Lake Formation Access Model
Data Platform access is layered. A successful query or write usually needs all of these to align:
| Layer | Purpose | Example Failure Signal |
|---|---|---|
| IAM transport permissions | Allows the principal to call AWS APIs such as Glue, Lake Formation, Athena, or S3. | AccessDenied for an AWS API action. |
| Glue resource policy | Allows cross-account principals to access the producer Glue catalog. | Glue AccessDeniedException on GetDatabases, GetTable, or UpdateTable. |
| Lake Formation grants | Authorizes catalog, database, table, and data-location access. | Lake Formation Required Describe, Insufficient Lake Formation permissions, or denied GetDataAccess. |
| S3 bucket policy | Allows physical data and metadata file reads/writes. | S3 AccessDenied on GetObject, PutObject, or ListBucket. |
| Engine/catalog config | Points Spark, Polaris, Snowflake, or Grafana at the intended catalog and account. | Catalog not found, table not initialized, or queries showing data from the wrong account. |
Current Cross-Environment Shape
- Same-environment writes remain normal for each environment’s local Kyuubi and service roles.
- Cross-environment reads use remote Spark catalog aliases with the same `lakehouse_<env>` naming pattern, but each Kyuubi environment only has the aliases explicitly configured in `terraform/kyuubi/env/<env>/main.tf`.
- The approved dev-write exception allows stage, preprod, and prod interactive Kyuubi roles to write existing dev Iceberg tables.
- Remote new-table creation into dev remains unresolved for cross-account interactive Kyuubi and should not be treated as supported.
Current Kyuubi remote alias coverage:
| Kyuubi Environment | Local Catalog | Remote Aliases |
|---|---|---|
| dev | lakehouse_dev | lakehouse_stage, lakehouse_preprod |
| stage | lakehouse_stage | lakehouse_dev, lakehouse_preprod |
| preprod | lakehouse_preprod | lakehouse_dev, lakehouse_stage |
| prod | lakehouse_prod | lakehouse_dev, lakehouse_stage, lakehouse_preprod |
The table above describes Spark/Kyuubi catalog configuration only. Lake Formation and S3 grants may exist more broadly, but a Spark query still needs the catalog alias configured in that environment.
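As an added example (not part of this page or the platform's own tooling), the following Python pre-flight check encodes the alias table and the cross-environment write rules above so a Spark/Kyuubi statement can be checked before it reaches AWS. The function and data-structure names are assumptions, and attributing a cross-environment write refusal to the Lake Formation/S3 grant layers is an assumption as well; a `True` result only means the engine/catalog layer is satisfied.

```python
from dataclasses import dataclass

# Alias coverage copied from the Kyuubi alias table above (constructed as data here).
LOCAL_CATALOG = {env: f"lakehouse_{env}" for env in ("dev", "stage", "preprod", "prod")}
REMOTE_ALIASES = {
    "dev": {"lakehouse_stage", "lakehouse_preprod"},
    "stage": {"lakehouse_dev", "lakehouse_preprod"},
    "preprod": {"lakehouse_dev", "lakehouse_stage"},
    "prod": {"lakehouse_dev", "lakehouse_stage", "lakehouse_preprod"},
}
# Environments whose interactive Kyuubi roles hold the approved dev-write exception.
DEV_WRITE_EXCEPTION_SOURCES = {"stage", "preprod", "prod"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    layer: str    # layer of the access model that decides this outcome (assumed labels)
    reason: str


def evaluate(kyuubi_env, catalog, operation, role_kind, table_exists=True):
    """operation: "read", "write" (existing table) or "create" (new table);
    role_kind: "interactive" or "service". Hypothetical helper, not platform code."""
    if kyuubi_env not in LOCAL_CATALOG:
        raise ValueError(f"unknown Kyuubi environment: {kyuubi_env}")
    local = LOCAL_CATALOG[kyuubi_env]
    # Layer 5: the catalog must be the local one or an alias configured for this environment.
    if catalog != local and catalog not in REMOTE_ALIASES[kyuubi_env]:
        return Decision(False, "engine/catalog config",
                        f"{catalog} is not configured in terraform/kyuubi/env/{kyuubi_env}/main.tf")
    # Reads through a configured alias and all same-environment writes are normal.
    if operation == "read" or catalog == local:
        return Decision(True, "engine/catalog config",
                        "catalog resolvable; Glue, Lake Formation and S3 grants still apply")
    # Cross-environment write or create: only the dev-write exception is approved.
    if (catalog == "lakehouse_dev" and kyuubi_env in DEV_WRITE_EXCEPTION_SOURCES
            and role_kind == "interactive"):
        if operation == "write" and table_exists:
            return Decision(True, "Lake Formation/S3 grants",
                            "approved dev-write exception for existing dev Iceberg tables")
        return Decision(False, "Lake Formation/S3 grants",
                        "remote new-table creation into dev is unresolved; not supported")
    return Decision(False, "Lake Formation/S3 grants",
                    "cross-environment writes are only approved into existing dev tables")
```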
Checked Against
- implementations/2026-05-22-dl-419-dev-catalog-interactive-write-exception-progress.md
- implementations/2026-05-21-dl-419-prod-dataops-runtime-progress.md
- terraform/lakehouse/env/* on origin/main
- terraform/kyuubi/env/* on origin/main