1. Packages
  2. AWS Classic
  3. API Docs
  4. lakeformation
  5. Permissions

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

aws.lakeformation.Permissions

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi

    Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.

    !> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and IAMAllowedPrincipals for additional details.

    NOTE: In general, the principal should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running the deployment. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights using aws.lakeformation.DataLakeSettings, not with this resource.

    Default Behavior and IAMAllowedPrincipals

    Lake Formation permissions are not in effect by default within AWS. IAMAllowedPrincipals (i.e., IAM_ALLOWED_PRINCIPALS) conflicts with individual Lake Formation permissions (i.e., non-IAMAllowedPrincipals permissions), will cause unexpected behavior, and may result in errors.

    When using Lake Formation, choose ONE of the following options as they are mutually exclusive:

    1. Use this resource (aws.lakeformation.Permissions), change the default security settings using aws.lakeformation.DataLakeSettings, and remove existing IAMAllowedPrincipals permissions
    2. Use IAMAllowedPrincipals without aws.lakeformation.Permissions

    This example shows removing the IAMAllowedPrincipals default security settings and making the caller a Lake Formation admin. Since create_database_default_permissions and create_table_default_permissions are not set in the aws.lakeformation.DataLakeSettings resource, they are cleared.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const current = aws.getCallerIdentity({});
    const currentGetSessionContext = current.then(current => aws.iam.getSessionContext({
        arn: current.arn,
    }));
    const test = new aws.lakeformation.DataLakeSettings("test", {admins: [currentGetSessionContext.then(currentGetSessionContext => currentGetSessionContext.issuerArn)]});
    
    import pulumi
    import pulumi_aws as aws
    
    current = aws.get_caller_identity()
    current_get_session_context = aws.iam.get_session_context(arn=current.arn)
    test = aws.lakeformation.DataLakeSettings("test", admins=[current_get_session_context.issuer_arn])
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		current, err := aws.GetCallerIdentity(ctx, nil, nil)
    		if err != nil {
    			return err
    		}
    		currentGetSessionContext, err := iam.GetSessionContext(ctx, &iam.GetSessionContextArgs{
    			Arn: current.Arn,
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = lakeformation.NewDataLakeSettings(ctx, "test", &lakeformation.DataLakeSettingsArgs{
    			Admins: pulumi.StringArray{
    				pulumi.String(currentGetSessionContext.IssuerArn),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var current = Aws.GetCallerIdentity.Invoke();
    
        var currentGetSessionContext = Aws.Iam.GetSessionContext.Invoke(new()
        {
            Arn = current.Apply(getCallerIdentityResult => getCallerIdentityResult.Arn),
        });
    
        var test = new Aws.LakeFormation.DataLakeSettings("test", new()
        {
            Admins = new[]
            {
                currentGetSessionContext.Apply(getSessionContextResult => getSessionContextResult.IssuerArn),
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.AwsFunctions;
    import com.pulumi.aws.inputs.GetCallerIdentityArgs;
    import com.pulumi.aws.iam.IamFunctions;
    import com.pulumi.aws.iam.inputs.GetSessionContextArgs;
    import com.pulumi.aws.lakeformation.DataLakeSettings;
    import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var current = AwsFunctions.getCallerIdentity();
    
            final var currentGetSessionContext = IamFunctions.getSessionContext(GetSessionContextArgs.builder()
                .arn(current.applyValue(getCallerIdentityResult -> getCallerIdentityResult.arn()))
                .build());
    
            var test = new DataLakeSettings("test", DataLakeSettingsArgs.builder()        
                .admins(currentGetSessionContext.applyValue(getSessionContextResult -> getSessionContextResult.issuerArn()))
                .build());
    
        }
    }
    
    resources:
      test:
        type: aws:lakeformation:DataLakeSettings
        properties:
          admins:
            - ${currentGetSessionContext.issuerArn}
    variables:
      current:
        fn::invoke:
          Function: aws:getCallerIdentity
          Arguments: {}
      currentGetSessionContext:
        fn::invoke:
          Function: aws:iam:getSessionContext
          Arguments:
            arn: ${current.arn}
    

    To remove existing IAMAllowedPrincipals permissions, use the AWS Lake Formation Console or AWS CLI.

    IAMAllowedPrincipals is a hook to maintain backwards compatibility with AWS Glue. IAMAllowedPrincipals is a pseudo-entity group that acts like a Lake Formation principal. The group includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies.

    This is Lake Formation’s default behavior:

    • Lake Formation grants Super permission to IAMAllowedPrincipals on all existing AWS Glue Data Catalog resources.
    • Lake Formation enables “Use only IAM access control” for new Data Catalog resources.

