aws.lakeformation.Permissions
Explore with Pulumi AI
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.
!> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and IAMAllowedPrincipals
for additional details.
NOTE: In general, the
principal
should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running the deployment. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights usingaws.lakeformation.DataLakeSettings
, not with this resource.
Default Behavior and IAMAllowedPrincipals
Lake Formation permissions are not in effect by default within AWS. IAMAllowedPrincipals
(i.e., IAM_ALLOWED_PRINCIPALS
) conflicts with individual Lake Formation permissions (i.e., non-IAMAllowedPrincipals
permissions), will cause unexpected behavior, and may result in errors.
When using Lake Formation, choose ONE of the following options as they are mutually exclusive:
- Use this resource (
aws.lakeformation.Permissions
), change the default security settings usingaws.lakeformation.DataLakeSettings
, and remove existingIAMAllowedPrincipals
permissions - Use
IAMAllowedPrincipals
withoutaws.lakeformation.Permissions
This example shows removing the IAMAllowedPrincipals
default security settings and making the caller a Lake Formation admin. Since create_database_default_permissions
and create_table_default_permissions
are not set in the aws.lakeformation.DataLakeSettings
resource, they are cleared.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const current = aws.getCallerIdentity({});
const currentGetSessionContext = current.then(current => aws.iam.getSessionContext({
arn: current.arn,
}));
const test = new aws.lakeformation.DataLakeSettings("test", {admins: [currentGetSessionContext.then(currentGetSessionContext => currentGetSessionContext.issuerArn)]});
import pulumi
import pulumi_aws as aws
current = aws.get_caller_identity()
current_get_session_context = aws.iam.get_session_context(arn=current.arn)
test = aws.lakeformation.DataLakeSettings("test", admins=[current_get_session_context.issuer_arn])
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
if err != nil {
return err
}
currentGetSessionContext, err := iam.GetSessionContext(ctx, &iam.GetSessionContextArgs{
Arn: current.Arn,
}, nil)
if err != nil {
return err
}
_, err = lakeformation.NewDataLakeSettings(ctx, "test", &lakeformation.DataLakeSettingsArgs{
Admins: pulumi.StringArray{
pulumi.String(currentGetSessionContext.IssuerArn),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var current = Aws.GetCallerIdentity.Invoke();
var currentGetSessionContext = Aws.Iam.GetSessionContext.Invoke(new()
{
Arn = current.Apply(getCallerIdentityResult => getCallerIdentityResult.Arn),
});
var test = new Aws.LakeFormation.DataLakeSettings("test", new()
{
Admins = new[]
{
currentGetSessionContext.Apply(getSessionContextResult => getSessionContextResult.IssuerArn),
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetSessionContextArgs;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var current = AwsFunctions.getCallerIdentity();
final var currentGetSessionContext = IamFunctions.getSessionContext(GetSessionContextArgs.builder()
.arn(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.arn()))
.build());
var test = new DataLakeSettings("test", DataLakeSettingsArgs.builder()
.admins(currentGetSessionContext.applyValue(getSessionContextResult -> getSessionContextResult.issuerArn()))
.build());
}
}
resources:
test:
type: aws:lakeformation:DataLakeSettings
properties:
admins:
- ${currentGetSessionContext.issuerArn}
variables:
current:
fn::invoke:
Function: aws:getCallerIdentity
Arguments: {}
currentGetSessionContext:
fn::invoke:
Function: aws:iam:getSessionContext
Arguments:
arn: ${current.arn}
To remove existing IAMAllowedPrincipals
permissions, use the AWS Lake Formation Console or AWS CLI.
IAMAllowedPrincipals
is a hook to maintain backwards compatibility with AWS Glue. IAMAllowedPrincipals
is a pseudo-entity group that acts like a Lake Formation principal. The group includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies.
This is Lake Formation’s default behavior:
- Lake Formation grants
Super
permission toIAMAllowedPrincipals
on all existing AWS Glue Data Catalog resources. - Lake Formation enables “Use only IAM access control” for new Data Catalog resources.
For more details, see Changing the Default Security Settings for Your Data Lake.
