Try AWS Native preview for resources not in the classic version.
aws.lakeformation.Permissions
Explore with Pulumi AI
Try AWS Native preview for resources not in the classic version.
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.
!> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and IAMAllowedPrincipals
for additional details.
NOTE: In general, the
principal
should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running the deployment. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights usingaws.lakeformation.DataLakeSettings
, not with this resource.
Default Behavior and IAMAllowedPrincipals
Lake Formation permissions are not in effect by default within AWS. IAMAllowedPrincipals
(i.e., IAM_ALLOWED_PRINCIPALS
) conflicts with individual Lake Formation permissions (i.e., non-IAMAllowedPrincipals
permissions), will cause unexpected behavior, and may result in errors.
When using Lake Formation, choose ONE of the following options as they are mutually exclusive:
- Use this resource (
aws.lakeformation.Permissions
), change the default security settings usingaws.lakeformation.DataLakeSettings
, and remove existingIAMAllowedPrincipals
permissions - Use
IAMAllowedPrincipals
withoutaws.lakeformation.Permissions
This example shows removing the IAMAllowedPrincipals
default security settings and making the caller a Lake Formation admin. Since create_database_default_permissions
and create_table_default_permissions
are not set in the aws.lakeformation.DataLakeSettings
resource, they are cleared.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const currentCallerIdentity = aws.getCallerIdentity({});
const currentSessionContext = currentCallerIdentity.then(currentCallerIdentity => aws.iam.getSessionContext({
arn: currentCallerIdentity.arn,
}));
const test = new aws.lakeformation.DataLakeSettings("test", {admins: [currentSessionContext.then(currentSessionContext => currentSessionContext.issuerArn)]});
import pulumi
import pulumi_aws as aws
current_caller_identity = aws.get_caller_identity()
current_session_context = aws.iam.get_session_context(arn=current_caller_identity.arn)
test = aws.lakeformation.DataLakeSettings("test", admins=[current_session_context.issuer_arn])
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var currentCallerIdentity = Aws.GetCallerIdentity.Invoke();
var currentSessionContext = Aws.Iam.GetSessionContext.Invoke(new()
{
Arn = currentCallerIdentity.Apply(getCallerIdentityResult => getCallerIdentityResult.Arn),
});
var test = new Aws.LakeFormation.DataLakeSettings("test", new()
{
Admins = new[]
{
currentSessionContext.Apply(getSessionContextResult => getSessionContextResult.IssuerArn),
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
currentCallerIdentity, err := aws.GetCallerIdentity(ctx, nil, nil)
if err != nil {
return err
}
currentSessionContext, err := iam.GetSessionContext(ctx, &iam.GetSessionContextArgs{
Arn: currentCallerIdentity.Arn,
}, nil)
if err != nil {
return err
}
_, err = lakeformation.NewDataLakeSettings(ctx, "test", &lakeformation.DataLakeSettingsArgs{
Admins: pulumi.StringArray{
*pulumi.String(currentSessionContext.IssuerArn),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetSessionContextArgs;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var currentCallerIdentity = AwsFunctions.getCallerIdentity();
final var currentSessionContext = IamFunctions.getSessionContext(GetSessionContextArgs.builder()
.arn(currentCallerIdentity.applyValue(getCallerIdentityResult -> getCallerIdentityResult.arn()))
.build());
var test = new DataLakeSettings("test", DataLakeSettingsArgs.builder()
.admins(currentSessionContext.applyValue(getSessionContextResult -> getSessionContextResult.issuerArn()))
.build());
}
}
resources:
test:
type: aws:lakeformation:DataLakeSettings
properties:
admins:
- ${currentSessionContext.issuerArn}
variables:
currentCallerIdentity:
fn::invoke:
Function: aws:getCallerIdentity
Arguments: {}
currentSessionContext:
fn::invoke:
Function: aws:iam:getSessionContext
Arguments:
arn: ${currentCallerIdentity.arn}
To remove existing IAMAllowedPrincipals
permissions, use the AWS Lake Formation Console or AWS CLI.
IAMAllowedPrincipals
is a hook to maintain backwards compatibility with AWS Glue. IAMAllowedPrincipals
is a pseudo-entity group that acts like a Lake Formation principal. The group includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies.
