataS3Bucket
      PolicyDocument: 
        Statement:
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::AWS_Account_ID:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess
          Action: s3:ListBucket
          Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket] ]
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::AWS_Account_ID:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess
          Action:
          - s3:DeleteObject
          - s3:GetObject
          - s3:PutObject
          Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket, "/*"] ]
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::AWS_Account_ID:role/service-role/AWSGlueServiceRole-lakeformation-crawler
          Action: s3:ListBucket
          Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket] ]
        - Effect: Allow
          Principal:
            AWS: arn:aws:iam::AWS_Account_ID:role/service-role/AWSGlueServiceRole-lakeformation-crawler
          Action:
          - s3:GetObject
          - s3:PutObject
          Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket, "/*"] ]
	AWSTemplateFormatVersion: "2010-09-09"
	Description: Share S3 as data location to Lake Formation main account
	Parameters:
	DataS3Bucket:
	Description: Name of your data S3 bucket
	Type: String
	Resources:
	DataLocationBucketPolicy:
	Type: AWS::S3::BucketPolicy
	Properties:
	Bucket: !Ref DataS3Bucket
	PolicyDocument:
	Statement:
	- Effect: Allow
	Principal:
	AWS: arn:aws:iam::AWS_Account_ID:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess
	Action: s3:ListBucket
	Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket] ]
	- Effect: Allow
	Principal:
	AWS: arn:aws:iam::AWS_Account_ID:role/aws-service-role/lakeformation.amazonaws.com/AWSServiceRoleForLakeFormationDataAccess
	Action:
	- s3:DeleteObject
	- s3:GetObject
	- s3:PutObject
	Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket, "/*"] ]
	- Effect: Allow
	Principal:
	AWS: arn:aws:iam::AWS_Account_ID:role/service-role/AWSGlueServiceRole-lakeformation-crawler
	Action: s3:ListBucket
	Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket] ]
	- Effect: Allow
	Principal:
	AWS: arn:aws:iam::AWS_Account_ID:role/service-role/AWSGlueServiceRole-lakeformation-crawler
	Action:
	- s3:GetObject
	- s3:PutObject
	Resource: !Join [ "", ["arn:aws:s3:::", !Ref DataS3Bucket, "/*"] ]