Problem Using IAMAllowedPrincipals
AWS does not support combining IAMAllowedPrincipals
permissions and non-IAMAllowedPrincipals
permissions. Doing so results in unexpected permissions and behaviors. For example, this configuration grants a user SELECT
on a column in a table.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.glue.CatalogDatabase("example", {name: "sadabate"});
const exampleCatalogTable = new aws.glue.CatalogTable("example", {
name: "abelt",
databaseName: test.name,
storageDescriptor: {
columns: [{
name: "event",
type: "string",
}],
},
});
const examplePermissions = new aws.lakeformation.Permissions("example", {
permissions: ["SELECT"],
principal: "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
tableWithColumns: {
databaseName: exampleCatalogTable.databaseName,
name: exampleCatalogTable.name,
columnNames: ["event"],
},
});
import pulumi
import pulumi_aws as aws
example = aws.glue.CatalogDatabase("example", name="sadabate")
example_catalog_table = aws.glue.CatalogTable("example",
name="abelt",
database_name=test["name"],
storage_descriptor={
"columns": [{
"name": "event",
"type": "string",
}],
})
example_permissions = aws.lakeformation.Permissions("example",
permissions=["SELECT"],
principal="arn:aws:iam:us-east-1:123456789012:user/SanHolo",
table_with_columns={
"database_name": example_catalog_table.database_name,
"name": example_catalog_table.name,
"column_names": ["event"],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/glue"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := glue.NewCatalogDatabase(ctx, "example", &glue.CatalogDatabaseArgs{
Name: pulumi.String("sadabate"),
})
if err != nil {
return err
}
exampleCatalogTable, err := glue.NewCatalogTable(ctx, "example", &glue.CatalogTableArgs{
Name: pulumi.String("abelt"),
DatabaseName: pulumi.Any(test.Name),
StorageDescriptor: &glue.CatalogTableStorageDescriptorArgs{
Columns: glue.CatalogTableStorageDescriptorColumnArray{
&glue.CatalogTableStorageDescriptorColumnArgs{
Name: pulumi.String("event"),
Type: pulumi.String("string"),
},
},
},
})
if err != nil {
return err
}
_, err = lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
Permissions: pulumi.StringArray{
pulumi.String("SELECT"),
},
Principal: pulumi.String("arn:aws:iam:us-east-1:123456789012:user/SanHolo"),
TableWithColumns: &lakeformation.PermissionsTableWithColumnsArgs{
DatabaseName: exampleCatalogTable.DatabaseName,
Name: exampleCatalogTable.Name,
ColumnNames: pulumi.StringArray{
pulumi.String("event"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Glue.CatalogDatabase("example", new()
{
Name = "sadabate",
});
var exampleCatalogTable = new Aws.Glue.CatalogTable("example", new()
{
Name = "abelt",
DatabaseName = test.Name,
StorageDescriptor = new Aws.Glue.Inputs.CatalogTableStorageDescriptorArgs
{
Columns = new[]
{
new Aws.Glue.Inputs.CatalogTableStorageDescriptorColumnArgs
{
Name = "event",
Type = "string",
},
},
},
});
var examplePermissions = new Aws.LakeFormation.Permissions("example", new()
{
PermissionDetails = new[]
{
"SELECT",
},
Principal = "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
TableWithColumns = new Aws.LakeFormation.Inputs.PermissionsTableWithColumnsArgs
{
DatabaseName = exampleCatalogTable.DatabaseName,
Name = exampleCatalogTable.Name,
ColumnNames = new[]
{
"event",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.glue.CatalogDatabase;
import com.pulumi.aws.glue.CatalogDatabaseArgs;
import com.pulumi.aws.glue.CatalogTable;
import com.pulumi.aws.glue.CatalogTableArgs;
import com.pulumi.aws.glue.inputs.CatalogTableStorageDescriptorArgs;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsTableWithColumnsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new CatalogDatabase("example", CatalogDatabaseArgs.builder()
.name("sadabate")
.build());
var exampleCatalogTable = new CatalogTable("exampleCatalogTable", CatalogTableArgs.builder()
.name("abelt")
.databaseName(test.name())
.storageDescriptor(CatalogTableStorageDescriptorArgs.builder()
.columns(CatalogTableStorageDescriptorColumnArgs.builder()
.name("event")
.type("string")
.build())
.build())
.build());
var examplePermissions = new Permissions("examplePermissions", PermissionsArgs.builder()
.permissions("SELECT")
.principal("arn:aws:iam:us-east-1:123456789012:user/SanHolo")
.tableWithColumns(PermissionsTableWithColumnsArgs.builder()
.databaseName(exampleCatalogTable.databaseName())
.name(exampleCatalogTable.name())
.columnNames("event")
.build())
.build());
}
}
resources:
example:
type: aws:glue:CatalogDatabase
properties:
name: sadabate
exampleCatalogTable:
type: aws:glue:CatalogTable
name: example
properties:
name: abelt
databaseName: ${test.name}
storageDescriptor:
columns:
- name: event
type: string
examplePermissions:
type: aws:lakeformation:Permissions
name: example
properties:
permissions:
- SELECT
principal: arn:aws:iam:us-east-1:123456789012:user/SanHolo
tableWithColumns:
databaseName: ${exampleCatalogTable.databaseName}
name: ${exampleCatalogTable.name}
columnNames:
- event
The resulting permissions depend on whether the table had IAMAllowedPrincipals
(IAP) permissions or not.