This is Lake Formation’s default behavior:
- Lake Formation grants
Super
permission toIAMAllowedPrincipals
on all existing AWS Glue Data Catalog resources. - Lake Formation enables “Use only IAM access control” for new Data Catalog resources.
For more details, see Changing the Default Security Settings for Your Data Lake.
Problem Using IAMAllowedPrincipals
AWS does not support combining IAMAllowedPrincipals
permissions and non-IAMAllowedPrincipals
permissions. Doing so results in unexpected permissions and behaviors. For example, this configuration grants a user SELECT
on a column in a table.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleCatalogDatabase = new aws.glue.CatalogDatabase("exampleCatalogDatabase", {name: "sadabate"});
const exampleCatalogTable = new aws.glue.CatalogTable("exampleCatalogTable", {
name: "abelt",
databaseName: aws_glue_catalog_database.test.name,
storageDescriptor: {
columns: [{
name: "event",
type: "string",
}],
},
});
const examplePermissions = new aws.lakeformation.Permissions("examplePermissions", {
permissions: ["SELECT"],
principal: "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
tableWithColumns: {
databaseName: exampleCatalogTable.databaseName,
name: exampleCatalogTable.name,
columnNames: ["event"],
},
});
import pulumi
import pulumi_aws as aws
example_catalog_database = aws.glue.CatalogDatabase("exampleCatalogDatabase", name="sadabate")
example_catalog_table = aws.glue.CatalogTable("exampleCatalogTable",
name="abelt",
database_name=aws_glue_catalog_database["test"]["name"],
storage_descriptor=aws.glue.CatalogTableStorageDescriptorArgs(
columns=[aws.glue.CatalogTableStorageDescriptorColumnArgs(
name="event",
type="string",
)],
))
example_permissions = aws.lakeformation.Permissions("examplePermissions",
permissions=["SELECT"],
principal="arn:aws:iam:us-east-1:123456789012:user/SanHolo",
table_with_columns=aws.lakeformation.PermissionsTableWithColumnsArgs(
database_name=example_catalog_table.database_name,
name=example_catalog_table.name,
column_names=["event"],
))
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleCatalogDatabase = new Aws.Glue.CatalogDatabase("exampleCatalogDatabase", new()
{
Name = "sadabate",
});
var exampleCatalogTable = new Aws.Glue.CatalogTable("exampleCatalogTable", new()
{
Name = "abelt",
DatabaseName = aws_glue_catalog_database.Test.Name,
StorageDescriptor = new Aws.Glue.Inputs.CatalogTableStorageDescriptorArgs
{
Columns = new[]
{
new Aws.Glue.Inputs.CatalogTableStorageDescriptorColumnArgs
{
Name = "event",
Type = "string",
},
},
},
});
var examplePermissions = new Aws.LakeFormation.Permissions("examplePermissions", new()
{
PermissionDetails = new[]
{
"SELECT",
},
Principal = "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
TableWithColumns = new Aws.LakeFormation.Inputs.PermissionsTableWithColumnsArgs
{
DatabaseName = exampleCatalogTable.DatabaseName,
Name = exampleCatalogTable.Name,
ColumnNames = new[]
{
"event",
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/glue"
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := glue.NewCatalogDatabase(ctx, "exampleCatalogDatabase", &glue.CatalogDatabaseArgs{
Name: pulumi.String("sadabate"),
})
if err != nil {
return err
}
exampleCatalogTable, err := glue.NewCatalogTable(ctx, "exampleCatalogTable", &glue.CatalogTableArgs{
Name: pulumi.String("abelt"),
DatabaseName: pulumi.Any(aws_glue_catalog_database.Test.Name),
StorageDescriptor: &glue.CatalogTableStorageDescriptorArgs{
Columns: glue.CatalogTableStorageDescriptorColumnArray{
&glue.CatalogTableStorageDescriptorColumnArgs{
Name: pulumi.String("event"),
Type: pulumi.String("string"),
},
},
},
})
if err != nil {
return err
}
_, err = lakeformation.NewPermissions(ctx, "examplePermissions", &lakeformation.PermissionsArgs{
Permissions: pulumi.StringArray{
pulumi.String("SELECT"),
},
Principal: pulumi.String("arn:aws:iam:us-east-1:123456789012:user/SanHolo"),
TableWithColumns: &lakeformation.PermissionsTableWithColumnsArgs{
DatabaseName: exampleCatalogTable.DatabaseName,