    For more details, see Changing the Default Security Settings for Your Data Lake.

    Problem Using IAMAllowedPrincipals

    AWS does not support combining IAMAllowedPrincipals permissions and non-IAMAllowedPrincipals permissions. Doing so results in unexpected permissions and behaviors. For example, this configuration grants a user SELECT on a column in a table.

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.glue.CatalogDatabase("example", {name: "sadabate"});
    const exampleCatalogTable = new aws.glue.CatalogTable("example", {
        name: "abelt",
        databaseName: test.name,
        storageDescriptor: {
            columns: [{
                name: "event",
                type: "string",
            }],
        },
    });
    const examplePermissions = new aws.lakeformation.Permissions("example", {
        permissions: ["SELECT"],
        principal: "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
        tableWithColumns: {
            databaseName: exampleCatalogTable.databaseName,
            name: exampleCatalogTable.name,
            columnNames: ["event"],
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.glue.CatalogDatabase("example", name="sadabate")
    example_catalog_table = aws.glue.CatalogTable("example",
        name="abelt",
        database_name=test["name"],
        storage_descriptor=aws.glue.CatalogTableStorageDescriptorArgs(
            columns=[aws.glue.CatalogTableStorageDescriptorColumnArgs(
                name="event",
                type="string",
            )],
        ))
    example_permissions = aws.lakeformation.Permissions("example",
        permissions=["SELECT"],
        principal="arn:aws:iam:us-east-1:123456789012:user/SanHolo",
        table_with_columns=aws.lakeformation.PermissionsTableWithColumnsArgs(
            database_name=example_catalog_table.database_name,
            name=example_catalog_table.name,
            column_names=["event"],
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/glue"
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := glue.NewCatalogDatabase(ctx, "example", &glue.CatalogDatabaseArgs{
    			Name: pulumi.String("sadabate"),
    		})
    		if err != nil {
    			return err
    		}
    		exampleCatalogTable, err := glue.NewCatalogTable(ctx, "example", &glue.CatalogTableArgs{
    			Name:         pulumi.String("abelt"),
    			DatabaseName: pulumi.Any(test.Name),
    			StorageDescriptor: &glue.CatalogTableStorageDescriptorArgs{
    				Columns: glue.CatalogTableStorageDescriptorColumnArray{
    					&glue.CatalogTableStorageDescriptorColumnArgs{
    						Name: pulumi.String("event"),
    						Type: pulumi.String("string"),
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		_, err = lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
    			Permissions: pulumi.StringArray{
    				pulumi.String("SELECT"),
    			},
    			Principal: pulumi.String("arn:aws:iam:us-east-1:123456789012:user/SanHolo"),
    			TableWithColumns: &lakeformation.PermissionsTableWithColumnsArgs{
    				DatabaseName: exampleCatalogTable.DatabaseName,
    				Name:         exampleCatalogTable.Name,
    				ColumnNames: pulumi.StringArray{
    					pulumi.String("event"),
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.Glue.CatalogDatabase("example", new()
        {
            Name = "sadabate",
        });
    
        var exampleCatalogTable = new Aws.Glue.CatalogTable("example", new()
        {
            Name = "abelt",
            DatabaseName = test.Name,
            StorageDescriptor = new Aws.Glue.Inputs.CatalogTableStorageDescriptorArgs
            {
                Columns = new[]
                {
                    new Aws.Glue.Inputs.CatalogTableStorageDescriptorColumnArgs
                    {
                        Name = "event",
                        Type = "string",
                    },
                },
            },
        });
    
        var examplePermissions = new Aws.LakeFormation.Permissions("example", new()
        {
            PermissionDetails = new[]
            {
                "SELECT",
            },
            Principal = "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
            TableWithColumns = new Aws.LakeFormation.Inputs.PermissionsTableWithColumnsArgs
            {
                DatabaseName = exampleCatalogTable.DatabaseName,
                Name = exampleCatalogTable.Name,
                ColumnNames = new[]
                {
                    "event",
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.glue.CatalogDatabase;
    import com.pulumi.aws.glue.CatalogDatabaseArgs;
    import com.pulumi.aws.glue.CatalogTable;
    import com.pulumi.aws.glue.CatalogTableArgs;
    import com.pulumi.aws.glue.inputs.CatalogTableStorageDescriptorArgs;
    import com.pulumi.aws.lakeformation.Permissions;
    import com.pulumi.aws.lakeformation.PermissionsArgs;
    import com.pulumi.aws.lakeformation.inputs.PermissionsTableWithColumnsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new CatalogDatabase("example", CatalogDatabaseArgs.builder()        
                .name("sadabate")
                .build());
    