Result With IAP | Result Without IAP |
---|---|
SELECT column wildcard (i.e., all columns) | SELECT on "event" (as expected) |
Using Lake Formation Permissions
Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. These implicit permissions cannot be revoked per se. If this resource reads implicit permissions, it will attempt to revoke them, which causes an error when the resource is destroyed.
There are two ways to avoid these errors. First, and the way we recommend, is to avoid using this resource with principals that have implicit permissions. A second, error-prone option, is to grant explicit permissions (and permissions_with_grant_option
) to “overwrite” a principal’s implicit permissions, which you can then revoke with this resource. For more information, see Implicit Lake Formation Permissions.
If the principal
is also a data lake administrator, AWS grants implicit permissions that can cause errors using this resource. For example, AWS implicitly grants a principal
/administrator permissions
and permissions_with_grant_option
of ALL
, ALTER
, DELETE
, DESCRIBE
, DROP
, INSERT
, and SELECT
on a table. If you use this resource to explicitly grant the principal
/administrator permissions
but not permissions_with_grant_option
of ALL
, ALTER
, DELETE
, DESCRIBE
, DROP
, INSERT
, and SELECT
on the table, this resource will read the implicit permissions_with_grant_option
and attempt to revoke them when the resource is destroyed. Doing so will cause an InvalidInputException: No permissions revoked
error because you cannot revoke implicit permissions per se. To workaround this problem, explicitly grant the principal
/administrator permissions
and permissions_with_grant_option
, which can then be revoked. Similarly, granting a principal
/administrator permissions on a table with columns and providing column_names
, will result in a InvalidInputException: Permissions modification is invalid
error because you are narrowing the implicit permissions. Instead, set wildcard
to true
and remove the column_names
.
Example Usage
Grant Permissions For A Lake Formation S3 Resource
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.Permissions("example", {
principal: workflowRole.arn,
permissions: ["DATA_LOCATION_ACCESS"],
dataLocation: {
arn: exampleAwsLakeformationResource.arn,
},
});
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.Permissions("example",
principal=workflow_role["arn"],
permissions=["DATA_LOCATION_ACCESS"],
data_location={
"arn": example_aws_lakeformation_resource["arn"],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(workflowRole.Arn),
Permissions: pulumi.StringArray{
pulumi.String("DATA_LOCATION_ACCESS"),
},
DataLocation: &lakeformation.PermissionsDataLocationArgs{
Arn: pulumi.Any(exampleAwsLakeformationResource.Arn),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.Permissions("example", new()
{
Principal = workflowRole.Arn,
PermissionDetails = new[]
{
"DATA_LOCATION_ACCESS",
},
DataLocation = new Aws.LakeFormation.Inputs.PermissionsDataLocationArgs
{
Arn = exampleAwsLakeformationResource.Arn,
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsDataLocationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Permissions("example", PermissionsArgs.builder()
.principal(workflowRole.arn())
.permissions("DATA_LOCATION_ACCESS")
.dataLocation(PermissionsDataLocationArgs.builder()
.arn(exampleAwsLakeformationResource.arn())
.build())
.build());
}
}
resources:
example:
type: aws:lakeformation:Permissions
properties:
principal: ${workflowRole.arn}
permissions:
- DATA_LOCATION_ACCESS
dataLocation:
arn: ${exampleAwsLakeformationResource.arn}
Grant Permissions For A Glue Catalog Database
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.Permissions("example", {
principal: workflowRole.arn,
permissions: [
"CREATE_TABLE",
"ALTER",
"DROP",
],
database: {
name: exampleAwsGlueCatalogDatabase.name,
catalogId: "110376042874",
},
});
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.Permissions("example",
principal=workflow_role["arn"],
permissions=[
"CREATE_TABLE",
"ALTER",
"DROP",
],
database={
"name": example_aws_glue_catalog_database["name"],
"catalog_id": "110376042874",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(workflowRole.Arn),
Permissions: pulumi.StringArray{
pulumi.String("CREATE_TABLE"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
Database: &lakeformation.PermissionsDatabaseArgs{
Name: pulumi.Any(exampleAwsGlueCatalogDatabase.Name),
CatalogId: pulumi.String("110376042874"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.Permissions("example", new()
{
Principal = workflowRole.Arn,
PermissionDetails = new[]
{
"CREATE_TABLE",
"ALTER",
"DROP",
},
Database = new Aws.LakeFormation.Inputs.PermissionsDatabaseArgs
{
Name = exampleAwsGlueCatalogDatabase.Name,