Name: exampleCatalogTable.Name,
ColumnNames: pulumi.StringArray{
pulumi.String("event"),
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.glue.CatalogDatabase;
import com.pulumi.aws.glue.CatalogDatabaseArgs;
import com.pulumi.aws.glue.CatalogTable;
import com.pulumi.aws.glue.CatalogTableArgs;
import com.pulumi.aws.glue.inputs.CatalogTableStorageDescriptorArgs;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsTableWithColumnsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleCatalogDatabase = new CatalogDatabase("exampleCatalogDatabase", CatalogDatabaseArgs.builder()
.name("sadabate")
.build());
var exampleCatalogTable = new CatalogTable("exampleCatalogTable", CatalogTableArgs.builder()
.name("abelt")
.databaseName(aws_glue_catalog_database.test().name())
.storageDescriptor(CatalogTableStorageDescriptorArgs.builder()
.columns(CatalogTableStorageDescriptorColumnArgs.builder()
.name("event")
.type("string")
.build())
.build())
.build());
var examplePermissions = new Permissions("examplePermissions", PermissionsArgs.builder()
.permissions("SELECT")
.principal("arn:aws:iam:us-east-1:123456789012:user/SanHolo")
.tableWithColumns(PermissionsTableWithColumnsArgs.builder()
.databaseName(exampleCatalogTable.databaseName())
.name(exampleCatalogTable.name())
.columnNames("event")
.build())
.build());
}
}
resources:
exampleCatalogDatabase:
type: aws:glue:CatalogDatabase
properties:
name: sadabate
exampleCatalogTable:
type: aws:glue:CatalogTable
properties:
name: abelt
databaseName: ${aws_glue_catalog_database.test.name}
storageDescriptor:
columns:
- name: event
type: string
examplePermissions:
type: aws:lakeformation:Permissions
properties:
permissions:
- SELECT
principal: arn:aws:iam:us-east-1:123456789012:user/SanHolo
tableWithColumns:
databaseName: ${exampleCatalogTable.databaseName}
name: ${exampleCatalogTable.name}
columnNames:
- event
The resulting permissions depend on whether the table had IAMAllowedPrincipals
(IAP) permissions or not.
Result With IAP | Result Without IAP |
---|---|
SELECT column wildcard (i.e., all columns) | SELECT on "event" (as expected) |
Using Lake Formation Permissions
Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. These implicit permissions cannot be revoked per se. If this resource reads implicit permissions, it will attempt to revoke them, which causes an error when the resource is destroyed.
There are two ways to avoid these errors. First, and the way we recommend, is to avoid using this resource with principals that have implicit permissions. A second, error-prone option, is to grant explicit permissions (and permissions_with_grant_option
) to “overwrite” a principal’s implicit permissions, which you can then revoke with this resource. For more information, see Implicit Lake Formation Permissions.
If the principal
is also a data lake administrator, AWS grants implicit permissions that can cause errors using this resource. For example, AWS implicitly grants a principal
/administrator permissions
and permissions_with_grant_option
of ALL
, ALTER
, DELETE
, DESCRIBE
, DROP
, INSERT
, and SELECT
on a table. If you use this resource to explicitly grant the principal
/administrator permissions
but not permissions_with_grant_option
of ALL
, ALTER
, DELETE
, DESCRIBE
, DROP
, INSERT
, and SELECT
on the table, this resource will read the implicit permissions_with_grant_option
and attempt to revoke them when the resource is destroyed. Doing so will cause an InvalidInputException: No permissions revoked
error because you cannot revoke implicit permissions per se. To workaround this problem, explicitly grant the principal
/administrator permissions
and permissions_with_grant_option
, which can then be revoked. Similarly, granting a principal
/administrator permissions on a table with columns and providing column_names
, will result in a InvalidInputException: Permissions modification is invalid
error because you are narrowing the implicit permissions. Instead, set wildcard
to true
and remove the column_names
.
