PluginBench
Skill
Pass
Audit score 90

creating-data-lake-table

aws/agent-toolkit-for-aws

How to install creating-data-lake-table

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill creating-data-lake-table
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from aws/agent-toolkit-for-aws.


name: creating-data-lake-table description: >- Create managed Iceberg tables using Amazon S3 Tables (s3tables API namespace) with automatic compaction and snapshot management. Sets up table bucket, namespace, table, schema, Glue catalog registration, partitioning, IAM access control. Triggers on: create table, data lake table, analytics table, structured data storage, S3 Tables, Iceberg, Athena table, partitioning strategy, access permissions. Do NOT use for: importing files (use ingesting-into-data-lake), vector storage (use storing-and-querying-vectors), querying existing tables (use querying-data-lake), or locating existing table (use finding-data-lake-assets). version: 1 argument-hint: '[table-description|schema-spec]'

Create Data Lake Tables with Amazon S3 Tables

Overview

Amazon S3 Tables provides managed Iceberg tables with automatic compaction and snapshot management. Queryable via Athena and Iceberg-compatible engines.

Common Tasks

You MUST use AWS MCP server tools when connected, they provide command validation, sandboxed execution, and audit logging. Fall back to AWS CLI if MCP unavailable.

Decision Guide

Before creating, You MUST check what exists:

You MUST run aws glue get-tables --database-name <NAME> when user mentions a database.

What you findAction
Fuzzy database name ("our analytics db")You MUST STOP. Delegate to finding-data-lake-assets to resolve.
Non-S3-Tables table with matching nameYou MUST STOP. Delegate to finding-data-lake-assets. You MUST NOT create until user confirms.
Existing S3 Tables table with matching nameYou MUST check schema match. Reuse if compatible, recreate only if user confirms.
No matching tablesProceed with creation (Steps 1-8).
User explicitly requests new S3 Tables tableSkip checks, proceed with creation.

Creation paths:

  • Existing data in S3: Create empty table (Steps 1-8), then use ingesting-into-data-lake skill.
  • Glue ETL pipeline: Read references/table-creation-glue-etl.md first, then Steps 1-6.
  • Lake Formation access control: Search AWS docs for "S3 Tables integration with Lake Formation".

1. Verify Dependencies

Constraints:

  • You MUST check whether AWS MCP server tools or AWS CLI are available and inform user if missing
  • You MUST confirm target AWS region and verify credentials with aws sts get-caller-identity

2. Understand the Schema

  • Explicit schema: Validate Iceberg types.
  • Loose description: Ask columns, types, grain. Propose and confirm.
  • Existing S3 data: Infer schema from file headers only. Create empty table first, then use ingesting-into-data-lake skill.

Constraints:

  • You MUST read references/best-practices.md for Iceberg type mapping, partitions, and naming.
  • You MUST ask for all required parameters upfront: table name, columns, types, partition strategy. For schema evolution, see references/athena-ddl-path.md.
  • You MUST use all lowercase names -- Glue rejects mixed case with GENERIC_INTERNAL_ERROR. Namespace and table names MUST NOT contain hyphens.
  • You SHOULD suggest partition columns based on access patterns.

3. Create Table Bucket

Names: 3-63 chars, lowercase, numbers, hyphens.

aws s3tables create-table-bucket --name <BUCKET_NAME> --region <REGION>

Capture table-bucket-arn. Encryption (SSE-S3 default, SSE-KMS) and storage class (STANDARD, INTELLIGENT_TIERING) set at creation. See references/best-practices.md.

Constraints:

  • You MUST check existing buckets with aws s3tables list-table-buckets and ask user to select or create new.
  • If using SSE-KMS, KMS key policy MUST allow S3 Tables maintenance service principal to read data. Search AWS docs for "S3 Tables KMS key policy" for required policy.
  • If bucket creation fails, see references/best-practices.md for common errors.

4. Create Namespace

aws s3tables create-namespace --table-bucket-arn <ARN> --namespace <NAMESPACE>

Constraints:

  • You MUST list existing namespaces first and suggest reusing if relevant
  • You MUST use lowercase names with no hyphens

5. Create Glue Data Catalog Integration

Check if s3tablescatalog exists (create once per region per account):

aws glue get-catalog --catalog-id s3tablescatalog

If not found, create (requires glue:CreateCatalog, glue:passConnection):

aws glue create-catalog --name "s3tablescatalog" --catalog-input '{
  "FederatedCatalog": {
    "Identifier": "arn:aws:s3tables:<REGION>:<ACCOUNT_ID>:bucket/*",
    "ConnectionName": "aws:s3tables"
  },
  "CreateDatabaseDefaultPermissions": [{"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"}, "Permissions": ["ALL"]}],
  "CreateTableDefaultPermissions": [{"Principal": {"DataLakePrincipalIdentifier": "IAM_ALLOWED_PRINCIPALS"}, "Permissions": ["ALL"]}],
  "AllowFullTableExternalDataAccess": "True"
}'

Verify with aws glue get-catalogs --parent-catalog-id s3tablescatalog.

6. Configure Access Control

S3 Tables uses s3tables:* IAM namespace (not s3:*).

Querying principal permissions (bucket policy):

  • s3tables:GetTableBucket, s3tables:GetNamespace, s3tables:GetTable, s3tables:GetTableMetadataLocation, s3tables:GetTableData

Querying principal permissions (IAM policy):

  • glue:GetCatalog, glue:GetDatabase, glue:GetTable

You MUST scope to correct ARN patterns. You MUST read references/access-control.md for exact resource ARNs.