CatalogId = "110376042874",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsDatabaseArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Permissions("example", PermissionsArgs.builder()
.principal(workflowRole.arn())
.permissions(
"CREATE_TABLE",
"ALTER",
"DROP")
.database(PermissionsDatabaseArgs.builder()
.name(exampleAwsGlueCatalogDatabase.name())
.catalogId("110376042874")
.build())
.build());
}
}
resources:
example:
type: aws:lakeformation:Permissions
properties:
principal: ${workflowRole.arn}
permissions:
- CREATE_TABLE
- ALTER
- DROP
database:
name: ${exampleAwsGlueCatalogDatabase.name}
catalogId: '110376042874'
Grant Permissions Using Tag-Based Access Control
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.lakeformation.Permissions("test", {
principal: salesRole.arn,
permissions: [
"CREATE_TABLE",
"ALTER",
"DROP",
],
lfTagPolicy: {
resourceType: "DATABASE",
expressions: [
{
key: "Team",
values: ["Sales"],
},
{
key: "Environment",
values: [
"Dev",
"Production",
],
},
],
},
});
import pulumi
import pulumi_aws as aws
test = aws.lakeformation.Permissions("test",
principal=sales_role["arn"],
permissions=[
"CREATE_TABLE",
"ALTER",
"DROP",
],
lf_tag_policy={
"resource_type": "DATABASE",
"expressions": [
{
"key": "Team",
"values": ["Sales"],
},
{
"key": "Environment",
"values": [
"Dev",
"Production",
],
},
],
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "test", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(salesRole.Arn),
Permissions: pulumi.StringArray{
pulumi.String("CREATE_TABLE"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
LfTagPolicy: &lakeformation.PermissionsLfTagPolicyArgs{
ResourceType: pulumi.String("DATABASE"),
Expressions: lakeformation.PermissionsLfTagPolicyExpressionArray{
&lakeformation.PermissionsLfTagPolicyExpressionArgs{
Key: pulumi.String("Team"),
Values: pulumi.StringArray{
pulumi.String("Sales"),
},
},
&lakeformation.PermissionsLfTagPolicyExpressionArgs{
Key: pulumi.String("Environment"),
Values: pulumi.StringArray{
pulumi.String("Dev"),
pulumi.String("Production"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.LakeFormation.Permissions("test", new()
{
Principal = salesRole.Arn,
PermissionDetails = new[]
{
"CREATE_TABLE",
"ALTER",
"DROP",
},
LfTagPolicy = new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyArgs
{
ResourceType = "DATABASE",
Expressions = new[]
{
new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
{
Key = "Team",
Values = new[]
{
"Sales",
},
},
new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
{
Key = "Environment",
Values = new[]
{
"Dev",
"Production",
},
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsLfTagPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new Permissions("test", PermissionsArgs.builder()
.principal(salesRole.arn())
.permissions(
"CREATE_TABLE",
"ALTER",
"DROP")
.lfTagPolicy(PermissionsLfTagPolicyArgs.builder()
.resourceType("DATABASE")
.expressions(
PermissionsLfTagPolicyExpressionArgs.builder()
.key("Team")
.values("Sales")
.build(),
PermissionsLfTagPolicyExpressionArgs.builder()
.key("Environment")
.values(
"Dev",
"Production")
.build())
.build())
.build());
}
}
resources:
test:
type: aws:lakeformation:Permissions
properties:
principal: ${salesRole.arn}
permissions:
- CREATE_TABLE
- ALTER
- DROP
lfTagPolicy:
resourceType: DATABASE
expressions:
- key: Team
values:
- Sales
- key: Environment
values:
- Dev
- Production
Create Permissions Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Permissions(name: string, args: PermissionsArgs, opts?: CustomResourceOptions);
@overload
def Permissions(resource_name: str,
args: PermissionsArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Permissions(resource_name: str,
opts: Optional[ResourceOptions] = None,
permissions: Optional[Sequence[str]] = None,
principal: Optional[str] = None,
catalog_id: Optional[str] = None,
catalog_resource: Optional[bool] = None,
data_cells_filter: Optional[PermissionsDataCellsFilterArgs] = None,
data_location: Optional[PermissionsDataLocationArgs] = None,
database: Optional[PermissionsDatabaseArgs] = None,
lf_tag: Optional[PermissionsLfTagArgs] = None,
lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
permissions_with_grant_options: Optional[Sequence[str]] = None,
table: Optional[PermissionsTableArgs] = None,
table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None)
func NewPermissions(ctx *Context, name string, args PermissionsArgs, opts ...ResourceOption) (*Permissions, error)
public Permissions(string name, PermissionsArgs args, CustomResourceOptions? opts = null)
public Permissions(String name, PermissionsArgs args)
public Permissions(String name, PermissionsArgs args, CustomResourceOptions options)
type: aws:lakeformation:Permissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var permissionsResource = new Aws.LakeFormation.Permissions("permissionsResource", new()
{
PermissionDetails = new[]
{
"string",
