Setup
Lake Formation permissions are managed across both Ryft planes. The control plane reads existing LF grants to audit the current access state, while the data plane applies grants on Ryft’s behalf. The required IAM permissions for both roles are provisioned as part of the initial Ryft deployment. If access management was not enabled at that time, contact your Ryft representative: they will provide a CloudFormation stack to update your existing control plane and data plane roles with the necessary permissions.
Prerequisites
IdP Group to IAM Role Mapping
Lake Formation enforces access using IAM roles. For Ryft to apply policies defined in terms of IdP groups, a mapping between IdP groups and IAM roles must be established. Ryft supports two approaches:
AWS IAM Identity Center (recommended)
Ryft can automatically sync group-to-role mappings from AWS IAM Identity Center. This supports AWSReservedSSO_* roles, which are automatically created by Identity Center and mapped to permission sets. Enabling this requires read access to your AWS management account.
Custom static mapping
If Identity Center is not available, you can provide a static mapping of IdP groups to IAM roles. Ryft uses this mapping at policy enforcement time to resolve which IAM role a given group corresponds to.
Contact your Ryft representative to configure either option.
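As an added illustration (not Ryft's own code), the Python below shows how the two mapping approaches resolve an IdP group to an IAM role: an Identity Center account assignment is matched to the AWSReservedSSO_* role provisioned for its permission set, and the static mapping serves as the fallback. Group names, permission set names, role names and ARNs are constructed sample values; the resolver class is a hypothetical helper.

```python
import re
from dataclasses import dataclass, field

# Identity Center provisions one IAM role per permission set in each target
# account, named AWSReservedSSO_<PermissionSetName>_<16-hex-suffix>.
SSO_ROLE_RE = re.compile(r"^AWSReservedSSO_(?P<pset>.+)_[0-9a-f]{16}$")


@dataclass
class GroupRoleResolver:
    """Hypothetical resolver from IdP group name to IAM role ARN."""
    # Identity Center input: group name -> permission set name (account assignments).
    assignments: dict
    # IAM roles present in the target account: role name -> role ARN.
    iam_roles: dict
    # Optional static fallback: group name -> IAM role ARN.
    static_mapping: dict = field(default_factory=dict)

    def _sso_roles_by_permission_set(self):
        # Index the AWSReservedSSO_* roles by the permission set they implement.
        out = {}
        for name, arn in self.iam_roles.items():
            m = SSO_ROLE_RE.match(name)
            if m:
                out[m.group("pset")] = arn
        return out

    def resolve(self, group):
        # Identity Center (recommended) takes precedence; static mapping is the fallback.
        pset = self.assignments.get(group)
        if pset is not None:
            arn = self._sso_roles_by_permission_set().get(pset)
            if arn:
                return arn
        return self.static_mapping.get(group)

    def unresolved(self):
        # Groups that a policy could reference but that map to no role in this account.
        groups = set(self.assignments) | set(self.static_mapping)
        return sorted(g for g in groups if self.resolve(g) is None)


# Constructed sample data (not real accounts, groups or roles).
SAMPLE_ASSIGNMENTS = {"data-analysts": "AnalystReadOnly", "data-engineers": "DataEngineer"}
SAMPLE_IAM_ROLES = {
    "AWSReservedSSO_AnalystReadOnly_0123456789abcdef":
        "arn:aws:iam::111111111111:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AnalystReadOnly_0123456789abcdef",
    "SomeOtherRole": "arn:aws:iam::111111111111:role/SomeOtherRole",
}
SAMPLE_STATIC = {"finance": "arn:aws:iam::111111111111:role/FinanceLakeRole"}
```

In the sample, data-engineers is assigned a permission set whose role was never provisioned into the account, so it surfaces in unresolved() rather than silently resolving to nothing.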