            var exampleCatalogTable = new CatalogTable("exampleCatalogTable", CatalogTableArgs.builder()        
                .name("abelt")
                .databaseName(test.name())
                .storageDescriptor(CatalogTableStorageDescriptorArgs.builder()
                    .columns(CatalogTableStorageDescriptorColumnArgs.builder()
                        .name("event")
                        .type("string")
                        .build())
                    .build())
                .build());
    
            var examplePermissions = new Permissions("examplePermissions", PermissionsArgs.builder()        
                .permissions("SELECT")
                .principal("arn:aws:iam:us-east-1:123456789012:user/SanHolo")
                .tableWithColumns(PermissionsTableWithColumnsArgs.builder()
                    .databaseName(exampleCatalogTable.databaseName())
                    .name(exampleCatalogTable.name())
                    .columnNames("event")
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:glue:CatalogDatabase
        properties:
          name: sadabate
      exampleCatalogTable:
        type: aws:glue:CatalogTable
        name: example
        properties:
          name: abelt
          databaseName: ${test.name}
          storageDescriptor:
            columns:
              - name: event
                type: string
      examplePermissions:
        type: aws:lakeformation:Permissions
        name: example
        properties:
          permissions:
            - SELECT
          principal: arn:aws:iam:us-east-1:123456789012:user/SanHolo
          tableWithColumns:
            databaseName: ${exampleCatalogTable.databaseName}
            name: ${exampleCatalogTable.name}
            columnNames:
              - event
    

    The resulting permissions depend on whether the table had IAMAllowedPrincipals (IAP) permissions or not.

    Result With IAPResult Without IAP
    SELECT column wildcard (i.e., all columns)SELECT on "event" (as expected)

    Using Lake Formation Permissions

    Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. These implicit permissions cannot be revoked per se. If this resource reads implicit permissions, it will attempt to revoke them, which causes an error when the resource is destroyed.

    There are two ways to avoid these errors. First, and the way we recommend, is to avoid using this resource with principals that have implicit permissions. A second, error-prone option, is to grant explicit permissions (and permissions_with_grant_option) to “overwrite” a principal’s implicit permissions, which you can then revoke with this resource. For more information, see Implicit Lake Formation Permissions.

    If the principal is also a data lake administrator, AWS grants implicit permissions that can cause errors using this resource. For example, AWS implicitly grants a principal/administrator permissions and permissions_with_grant_option of ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, and SELECT on a table. If you use this resource to explicitly grant the principal/administrator permissions but not permissions_with_grant_option of ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, and SELECT on the table, this resource will read the implicit permissions_with_grant_option and attempt to revoke them when the resource is destroyed. Doing so will cause an InvalidInputException: No permissions revoked error because you cannot revoke implicit permissions per se. To workaround this problem, explicitly grant the principal/administrator permissions and permissions_with_grant_option, which can then be revoked. Similarly, granting a principal/administrator permissions on a table with columns and providing column_names, will result in a InvalidInputException: Permissions modification is invalid error because you are narrowing the implicit permissions. Instead, set wildcard to true and remove the column_names.

    Example Usage

    Grant Permissions For A Lake Formation S3 Resource

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.lakeformation.Permissions("example", {
        principal: workflowRole.arn,
        permissions: ["DATA_LOCATION_ACCESS"],
        dataLocation: {
            arn: exampleAwsLakeformationResource.arn,
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.lakeformation.Permissions("example",
        principal=workflow_role["arn"],
        permissions=["DATA_LOCATION_ACCESS"],
        data_location=aws.lakeformation.PermissionsDataLocationArgs(
            arn=example_aws_lakeformation_resource["arn"],
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
    			Principal: pulumi.Any(workflowRole.Arn),
    			Permissions: pulumi.StringArray{
    				pulumi.String("DATA_LOCATION_ACCESS"),
    			},
    			DataLocation: &lakeformation.PermissionsDataLocationArgs{
    				Arn: pulumi.Any(exampleAwsLakeformationResource.Arn),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.LakeFormation.Permissions("example", new()
        {
            Principal = workflowRole.Arn,
            PermissionDetails = new[]
            {
                "DATA_LOCATION_ACCESS",
            },
            DataLocation = new Aws.LakeFormation.Inputs.PermissionsDataLocationArgs
            {
                Arn = exampleAwsLakeformationResource.Arn,
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lakeformation.Permissions;
    import com.pulumi.aws.lakeformation.PermissionsArgs;
    import com.pulumi.aws.lakeformation.inputs.PermissionsDataLocationArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Permissions("example", PermissionsArgs.builder()        
                .principal(workflowRole.arn())
                .permissions("DATA_LOCATION_ACCESS")
                .dataLocation(PermissionsDataLocationArgs.builder()
                    .arn(exampleAwsLakeformationResource.arn())
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:lakeformation:Permissions
        properties:
          principal: ${workflowRole.arn}
          permissions:
            - DATA_LOCATION_ACCESS
          dataLocation:
            arn: ${exampleAwsLakeformationResource.arn}
    