Example Usage
Grant Permissions For A Lake Formation S3 Resource
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.Permissions("example", new()
{
Principal = aws_iam_role.Workflow_role.Arn,
PermissionDetails = new[]
{
"ALL",
},
DataLocation = new Aws.LakeFormation.Inputs.PermissionsDataLocationArgs
{
Arn = aws_lakeformation_resource.Example.Arn,
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(aws_iam_role.Workflow_role.Arn),
Permissions: pulumi.StringArray{
pulumi.String("ALL"),
},
DataLocation: &lakeformation.PermissionsDataLocationArgs{
Arn: pulumi.Any(aws_lakeformation_resource.Example.Arn),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsDataLocationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Permissions("example", PermissionsArgs.builder()
.principal(aws_iam_role.workflow_role().arn())
.permissions("ALL")
.dataLocation(PermissionsDataLocationArgs.builder()
.arn(aws_lakeformation_resource.example().arn())
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.Permissions("example",
principal=aws_iam_role["workflow_role"]["arn"],
permissions=["ALL"],
data_location=aws.lakeformation.PermissionsDataLocationArgs(
arn=aws_lakeformation_resource["example"]["arn"],
))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.Permissions("example", {
principal: aws_iam_role.workflow_role.arn,
permissions: ["ALL"],
dataLocation: {
arn: aws_lakeformation_resource.example.arn,
},
});
resources:
example:
type: aws:lakeformation:Permissions
properties:
principal: ${aws_iam_role.workflow_role.arn}
permissions:
- ALL
dataLocation:
arn: ${aws_lakeformation_resource.example.arn}
Grant Permissions For A Glue Catalog Database
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.Permissions("example", new()
{
Principal = aws_iam_role.Workflow_role.Arn,
PermissionDetails = new[]
{
"CREATE_TABLE",
"ALTER",
"DROP",
},
Database = new Aws.LakeFormation.Inputs.PermissionsDatabaseArgs
{
Name = aws_glue_catalog_database.Example.Name,
CatalogId = "110376042874",
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "example", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(aws_iam_role.Workflow_role.Arn),
Permissions: pulumi.StringArray{
pulumi.String("CREATE_TABLE"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
Database: &lakeformation.PermissionsDatabaseArgs{
Name: pulumi.Any(aws_glue_catalog_database.Example.Name),
CatalogId: pulumi.String("110376042874"),
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsDatabaseArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new Permissions("example", PermissionsArgs.builder()
.principal(aws_iam_role.workflow_role().arn())
.permissions(
"CREATE_TABLE",
"ALTER",
"DROP")
.database(PermissionsDatabaseArgs.builder()
.name(aws_glue_catalog_database.example().name())
.catalogId("110376042874")
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.Permissions("example",
principal=aws_iam_role["workflow_role"]["arn"],
permissions=[
"CREATE_TABLE",
"ALTER",
"DROP",
],
database=aws.lakeformation.PermissionsDatabaseArgs(
name=aws_glue_catalog_database["example"]["name"],
catalog_id="110376042874",
))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.Permissions("example", {
principal: aws_iam_role.workflow_role.arn,
permissions: [
"CREATE_TABLE",
"ALTER",
"DROP",
],
database: {
name: aws_glue_catalog_database.example.name,
catalogId: "110376042874",
},
});
resources:
example:
type: aws:lakeformation:Permissions
properties:
principal: ${aws_iam_role.workflow_role.arn}
permissions:
- CREATE_TABLE
- ALTER
- DROP
database:
name: ${aws_glue_catalog_database.example.name}
catalogId: '110376042874'
Grant Permissions Using Tag-Based Access Control
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var test = new Aws.LakeFormation.Permissions("test", new()
{
Principal = aws_iam_role.Sales_role.Arn,
PermissionDetails = new[]
{
"CREATE_TABLE",
"ALTER",
"DROP",
},
LfTagPolicy = new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyArgs
{
ResourceType = "DATABASE",
Expressions = new[]
{
new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
{
Key = "Team",
Values = new[]
{
"Sales",
},
},
new Aws.LakeFormation.Inputs.PermissionsLfTagPolicyExpressionArgs
{
Key = "Environment",
Values = new[]
{
"Dev",
"Production",
},
},
},
},
});
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewPermissions(ctx, "test", &lakeformation.PermissionsArgs{
Principal: pulumi.Any(aws_iam_role.Sales_role.Arn),
Permissions: pulumi.StringArray{
pulumi.String("CREATE_TABLE"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
LfTagPolicy: &lakeformation.PermissionsLfTagPolicyArgs{
ResourceType: pulumi.String("DATABASE"),
Expressions: lakeformation.PermissionsLfTagPolicyExpressionArray{
&lakeformation.PermissionsLfTagPolicyExpressionArgs{
Key: pulumi.String("Team"),
Values: pulumi.StringArray{
pulumi.String("Sales"),
},
},
&lakeformation.PermissionsLfTagPolicyExpressionArgs{
Key: pulumi.String("Environment"),
Values: pulumi.StringArray{
pulumi.String("Dev"),
pulumi.String("Production"),
},
},
},
