Verifying How IAM and Lake For... Note

Verifying How IAM and Lake Formation Behave for the Glue REST Catalog and S3 Tables

This article examines the differing authorization behaviors of AWS Glue REST Catalog and S3 Tables endpoints when interacting with Iceberg tables. While the Glue endpoint relies on both IAM policies and Lake Formation grants, the S3 Tables endpoint uses IAM alone for authorization. Tests were conducted by varying IAM permissions and Lake Formation grants to observe the outcomes. The baseline scenario, with both IAM and Lake Formation permissions in place, resulted in successful 200 responses from both endpoints. When Lake Formation grants were removed, the Glue endpoint returned a 403 error, indicating its dependency on Lake Formation, while the S3 Tables endpoint remained accessible with a 200 response. Conversely, removing s3tables IAM actions resulted in 403 errors from both endpoints. CloudTrail logs were used to trace the authorization flow, showing that Glue invokes GetDataAccess for Lake Formation evaluation, even if ultimately denied. The S3 Tables endpoint, however, does not trigger GetDataAccess calls. This confirms that the Glue endpoint orchestrates a two-step authorization process, first checking IAM and then delegating to Lake Formation, whereas the S3 Tables endpoint performs a single IAM authorization check.