    Grant Permissions For A Glue Catalog Database

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.lakeformation.Permissions("example", {
        principal: workflowRole.arn,
        permissions: [
            "CREATE_TABLE",
            "ALTER",
            "DROP",
        ],
        database: {
            name: exampleAwsGlueCatalogDatabase.name,
            catalogId: "110376042874",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.lakeformation.Permissions("example",
        principal=workflow_role["arn"],
        permissions=[
            "CREATE_TABLE",
            "ALTER",
            "DROP",
        ],
        database=aws.lakeformation.PermissionsDatabaseArgs(
            name=example_aws_glue_catalog_database["name"],
            catalog_id="110376042874",
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
    			Principal: pulumi.Any(workflowRole.Arn),
    			Permissions: pulumi.StringArray{
    				pulumi.String("CREATE_TABLE"),
    				pulumi.String("ALTER"),
    				pulumi.String("DROP"),
    			},
    			Database: &lakeformation.PermissionsDatabaseArgs{
    				Name:      pulumi.Any(exampleAwsGlueCatalogDatabase.Name),
    				CatalogId: pulumi.String("110376042874"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.LakeFormation.Permissions("example", new()
        {
            Principal = workflowRole.Arn,
            PermissionDetails = new[]
            {
                "CREATE_TABLE",
                "ALTER",
                "DROP",
            },
            Database = new Aws.LakeFormation.Inputs.PermissionsDatabaseArgs
            {
                Name = exampleAwsGlueCatalogDatabase.Name,
                CatalogId = "110376042874",
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lakeformation.Permissions;
    import com.pulumi.aws.lakeformation.PermissionsArgs;
    import com.pulumi.aws.lakeformation.inputs.PermissionsDatabaseArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new Permissions("example", PermissionsArgs.builder()        
                .principal(workflowRole.arn())
                .permissions(            
                    "CREATE_TABLE",
                    "ALTER",
                    "DROP")
                .database(PermissionsDatabaseArgs.builder()
                    .name(exampleAwsGlueCatalogDatabase.name())
                    .catalogId("110376042874")
                    .build())
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:lakeformation:Permissions
        properties:
          principal: ${workflowRole.arn}
          permissions:
            - CREATE_TABLE
            - ALTER
            - DROP
          database:
            name: ${exampleAwsGlueCatalogDatabase.name}
            catalogId: '110376042874'
    