},
Principal = "string",
CatalogId = "string",
CatalogResource = false,
DataCellsFilter = new Aws.LakeFormation.Inputs.PermissionsDataCellsFilterArgs
{
DatabaseName = "string",
Name = "string",
TableCatalogId = "string",
TableName = "string",
},
DataLocation = new Aws.LakeFormation.Inputs.PermissionsDataLocationArgs
{
Arn = "string",
CatalogId = "string",
},
Database = new Aws.LakeFormation.Inputs.PermissionsDatabaseArgs
{
Name = "string",
CatalogId = "string",
},
LfTag = new Aws.LakeFormation.Inputs.PermissionsLfTagArgs
{
Key = "string",
Values = new[]
{
"string",
},
CatalogId = "string",
},
LfTagPolicy = new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyArgs
{
Expressions = new[]
{
new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
{
Key = "string",
Values = new[]
{
"string",
},
},
},
ResourceType = "string",
CatalogId = "string",
},
PermissionsWithGrantOptions = new[]
{
"string",
},
Table = new Aws.LakeFormation.Inputs.PermissionsTableArgs
{
DatabaseName = "string",
CatalogId = "string",
Name = "string",
Wildcard = false,
},
TableWithColumns = new Aws.LakeFormation.Inputs.PermissionsTableWithColumnsArgs
{
DatabaseName = "string",
Name = "string",
CatalogId = "string",
ColumnNames = new[]
{
"string",
},
ExcludedColumnNames = new[]
{
"string",
},
Wildcard = false,
},
});
example, err := lakeformation.NewPermissions(ctx, "permissionsResource", &lakeformation.PermissionsArgs{
Permissions: pulumi.StringArray{
pulumi.String("string"),
},
Principal: pulumi.String("string"),
CatalogId: pulumi.String("string"),
CatalogResource: pulumi.Bool(false),
DataCellsFilter: &lakeformation.PermissionsDataCellsFilterArgs{
DatabaseName: pulumi.String("string"),
Name: pulumi.String("string"),
TableCatalogId: pulumi.String("string"),
TableName: pulumi.String("string"),
},
DataLocation: &lakeformation.PermissionsDataLocationArgs{
Arn: pulumi.String("string"),
CatalogId: pulumi.String("string"),
},
Database: &lakeformation.PermissionsDatabaseArgs{
Name: pulumi.String("string"),
CatalogId: pulumi.String("string"),
},
LfTag: &lakeformation.PermissionsLfTagArgs{
Key: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
CatalogId: pulumi.String("string"),
},
LfTagPolicy: &lakeformation.PermissionsLfTagPolicyArgs{
Expressions: lakeformation.PermissionsLfTagPolicyExpressionArray{
&lakeformation.PermissionsLfTagPolicyExpressionArgs{
Key: pulumi.String("string"),
Values: pulumi.StringArray{
pulumi.String("string"),
},
},
},
ResourceType: pulumi.String("string"),
CatalogId: pulumi.String("string"),
},
PermissionsWithGrantOptions: pulumi.StringArray{
pulumi.String("string"),
},
Table: &lakeformation.PermissionsTableArgs{
DatabaseName: pulumi.String("string"),
CatalogId: pulumi.String("string"),
Name: pulumi.String("string"),
Wildcard: pulumi.Bool(false),
},
TableWithColumns: &lakeformation.PermissionsTableWithColumnsArgs{
DatabaseName: pulumi.String("string"),
Name: pulumi.String("string"),
CatalogId: pulumi.String("string"),
ColumnNames: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedColumnNames: pulumi.StringArray{
pulumi.String("string"),
},
Wildcard: pulumi.Bool(false),
},
})
var permissionsResource = new Permissions("permissionsResource", PermissionsArgs.builder()
.permissions("string")
.principal("string")
.catalogId("string")
.catalogResource(false)
.dataCellsFilter(PermissionsDataCellsFilterArgs.builder()
.databaseName("string")
.name("string")
.tableCatalogId("string")
.tableName("string")
.build())
.dataLocation(PermissionsDataLocationArgs.builder()
.arn("string")
.catalogId("string")
.build())
.database(PermissionsDatabaseArgs.builder()
.name("string")
.catalogId("string")
.build())
.lfTag(PermissionsLfTagArgs.builder()
.key("string")
.values("string")
.catalogId("string")
.build())
.lfTagPolicy(PermissionsLfTagPolicyArgs.builder()
.expressions(PermissionsLfTagPolicyExpressionArgs.builder()
.key("string")
.values("string")
.build())
.resourceType("string")
.catalogId("string")
.build())
.permissionsWithGrantOptions("string")
.table(PermissionsTableArgs.builder()
.databaseName("string")
.catalogId("string")
.name("string")
.wildcard(false)
.build())
.tableWithColumns(PermissionsTableWithColumnsArgs.builder()
.databaseName("string")
.name("string")
.catalogId("string")
.columnNames("string")
.excludedColumnNames("string")
.wildcard(false)
.build())
.build());
permissions_resource = aws.lakeformation.Permissions("permissionsResource",
permissions=["string"],
principal="string",
catalog_id="string",
catalog_resource=False,
data_cells_filter={
"database_name": "string",
"name": "string",
"table_catalog_id": "string",
"table_name": "string",
},
data_location={
"arn": "string",
"catalog_id": "string",
},
database={
"name": "string",
"catalog_id": "string",
},
lf_tag={
"key": "string",
"values": ["string"],
"catalog_id": "string",
},
lf_tag_policy={
"expressions": [{