},
})
if err != nil {
return err
}
return nil
})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.Permissions;
import com.pulumi.aws.lakeformation.PermissionsArgs;
import com.pulumi.aws.lakeformation.inputs.PermissionsLfTagPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var test = new Permissions("test", PermissionsArgs.builder()
.principal(aws_iam_role.sales_role().arn())
.permissions(
"CREATE_TABLE",
"ALTER",
"DROP")
.lfTagPolicy(PermissionsLfTagPolicyArgs.builder()
.resourceType("DATABASE")
.expressions(
PermissionsLfTagPolicyExpressionArgs.builder()
.key("Team")
.values("Sales")
.build(),
PermissionsLfTagPolicyExpressionArgs.builder()
.key("Environment")
.values(
"Dev",
"Production")
.build())
.build())
.build());
}
}
import pulumi
import pulumi_aws as aws
test = aws.lakeformation.Permissions("test",
principal=aws_iam_role["sales_role"]["arn"],
permissions=[
"CREATE_TABLE",
"ALTER",
"DROP",
],
lf_tag_policy=aws.lakeformation.PermissionsLfTagPolicyArgs(
resource_type="DATABASE",
expressions=[
aws.lakeformation.PermissionsLfTagPolicyExpressionArgs(
key="Team",
values=["Sales"],
),
aws.lakeformation.PermissionsLfTagPolicyExpressionArgs(
key="Environment",
values=[
"Dev",
"Production",
],
),
],
))
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const test = new aws.lakeformation.Permissions("test", {
principal: aws_iam_role.sales_role.arn,
permissions: [
"CREATE_TABLE",
"ALTER",
"DROP",
],
lfTagPolicy: {
resourceType: "DATABASE",
expressions: [
{
key: "Team",
values: ["Sales"],
},
{
key: "Environment",
values: [
"Dev",
"Production",
],
},
],
},
});
resources:
test:
type: aws:lakeformation:Permissions
properties:
principal: ${aws_iam_role.sales_role.arn}
permissions:
- CREATE_TABLE
- ALTER
- DROP
lfTagPolicy:
resourceType: DATABASE
expressions:
- key: Team
values:
- Sales
- key: Environment
values:
- Dev
- Production
Create Permissions Resource
new Permissions(name: string, args: PermissionsArgs, opts?: CustomResourceOptions);
@overload
def Permissions(resource_name: str,
opts: Optional[ResourceOptions] = None,
catalog_id: Optional[str] = None,
catalog_resource: Optional[bool] = None,
data_location: Optional[PermissionsDataLocationArgs] = None,
database: Optional[PermissionsDatabaseArgs] = None,
lf_tag: Optional[PermissionsLfTagArgs] = None,
lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
permissions: Optional[Sequence[str]] = None,
permissions_with_grant_options: Optional[Sequence[str]] = None,
principal: Optional[str] = None,
table: Optional[PermissionsTableArgs] = None,
table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None)
@overload
def Permissions(resource_name: str,
args: PermissionsArgs,
opts: Optional[ResourceOptions] = None)
func NewPermissions(ctx *Context, name string, args PermissionsArgs, opts ...ResourceOption) (*Permissions, error)
public Permissions(string name, PermissionsArgs args, CustomResourceOptions? opts = null)
public Permissions(String name, PermissionsArgs args)
public Permissions(String name, PermissionsArgs args, CustomResourceOptions options)
type: aws:lakeformation:Permissions
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PermissionsArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Permissions Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Permissions resource accepts the following input properties:
- Permission
Details List<string> List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- Catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- Data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- Permissions
With List<string>Grant Options Subset of
permissions
which the principal can pass.- Table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- Permissions []string
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- Catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- Data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- Permissions
With []stringGrant Options Subset of
permissions
which the principal can pass.- Table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- permissions List<String>
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- catalog
Id String Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With List<String>Grant Options Subset of
permissions
which the principal can pass.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- permissions string[]
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With string[]Grant Options Subset of
permissions
which the principal can pass.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- permissions Sequence[str]
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- principal str
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- catalog_
id str Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog_
resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data_
location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf_
tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf_
tag_ Permissionspolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions_