    Grant Permissions Using Tag-Based Access Control

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const test = new aws.lakeformation.Permissions("test", {
        principal: salesRole.arn,
        permissions: [
            "CREATE_TABLE",
            "ALTER",
            "DROP",
        ],
        lfTagPolicy: {
            resourceType: "DATABASE",
            expressions: [
                {
                    key: "Team",
                    values: ["Sales"],
                },
                {
                    key: "Environment",
                    values: [
                        "Dev",
                        "Production",
                    ],
                },
            ],
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    test = aws.lakeformation.Permissions("test",
        principal=sales_role["arn"],
        permissions=[
            "CREATE_TABLE",
            "ALTER",
            "DROP",
        ],
        lf_tag_policy=aws.lakeformation.PermissionsLfTagPolicyArgs(
            resource_type="DATABASE",
            expressions=[
                aws.lakeformation.PermissionsLfTagPolicyExpressionArgs(
                    key="Team",
                    values=["Sales"],
                ),
                aws.lakeformation.PermissionsLfTagPolicyExpressionArgs(
                    key="Environment",
                    values=[
                        "Dev",
                        "Production",
                    ],
                ),
            ],
        ))
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := lakeformation.NewPermissions(ctx, "test", &lakeformation.PermissionsArgs{
    			Principal: pulumi.Any(salesRole.Arn),
    			Permissions: pulumi.StringArray{
    				pulumi.String("CREATE_TABLE"),
    				pulumi.String("ALTER"),
    				pulumi.String("DROP"),
    			},
    			LfTagPolicy: &lakeformation.PermissionsLfTagPolicyArgs{
    				ResourceType: pulumi.String("DATABASE"),
    				Expressions: lakeformation.PermissionsLfTagPolicyExpressionArray{
    					&lakeformation.PermissionsLfTagPolicyExpressionArgs{
    						Key: pulumi.String("Team"),
    						Values: pulumi.StringArray{
    							pulumi.String("Sales"),
    						},
    					},
    					&lakeformation.PermissionsLfTagPolicyExpressionArgs{
    						Key: pulumi.String("Environment"),
    						Values: pulumi.StringArray{
    							pulumi.String("Dev"),
    							pulumi.String("Production"),
    						},
    					},
    				},
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var test = new Aws.LakeFormation.Permissions("test", new()
        {
            Principal = salesRole.Arn,
            PermissionDetails = new[]
            {
                "CREATE_TABLE",
                "ALTER",
                "DROP",
            },
            LfTagPolicy = new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyArgs
            {
                ResourceType = "DATABASE",
                Expressions = new[]
                {
                    new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
                    {
                        Key = "Team",
                        Values = new[]
                        {
                            "Sales",
                        },
                    },
                    new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
                    {
                        Key = "Environment",
                        Values = new[]
                        {
                            "Dev",
                            "Production",
                        },
                    },
                },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.lakeformation.Permissions;
    import com.pulumi.aws.lakeformation.PermissionsArgs;
    import com.pulumi.aws.lakeformation.inputs.PermissionsLfTagPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var test = new Permissions("test", PermissionsArgs.builder()        
                .principal(salesRole.arn())
                .permissions(            
                    "CREATE_TABLE",
                    "ALTER",
                    "DROP")
                .lfTagPolicy(PermissionsLfTagPolicyArgs.builder()
                    .resourceType("DATABASE")
                    .expressions(                
                        PermissionsLfTagPolicyExpressionArgs.builder()
                            .key("Team")
                            .values("Sales")
                            .build(),
                        PermissionsLfTagPolicyExpressionArgs.builder()
                            .key("Environment")
                            .values(                        
                                "Dev",
                                "Production")
                            .build())
                    .build())
                .build());
    
        }
    }
    
    resources:
      test:
        type: aws:lakeformation:Permissions
        properties:
          principal: ${salesRole.arn}
          permissions:
            - CREATE_TABLE
            - ALTER
            - DROP
          lfTagPolicy:
            resourceType: DATABASE
            expressions:
              - key: Team
                values:
                  - Sales
              - key: Environment
                values:
                  - Dev
                  - Production
    

    Create Permissions Resource

    new Permissions(name: string, args: PermissionsArgs, opts?: CustomResourceOptions);
    @overload
    def Permissions(resource_name: str,
                    opts: Optional[ResourceOptions] = None,
                    catalog_id: Optional[str] = None,
                    catalog_resource: Optional[bool] = None,
                    data_cells_filter: Optional[PermissionsDataCellsFilterArgs] = None,
                    data_location: Optional[PermissionsDataLocationArgs] = None,
                    database: Optional[PermissionsDatabaseArgs] = None,
                    lf_tag: Optional[PermissionsLfTagArgs] = None,
                    lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
                    permissions: Optional[Sequence[str]] = None,
                    permissions_with_grant_options: Optional[Sequence[str]] = None,
                    principal: Optional[str] = None,
                    table: Optional[PermissionsTableArgs] = None,
                    table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None)
    @overload
    def Permissions(resource_name: str,
                    args: PermissionsArgs,
                    opts: Optional[ResourceOptions] = None)
    func NewPermissions(ctx *Context, name string, args PermissionsArgs, opts ...ResourceOption) (*Permissions, error)
    public Permissions(string name, PermissionsArgs args, CustomResourceOptions? opts = null)
    public Permissions(String name, PermissionsArgs args)
    public Permissions(String name, PermissionsArgs args, CustomResourceOptions options)
    
    type: aws:lakeformation:Permissions
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args PermissionsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PermissionsArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PermissionsArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PermissionsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PermissionsArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Permissions Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Permissions resource accepts the following input properties:

    PermissionDetails List<string>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    Principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    CatalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    CatalogResource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    DataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    DataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    Database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    LfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    LfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    PermissionsWithGrantOptions List<string>
    Subset of permissions which the principal can pass.
    Table PermissionsTable
    Configuration block for a table resource. Detailed below.
    TableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    Permissions []string
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    Principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    CatalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    CatalogResource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    DataCellsFilter PermissionsDataCellsFilterArgs
    Configuration block for a data cells filter resource. Detailed below.
    DataLocation PermissionsDataLocationArgs
    Configuration block for a data location resource. Detailed below.
    Database PermissionsDatabaseArgs
    Configuration block for a database resource. Detailed below.
    LfTag PermissionsLfTagArgs
    Configuration block for an LF-tag resource. Detailed below.
    LfTagPolicy PermissionsLfTagPolicyArgs
    Configuration block for an LF-tag policy resource. Detailed below.
    PermissionsWithGrantOptions []string
    Subset of permissions which the principal can pass.
    Table PermissionsTableArgs
    Configuration block for a table resource. Detailed below.
    TableWithColumns PermissionsTableWithColumnsArgs