"key": "string",
"values": ["string"],
}],
"resource_type": "string",
"catalog_id": "string",
},
permissions_with_grant_options=["string"],
table={
"database_name": "string",
"catalog_id": "string",
"name": "string",
"wildcard": False,
},
table_with_columns={
"database_name": "string",
"name": "string",
"catalog_id": "string",
"column_names": ["string"],
"excluded_column_names": ["string"],
"wildcard": False,
})
const permissionsResource = new aws.lakeformation.Permissions("permissionsResource", {
permissions: ["string"],
principal: "string",
catalogId: "string",
catalogResource: false,
dataCellsFilter: {
databaseName: "string",
name: "string",
tableCatalogId: "string",
tableName: "string",
},
dataLocation: {
arn: "string",
catalogId: "string",
},
database: {
name: "string",
catalogId: "string",
},
lfTag: {
key: "string",
values: ["string"],
catalogId: "string",
},
lfTagPolicy: {
expressions: [{
key: "string",
values: ["string"],
}],
resourceType: "string",
catalogId: "string",
},
permissionsWithGrantOptions: ["string"],
table: {
databaseName: "string",
catalogId: "string",
name: "string",
wildcard: false,
},
tableWithColumns: {
databaseName: "string",
name: "string",
catalogId: "string",
columnNames: ["string"],
excludedColumnNames: ["string"],
wildcard: false,
},
});
type: aws:lakeformation:Permissions
properties:
catalogId: string
catalogResource: false
dataCellsFilter:
databaseName: string
name: string
tableCatalogId: string
tableName: string
dataLocation:
arn: string
catalogId: string
database:
catalogId: string
name: string
lfTag:
catalogId: string
key: string
values:
- string
lfTagPolicy:
catalogId: string
expressions:
- key: string
values:
- string
resourceType: string
permissions:
- string
permissionsWithGrantOptions:
- string
principal: string
table:
catalogId: string
databaseName: string
name: string
wildcard: false
tableWithColumns:
catalogId: string
columnNames:
- string
databaseName: string
excludedColumnNames:
- string
name: string
wildcard: false
Permissions Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Permissions resource accepts the following input properties:
- Permission
Details List<string> - List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- Catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - Data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- Data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database - Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- Permissions
With List<string>Grant Options - Subset of
permissions
which the principal can pass. - Table
Permissions
Table - Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- Permissions []string
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- Catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - Data
Cells PermissionsFilter Data Cells Filter Args - Configuration block for a data cells filter resource. Detailed below.
- Data
Location PermissionsData Location Args - Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args - Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args - Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args - Configuration block for an LF-tag policy resource. Detailed below.
- Permissions
With []stringGrant Options - Subset of
permissions
which the principal can pass. - Table
Permissions
Table Args - Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- permissions List<String>
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- catalog
Id String - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database - Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With List<String>Grant Options - Subset of
permissions
which the principal can pass. - table
Permissions
Table - Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- permissions string[]
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database - Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With string[]Grant Options - Subset of
permissions
which the principal can pass. - table
Permissions
Table - Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- permissions Sequence[str]
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - principal str
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- catalog_
id str - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog_
resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data_
cells_ Permissionsfilter Data Cells Filter Args - Configuration block for a data cells filter resource. Detailed below.
- data_
location PermissionsData Location Args - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args - Configuration block for a database resource. Detailed below.
- lf_
tag PermissionsLf Tag Args - Configuration block for an LF-tag resource. Detailed below.
- lf_
tag_ Permissionspolicy Lf Tag Policy Args - Configuration block for an LF-tag policy resource. Detailed below.