with_ Sequence[str]grant_ options Subset of
permissions
which the principal can pass.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table_
with_ Permissionscolumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- permissions List<String>
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- catalog
Id String Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location Property Map Configuration block for a data location resource. Detailed below.
- database Property Map
Configuration block for a database resource. Detailed below.
- lf
Tag Property Map Configuration block for an LF-tag resource. Detailed below.
- lf
Tag Property MapPolicy Configuration block for an LF-tag policy resource. Detailed below.
- permissions
With List<String>Grant Options Subset of
permissions
which the principal can pass.- table Property Map
Configuration block for a table resource. Detailed below.
- table
With Property MapColumns Configuration block for a table with columns resource. Detailed below.
Outputs
All input properties are implicitly available as output properties. Additionally, the Permissions resource produces the following output properties:
- Id string
The provider-assigned unique ID for this managed resource.
- Id string
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
- id string
The provider-assigned unique ID for this managed resource.
- id str
The provider-assigned unique ID for this managed resource.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing Permissions Resource
Get an existing Permissions resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PermissionsState, opts?: CustomResourceOptions): Permissions
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
catalog_id: Optional[str] = None,
catalog_resource: Optional[bool] = None,
data_location: Optional[PermissionsDataLocationArgs] = None,
database: Optional[PermissionsDatabaseArgs] = None,
lf_tag: Optional[PermissionsLfTagArgs] = None,
lf_tag_policy: Optional[PermissionsLfTagPolicyArgs] = None,
permissions: Optional[Sequence[str]] = None,
permissions_with_grant_options: Optional[Sequence[str]] = None,
principal: Optional[str] = None,
table: Optional[PermissionsTableArgs] = None,
table_with_columns: Optional[PermissionsTableWithColumnsArgs] = None) -> Permissions
func GetPermissions(ctx *Context, name string, id IDInput, state *PermissionsState, opts ...ResourceOption) (*Permissions, error)
public static Permissions Get(string name, Input<string> id, PermissionsState? state, CustomResourceOptions? opts = null)
public static Permissions get(String name, Output<String> id, PermissionsState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- Data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- Permission
Details List<string> List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- Permissions
With List<string>Grant Options Subset of
permissions
which the principal can pass.- Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- Table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- Catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- Catalog
Resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- Data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- Database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- Lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- Lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- Permissions []string
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- Permissions
With []stringGrant Options Subset of
permissions
which the principal can pass.- Principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- Table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- Table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- catalog
Id String Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions List<String>
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- permissions
With List<String>Grant Options Subset of
permissions
which the principal can pass.- principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- catalog
Id string Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf
Tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf
Tag PermissionsPolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions string[]
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- permissions
With string[]Grant Options Subset of
permissions
which the principal can pass.- principal string
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table
With PermissionsColumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- catalog_
id str Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog_
resource bool Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data_
location PermissionsData Location Args Configuration block for a data location resource. Detailed below.
- database
Permissions
Database Args Configuration block for a database resource. Detailed below.
- lf_
tag PermissionsLf Tag Args Configuration block for an LF-tag resource. Detailed below.