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    permissions List<String>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    principal String

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    catalogId String
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource Boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    lfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    permissionsWithGrantOptions List<String>
    Subset of permissions which the principal can pass.
    table PermissionsTable
    Configuration block for a table resource. Detailed below.
    tableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    permissions string[]
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    catalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    lfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    permissionsWithGrantOptions string[]
    Subset of permissions which the principal can pass.
    table PermissionsTable
    Configuration block for a table resource. Detailed below.
    tableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    permissions Sequence[str]
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    principal str

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    catalog_id str
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalog_resource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    data_cells_filter PermissionsDataCellsFilterArgs
    Configuration block for a data cells filter resource. Detailed below.
    data_location PermissionsDataLocationArgs
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabaseArgs
    Configuration block for a database resource. Detailed below.
    lf_tag PermissionsLfTagArgs
    Configuration block for an LF-tag resource. Detailed below.
    lf_tag_policy PermissionsLfTagPolicyArgs
    Configuration block for an LF-tag policy resource. Detailed below.
    permissions_with_grant_options Sequence[str]
    Subset of permissions which the principal can pass.
    table PermissionsTableArgs
    Configuration block for a table resource. Detailed below.
    table_with_columns PermissionsTableWithColumnsArgs

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    permissions List<String>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    principal String

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    catalogId String
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource Boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter Property Map
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation Property Map
    Configuration block for a data location resource. Detailed below.
    database Property Map
    Configuration block for a database resource. Detailed below.
    lfTag Property Map
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy Property Map
    Configuration block for an LF-tag policy resource. Detailed below.
    permissionsWithGrantOptions List<String>
    Subset of permissions which the principal can pass.
    table Property Map
    Configuration block for a table resource. Detailed below.
    tableWithColumns Property Map

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Permissions resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing Permissions Resource

    Get an existing Permissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PermissionsState, opts?: CustomResourceOptions): Permissions
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            catalog_id: Optional[str] = None,
            catalog_resource: Optional[bool] = None,
            data_cells_filter: Optional[PermissionsDataCellsFilterArgs] = None,
            data_location: Optional[PermissionsDataLocationArgs] = None,
            database: Optional[PermissionsDatabaseArgs] = None,
            lf_tag: Optional[PermissionsLfTagArgs] = None,
            lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
            permissions: Optional[Sequence[str]] = None,
            permissions_with_grant_options: Optional[Sequence[str]] = None,
            principal: Optional[str] = None,
            table: Optional[PermissionsTableArgs] = None,
            table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None) -> Permissions
    func GetPermissions(ctx *Context, name string, id IDInput, state *PermissionsState, opts ...ResourceOption) (*Permissions, error)
    public static Permissions Get(string name, Input<string> id, PermissionsState? state, CustomResourceOptions? opts = null)
    public static Permissions get(String name, Output<String> id, PermissionsState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    CatalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    CatalogResource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    DataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    DataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    Database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    LfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    LfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    PermissionDetails List<string>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    PermissionsWithGrantOptions List<string>
    Subset of permissions which the principal can pass.
    Principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    Table PermissionsTable
    Configuration block for a table resource. Detailed below.
    TableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    CatalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    CatalogResource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    DataCellsFilter PermissionsDataCellsFilterArgs
    Configuration block for a data cells filter resource. Detailed below.
    DataLocation PermissionsDataLocationArgs
    Configuration block for a data location resource. Detailed below.
    Database PermissionsDatabaseArgs
    Configuration block for a database resource. Detailed below.
    LfTag PermissionsLfTagArgs
    Configuration block for an LF-tag resource. Detailed below.
    LfTagPolicy PermissionsLfTagPolicyArgs
    Configuration block for an LF-tag policy resource. Detailed below.
    Permissions []string
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    PermissionsWithGrantOptions []string
    Subset of permissions which the principal can pass.
    Principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    Table PermissionsTableArgs
    Configuration block for a table resource. Detailed below.
    TableWithColumns PermissionsTableWithColumnsArgs

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    catalogId String
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource Boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    lfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    permissions List<String>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    permissionsWithGrantOptions List<String>
    Subset of permissions which the principal can pass.
    principal String