- permissions_
with_ Sequence[str]grant_ options - Subset of
permissions
which the principal can pass. - table
Permissions
Table Args - Configuration block for a table resource. Detailed below.
- table_
with_ Permissionscolumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- permissions List<String>
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- catalog
Id String - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells Property MapFilter - Configuration block for a data cells filter resource. Detailed below.
- data
Location Property Map - Configuration block for a data location resource. Detailed below.
- database Property Map
- Configuration block for a database resource. Detailed below.
- lf
Tag Property Map - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag Property MapPolicy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With List<String>Grant Options - Subset of
permissions
which the principal can pass. - table Property Map
- Configuration block for a table resource. Detailed below.
- table
With Property MapColumns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
Outputs
All input properties are implicitly available as output properties. Additionally, the Permissions resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Permissions Resource
Get an existing Permissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PermissionsState, opts?: CustomResourceOptions): Permissions
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
catalog_id: Optional[str] = None,
catalog_resource: Optional[bool] = None,
data_cells_filter: Optional[PermissionsDataCellsFilterArgs] = None,
data_location: Optional[PermissionsDataLocationArgs] = None,
database: Optional[PermissionsDatabaseArgs] = None,
lf_tag: Optional[PermissionsLfTagArgs] = None,
lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
permissions: Optional[Sequence[str]] = None,
permissions_with_grant_options: Optional[Sequence[str]] = None,
principal: Optional[str] = None,
table: Optional[PermissionsTableArgs] = None,
table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None) -> Permissions
func GetPermissions(ctx *Context, name string, id IDInput, state *PermissionsState, opts ...ResourceOption) (*Permissions, error)
public static Permissions Get(string name, Input<string> id, PermissionsState? state, CustomResourceOptions? opts = null)
public static Permissions get(String name, Output<String> id, PermissionsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - Data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- Data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database - Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- Permission
Details List<string> - List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - Permissions
With List<string>Grant Options - Subset of
permissions
which the principal can pass. - Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- Table
Permissions
Table - Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- Catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - Data
Cells PermissionsFilter Data Cells Filter Args - Configuration block for a data cells filter resource. Detailed below.
- Data
Location PermissionsData Location Args - Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args - Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args - Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args - Configuration block for an LF-tag policy resource. Detailed below.
- Permissions []string
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - Permissions
With []stringGrant Options - Subset of
permissions
which the principal can pass. - Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- Table
Permissions
Table Args - Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- catalog
Id String - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database - Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions List<String>
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - permissions
With List<String>Grant Options - Subset of
permissions
which the principal can pass. - principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- table
Permissions
Table - Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- catalog
Id string - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells PermissionsFilter Data Cells Filter - Configuration block for a data cells filter resource. Detailed below.
- data
Location PermissionsData Location - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database - Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions string[]
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - permissions
With string[]Grant Options - Subset of
permissions
which the principal can pass. - principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- table
Permissions
Table - Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- catalog_
id str - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog_
resource bool - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data_
cells_ Permissionsfilter Data Cells Filter Args - Configuration block for a data cells filter resource. Detailed below.
- data_
location PermissionsData Location Args - Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args - Configuration block for a database resource. Detailed below.
- lf_
tag PermissionsLf Tag Args - Configuration block for an LF-tag resource. Detailed below.
- lf_
tag_ Permissionspolicy Lf Tag Policy Args - Configuration block for an LF-tag policy resource. Detailed below.
- permissions Sequence[str]
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - permissions_
with_ Sequence[str]grant_ options - Subset of
permissions
which the principal can pass. - principal str
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- table
Permissions
Table Args - Configuration block for a table resource. Detailed below.
- table_
with_ Permissionscolumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
- catalog
Id String - Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean - Whether the permissions are to be granted for the Data Catalog. Defaults to
false
. - data
Cells Property MapFilter - Configuration block for a data cells filter resource. Detailed below.
- data
Location Property Map - Configuration block for a data location resource. Detailed below.
- database Property Map
- Configuration block for a database resource. Detailed below.
- lf
Tag Property Map - Configuration block for an LF-tag resource. Detailed below.
- lf
Tag Property MapPolicy - Configuration block for an LF-tag policy resource. Detailed below.
- permissions List<String>
- List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference. - permissions
With List<String>Grant Options - Subset of
permissions
which the principal can pass. - principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, Federated Users, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.NOTE: We highly recommend that the
principal
NOT be a Lake Formation administrator (granted usingaws.lakeformation.DataLakeSettings
). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.One of the following is required:
- table Property Map
- Configuration block for a table resource. Detailed below.
- table
With Property MapColumns Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
Supporting Types
PermissionsDataCellsFilter, PermissionsDataCellsFilterArgs
- Database
Name string - The name of the database.