Constraints:

  • You MUST ask user for querying principal ARN
  • You MUST NOT grant broader permissions than necessary
  • You MUST NOT create IAM roles automatically, verify existing and guide user

7. Create the Table

ContextPath
Default (any user)S3 Tables API (below)
User specifically wants SQL DDLAthena DDL (see references/athena-ddl-path.md)
Glue ETL pipelineSpark DDL via --conf job args (not spark.conf.set()). You MUST read references/table-creation-glue-etl.md for the --conf string.

Default: S3 Tables API:

aws s3tables create-table \
  --table-bucket-arn <ARN> \
  --namespace <NAMESPACE> \
  --name <TABLE_NAME> \
  --format ICEBERG \
  --metadata '<METADATA_JSON>'

Metadata JSON MUST nest under "iceberg" key:

{"iceberg":{"schema":{"fields":[
  {"name":"order_date","type":"date","required":true},
  {"name":"customer_id","type":"string","required":true},
  {"name":"amount","type":"double","required":false}
]},
"partitionSpec":{"fields":[
  {"sourceId":1,"fieldId":1000,"transform":"month","name":"order_date_month"}
]}}}

Constraints:

  • partitionSpec.sourceId MUST reference a valid schema field ID
  • For schema evolution after creation, use Athena DDL. See references/athena-ddl-path.md
  • You MUST use schemaV2 for complex types (list, map, struct) with explicit field IDs. See references/best-practices.md.
  • You SHOULD search AWS docs for "IcebergPartitionField S3 Tables" for supported partition transforms

8. Verify and Confirm

You MUST verify with aws s3tables get-table and confirm queryability with DESCRIBE <table_name> via Athena using --query-execution-context '{"Catalog":"s3tablescatalog/<BUCKET_NAME>","Database":"<NAMESPACE>"}'. Do NOT put catalog in SQL. Present summary: bucket ARN, namespace, table, schema, partitions.

Troubleshooting

ErrorCauseFix
"Table location can not be specified"LOCATION in CREATE TABLERemove LOCATION clause. S3 Tables manages storage automatically.
AccessDeniedException with s3:* policyUsing s3:* not s3tables:*S3 Tables uses s3tables:* namespace. Update IAM policy.

Additional Resources

Related skills

More from aws/agent-toolkit-for-aws and the wider catalog.

AW

aws-iam

aws/agent-toolkit-for-aws

"Verified corrections for IAM behaviors that AI agents frequently get\

2.6k installsAudited
AW

aws-serverless

aws/agent-toolkit-for-aws

Builds, deploys, manages, debugs, configures, and optimizes serverless applications on AWS using Lambda, API Gateway, Step Functions, EventBridge, and SAM/CDK. Covers cold starts, CORS debugging, event source mappings, troubleshooting, concurrency, SnapStart, Powertools, function URLs, EventBridge Scheduler, Lambda layers, and production readiness. Triggers on mentions of Lambda, API Gateway, Step Functions, SAM templates, CDK serverless stacks, DynamoDB stream triggers, SQS event sources, cold starts, timeouts, 502/504 errors, throttling, concurrency, CORS, Powertools, or any event-driven architecture on AWS, even without the word "serverless." Does not apply to EC2, ECS/Fargate containers, or Amplify hosting.

2.4k installsAudited
AW

aws-cdk

aws/agent-toolkit-for-aws

Authors, deploys, and troubleshoots AWS infrastructure using CDK with TypeScript or Python. Covers best practices, stack architecture, and construct patterns. Always use when writing CDK constructs, bootstrapping environments, running cdk deploy/synth/diff, fixing CDK or CloudFormation errors, planning stack structure, importing existing resources, resolving drift, or refactoring stacks without resource replacement.

2.3k installsAudited
AW

aws-observability

aws/agent-toolkit-for-aws

Builds, configures, debugs, and optimizes AWS observability using CloudWatch (Logs Insights, Metrics, Alarms, Dashboards, EMF), X-Ray, CloudTrail, and ADOT. Covers Log Insights query syntax (fields, filter, stats, parse, pattern, join, subqueries), alarm configuration (metric, composite, anomaly detection, missing data treatment), dashboard design, custom metrics (PutMetricData, EMF, metric filters), X-Ray tracing (ADOT, sampling rules, annotations vs metadata), ADOT collector config, and CloudTrail auditing. Use when the user mentions CloudWatch, Log Insights, alarms, INSUFFICIENT_DATA, dashboards, custom metrics, EMF, X-Ray, traces, sampling, CloudTrail, who deleted, ADOT, OpenTelemetry, observability, monitoring, synthetics, canaries, or troubleshooting alarm behavior. Do NOT use for application logging setup, container log drivers, or security threat detection.

2.2k installsAudited
AM

amazon-bedrock

aws/agent-toolkit-for-aws

Builds generative AI applications on Amazon Bedrock. Covers model invocation (Converse API, InvokeModel), RAG with Knowledge Bases, Bedrock Agents, Guardrails, and AgentCore. Use when invoking models, setting up Knowledge Bases, creating agents, applying guardrails, deploying to AgentCore, troubleshooting Bedrock errors (ThrottlingException, AccessDeniedException), or choosing models (Claude, Llama, Nova, Titan). ALSO USE for prompt caching setup and debugging, quota health checks and throttling diagnosis, cost attribution and tracking, migrating between Claude model generations (4.5 to 4.6 to 4.7), chunking strategies, API selection (Converse vs InvokeModel), guardrail capabilities, and model selection. Also covers AgentCore Payments setup (x402, microtransactions, Payment Manager, Connector, Instrument, Coinbase CDP, Stripe Privy, 402 Payment Required, pay for content, paid endpoint, agent payments). NOT for custom model training, Rekognition, or Comprehend.

2.1k installs
AW

aws-billing-and-cost-management

aws/agent-toolkit-for-aws

|

2.1k installs