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    table PermissionsTable
    Configuration block for a table resource. Detailed below.
    tableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    catalogId string
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter PermissionsDataCellsFilter
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation PermissionsDataLocation
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabase
    Configuration block for a database resource. Detailed below.
    lfTag PermissionsLfTag
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy PermissionsLfTagPolicy
    Configuration block for an LF-tag policy resource. Detailed below.
    permissions string[]
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    permissionsWithGrantOptions string[]
    Subset of permissions which the principal can pass.
    principal string

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    table PermissionsTable
    Configuration block for a table resource. Detailed below.
    tableWithColumns PermissionsTableWithColumns

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    catalog_id str
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalog_resource bool
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    data_cells_filter PermissionsDataCellsFilterArgs
    Configuration block for a data cells filter resource. Detailed below.
    data_location PermissionsDataLocationArgs
    Configuration block for a data location resource. Detailed below.
    database PermissionsDatabaseArgs
    Configuration block for a database resource. Detailed below.
    lf_tag PermissionsLfTagArgs
    Configuration block for an LF-tag resource. Detailed below.
    lf_tag_policy PermissionsLfTagPolicyArgs
    Configuration block for an LF-tag policy resource. Detailed below.
    permissions Sequence[str]
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    permissions_with_grant_options Sequence[str]
    Subset of permissions which the principal can pass.
    principal str

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    table PermissionsTableArgs
    Configuration block for a table resource. Detailed below.
    table_with_columns PermissionsTableWithColumnsArgs

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    catalogId String
    Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    catalogResource Boolean
    Whether the permissions are to be granted for the Data Catalog. Defaults to false.
    dataCellsFilter Property Map
    Configuration block for a data cells filter resource. Detailed below.
    dataLocation Property Map
    Configuration block for a data location resource. Detailed below.
    database Property Map
    Configuration block for a database resource. Detailed below.
    lfTag Property Map
    Configuration block for an LF-tag resource. Detailed below.
    lfTagPolicy Property Map
    Configuration block for an LF-tag policy resource. Detailed below.
    permissions List<String>
    List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
    permissionsWithGrantOptions List<String>
    Subset of permissions which the principal can pass.
    principal String

    Principal to be granted the permissions on the resource. Supported principals include IAM_ALLOWED_PRINCIPALS (see Default Behavior and IAMAllowedPrincipals above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.

    NOTE: We highly recommend that the principal NOT be a Lake Formation administrator (granted using aws.lakeformation.DataLakeSettings). The entity (e.g., IAM role) running the deployment will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.

    One of the following is required:

    table Property Map
    Configuration block for a table resource. Detailed below.
    tableWithColumns Property Map

    Configuration block for a table with columns resource. Detailed below.

    The following arguments are optional:

    Supporting Types

    PermissionsDataCellsFilter, PermissionsDataCellsFilterArgs

    DatabaseName string
    The name of the database.
    Name string
    The name of the data cells filter.
    TableCatalogId string
    The ID of the Data Catalog.
    TableName string
    The name of the table.
    DatabaseName string
    The name of the database.
    Name string
    The name of the data cells filter.
    TableCatalogId string
    The ID of the Data Catalog.
    TableName string
    The name of the table.
    databaseName String
    The name of the database.
    name String
    The name of the data cells filter.
    tableCatalogId String
    The ID of the Data Catalog.
    tableName String
    The name of the table.
    databaseName string
    The name of the database.
    name string
    The name of the data cells filter.
    tableCatalogId string
    The ID of the Data Catalog.
    tableName string
    The name of the table.
    database_name str
    The name of the database.
    name str
    The name of the data cells filter.
    table_catalog_id str
    The ID of the Data Catalog.
    table_name str
    The name of the table.
    databaseName String
    The name of the database.
    name String
    The name of the data cells filter.
    tableCatalogId String
    The ID of the Data Catalog.
    tableName String
    The name of the table.

    PermissionsDataLocation, PermissionsDataLocationArgs

    Arn string

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    Arn string

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    arn String

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    arn string

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    catalogId string
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    arn str

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    catalog_id str
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    arn String

    Amazon Resource Name (ARN) that uniquely identifies the data location resource.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    PermissionsDatabase, PermissionsDatabaseArgs

    Name string

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    Name string

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name String

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name string

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    catalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name str

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    catalog_id str
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name String

    Name of the database resource. Unique to the Data Catalog.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.

    PermissionsLfTag, PermissionsLfTagArgs

    Key string
    The key-name for the tag.
    Values List<string>

    A list of possible values an attribute can take.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    Key string
    The key-name for the tag.
    Values []string

    A list of possible values an attribute can take.