- Name string
- The name of the data cells filter.
- Table
Catalog stringId - The ID of the Data Catalog.
- Table
Name string - The name of the table.
- Database
Name string - The name of the database.
- Name string
- The name of the data cells filter.
- Table
Catalog stringId - The ID of the Data Catalog.
- Table
Name string - The name of the table.
- database
Name String - The name of the database.
- name String
- The name of the data cells filter.
- table
Catalog StringId - The ID of the Data Catalog.
- table
Name String - The name of the table.
- database
Name string - The name of the database.
- name string
- The name of the data cells filter.
- table
Catalog stringId - The ID of the Data Catalog.
- table
Name string - The name of the table.
- database_
name str - The name of the database.
- name str
- The name of the data cells filter.
- table_
catalog_ strid - The ID of the Data Catalog.
- table_
name str - The name of the table.
- database
Name String - The name of the database.
- name String
- The name of the data cells filter.
- table
Catalog StringId - The ID of the Data Catalog.
- table
Name String - The name of the table.
PermissionsDataLocation, PermissionsDataLocationArgs
- arn str
Amazon Resource Name (ARN) that uniquely identifies the data location resource.
The following argument is optional:
- catalog_
id str - Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
PermissionsDatabase, PermissionsDatabaseArgs
- name str
Name of the database resource. Unique to the Data Catalog.
The following argument is optional:
- catalog_
id str - Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTag, PermissionsLfTagArgs
- key str
- The key-name for the tag.
- values Sequence[str]
A list of possible values an attribute can take.
The following argument is optional:
- catalog_
id str - Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTagPolicy, PermissionsLfTagPolicyArgs
- Expressions
List<Permissions
Lf Tag Policy Expression> A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- Resource
Type string - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Expressions
[]Permissions
Lf Tag Policy Expression A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- Resource
Type string - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
List<Permissions
Lf Tag Policy Expression> A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- resource
Type String - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
Permissions
Lf Tag Policy Expression[] A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- resource
Type string - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
Sequence[Permissions
Lf Tag Policy Expression] A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- resource_
type str - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - catalog_
id str - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions List<Property Map>
A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.The following argument is optional:
- resource
Type String - The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
. - catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTagPolicyExpression, PermissionsLfTagPolicyExpressionArgs
PermissionsTable, PermissionsTableArgs
- Database
Name string - Name of the database for the table. Unique to a Data Catalog.
- Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Name string
- Name of the table.
- Wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
- Database
Name string - Name of the database for the table. Unique to a Data Catalog.
- Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Name string
- Name of the table.
- Wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
- database
Name String - Name of the database for the table. Unique to a Data Catalog.
- catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name String
- Name of the table.
- wildcard Boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
- database
Name string - Name of the database for the table. Unique to a Data Catalog.
- catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name string
- Name of the table.
- wildcard boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
- database_
name str - Name of the database for the table. Unique to a Data Catalog.
- catalog_
id str - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name str
- Name of the table.
- wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
- database
Name String - Name of the database for the table. Unique to a Data Catalog.
- catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name String
- Name of the table.
- wildcard Boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.The following arguments are optional:
PermissionsTableWithColumns, PermissionsTableWithColumnsArgs
- Database
Name string - Name of the database for the table with columns resource. Unique to the Data Catalog.
- Name string
- Name of the table resource.
- Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Column
Names List<string> - Set of column names for the table.
- Excluded
Column List<string>Names - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - Wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
- Database
Name string - Name of the database for the table with columns resource. Unique to the Data Catalog.
- Name string
- Name of the table resource.
- Catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Column
Names []string - Set of column names for the table.
- Excluded
Column []stringNames - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - Wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
- database
Name String - Name of the database for the table with columns resource. Unique to the Data Catalog.
- name String
- Name of the table resource.
- catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names List<String> - Set of column names for the table.
- excluded
Column List<String>Names - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - wildcard Boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
- database
Name string - Name of the database for the table with columns resource. Unique to the Data Catalog.
- name string
- Name of the table resource.
- catalog
Id string - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names string[] - Set of column names for the table.
- excluded
Column string[]Names - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - wildcard boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
- database_
name str - Name of the database for the table with columns resource. Unique to the Data Catalog.
- name str
- Name of the table resource.
- catalog_
id str - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column_
names Sequence[str] - Set of column names for the table.
- excluded_
column_ Sequence[str]names - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
- database
Name String - Name of the database for the table with columns resource. Unique to the Data Catalog.
- name String
- Name of the table resource.
- catalog
Id String - Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names List<String> - Set of column names for the table.
- excluded
Column List<String>Names - Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference. - wildcard Boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.The following arguments are optional:
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
aws
Terraform Provider.