    The following argument is optional:

    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    key String
    The key-name for the tag.
    values List<String>

    A list of possible values an attribute can take.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    key string
    The key-name for the tag.
    values string[]

    A list of possible values an attribute can take.

    The following argument is optional:

    catalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    key str
    The key-name for the tag.
    values Sequence[str]

    A list of possible values an attribute can take.

    The following argument is optional:

    catalog_id str
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    key String
    The key-name for the tag.
    values List<String>

    A list of possible values an attribute can take.

    The following argument is optional:

    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.

    PermissionsLfTagPolicy, PermissionsLfTagPolicyArgs

    Expressions List<PermissionsLfTagPolicyExpression>

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    ResourceType string
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    Expressions []PermissionsLfTagPolicyExpression

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    ResourceType string
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    expressions List<PermissionsLfTagPolicyExpression>

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    resourceType String
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    expressions PermissionsLfTagPolicyExpression[]

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    resourceType string
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    catalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    expressions Sequence[PermissionsLfTagPolicyExpression]

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    resource_type str
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    catalog_id str
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    expressions List<Property Map>

    A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.

    The following argument is optional:

    resourceType String
    The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.

    PermissionsLfTagPolicyExpression, PermissionsLfTagPolicyExpressionArgs

    Key string
    The key-name of an LF-Tag.
    Values List<string>
    A list of possible values of an LF-Tag.
    Key string
    The key-name of an LF-Tag.
    Values []string
    A list of possible values of an LF-Tag.
    key String
    The key-name of an LF-Tag.
    values List<String>
    A list of possible values of an LF-Tag.
    key string
    The key-name of an LF-Tag.
    values string[]
    A list of possible values of an LF-Tag.
    key str
    The key-name of an LF-Tag.
    values Sequence[str]
    A list of possible values of an LF-Tag.
    key String
    The key-name of an LF-Tag.
    values List<String>
    A list of possible values of an LF-Tag.

    PermissionsTable, PermissionsTableArgs

    DatabaseName string
    Name of the database for the table. Unique to a Data Catalog.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    Name string
    Name of the table.
    Wildcard bool

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    DatabaseName string
    Name of the database for the table. Unique to a Data Catalog.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    Name string
    Name of the table.
    Wildcard bool

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    databaseName String
    Name of the database for the table. Unique to a Data Catalog.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name String
    Name of the table.
    wildcard Boolean

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    databaseName string
    Name of the database for the table. Unique to a Data Catalog.
    catalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name string
    Name of the table.
    wildcard boolean

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    database_name str
    Name of the database for the table. Unique to a Data Catalog.
    catalog_id str
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name str
    Name of the table.
    wildcard bool

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    databaseName String
    Name of the database for the table. Unique to a Data Catalog.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    name String
    Name of the table.
    wildcard Boolean

    Whether to use a wildcard representing every table under a database. Defaults to false.

    The following arguments are optional:

    PermissionsTableWithColumns, PermissionsTableWithColumnsArgs

    DatabaseName string
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    Name string
    Name of the table resource.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    ColumnNames List<string>
    Set of column names for the table.
    ExcludedColumnNames List<string>
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    Wildcard bool

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    DatabaseName string
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    Name string
    Name of the table resource.
    CatalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    ColumnNames []string
    Set of column names for the table.
    ExcludedColumnNames []string
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    Wildcard bool

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    databaseName String
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    name String
    Name of the table resource.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    columnNames List<String>
    Set of column names for the table.
    excludedColumnNames List<String>
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    wildcard Boolean

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    databaseName string
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    name string
    Name of the table resource.
    catalogId string
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    columnNames string[]
    Set of column names for the table.
    excludedColumnNames string[]
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    wildcard boolean

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    database_name str
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    name str
    Name of the table resource.
    catalog_id str
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    column_names Sequence[str]
    Set of column names for the table.
    excluded_column_names Sequence[str]
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    wildcard bool

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    databaseName String
    Name of the database for the table with columns resource. Unique to the Data Catalog.
    name String
    Name of the table resource.
    catalogId String
    Identifier for the Data Catalog. By default, it is the account ID of the caller.
    columnNames List<String>
    Set of column names for the table.
    excludedColumnNames List<String>
    Set of column names for the table to exclude. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.
    wildcard Boolean

    Whether to use a column wildcard. If excluded_column_names is included, wildcard must be set to true to avoid the provider reporting a difference.

    The following arguments are optional:

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v6.28.1 published on Thursday, Mar 28, 2024 by Pulumi