- lf_
tag_ Permissionspolicy Lf Tag Policy Args Configuration block for an LF-tag policy resource. Detailed below.
- permissions Sequence[str]
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- permissions_
with_ Sequence[str]grant_ options Subset of
permissions
which the principal can pass.- principal str
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- table
Permissions
Table Args Configuration block for a table resource. Detailed below.
- table_
with_ Permissionscolumns Table With Columns Args Configuration block for a table with columns resource. Detailed below.
- catalog
Id String Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
- catalog
Resource Boolean Whether the permissions are to be granted for the Data Catalog. Defaults to
false
.- data
Location Property Map Configuration block for a data location resource. Detailed below.
- database Property Map
Configuration block for a database resource. Detailed below.
- lf
Tag Property Map Configuration block for an LF-tag resource. Detailed below.
- lf
Tag Property MapPolicy Configuration block for an LF-tag policy resource. Detailed below.
- permissions List<String>
List of permissions granted to the principal. Valid values may include
ALL
,ALTER
,ASSOCIATE
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,DELETE
,DESCRIBE
,DROP
,INSERT
, andSELECT
. For details on each permission, see Lake Formation Permissions Reference.- permissions
With List<String>Grant Options Subset of
permissions
which the principal can pass.- principal String
Principal to be granted the permissions on the resource. Supported principals include
IAM_ALLOWED_PRINCIPALS
(see Default Behavior andIAMAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.- table Property Map
Configuration block for a table resource. Detailed below.
- table
With Property MapColumns Configuration block for a table with columns resource. Detailed below.
Supporting Types
PermissionsDataLocation
- arn str
Amazon Resource Name (ARN) that uniquely identifies the data location resource.
- catalog_
id str Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
PermissionsDatabase
- name str
Name of the database resource. Unique to the Data Catalog.
- catalog_
id str Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTag
- key str
The key-name for the tag.
- values Sequence[str]
A list of possible values an attribute can take.
- catalog_
id str Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTagPolicy
- Expressions
List<Permissions
Lf Tag Policy Expression> A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- Resource
Type string The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Expressions
[]Permissions
Lf Tag Policy Expression A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- Resource
Type string The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
List<Permissions
Lf Tag Policy Expression> A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- resource
Type String The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
Permissions
Lf Tag Policy Expression[] A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- resource
Type string The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions
Sequence[Permissions
Lf Tag Policy Expression] A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- resource_
type str The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- catalog_
id str Identifier for the Data Catalog. By default, it is the account ID of the caller.
- expressions List<Property Map>
A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See
expression
below.- resource
Type String The resource type for which the tag policy applies. Valid values are
DATABASE
andTABLE
.- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
PermissionsLfTagPolicyExpression
PermissionsTable
- Database
Name string Name of the database for the table. Unique to a Data Catalog.
- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Name string
Name of the table.
- Wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.
- Database
Name string Name of the database for the table. Unique to a Data Catalog.
- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Name string
Name of the table.
- Wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.
- database
Name String Name of the database for the table. Unique to a Data Catalog.
- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name String
Name of the table.
- wildcard Boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.
- database
Name string Name of the database for the table. Unique to a Data Catalog.
- catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name string
Name of the table.
- wildcard boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.
- database_
name str Name of the database for the table. Unique to a Data Catalog.
- catalog_
id str Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name str
Name of the table.
- wildcard bool
Whether to use a wildcard representing every table under a database. Defaults to
false
.
- database
Name String Name of the database for the table. Unique to a Data Catalog.
- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
- name String
Name of the table.
- wildcard Boolean
Whether to use a wildcard representing every table under a database. Defaults to
false
.
PermissionsTableWithColumns
- Database
Name string Name of the database for the table with columns resource. Unique to the Data Catalog.
- Name string
Name of the table resource.
- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Column
Names List<string> Set of column names for the table.
- Excluded
Column List<string>Names Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- Wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
- Database
Name string Name of the database for the table with columns resource. Unique to the Data Catalog.
- Name string
Name of the table resource.
- Catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- Column
Names []string Set of column names for the table.
- Excluded
Column []stringNames Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- Wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
- database
Name String Name of the database for the table with columns resource. Unique to the Data Catalog.
- name String
Name of the table resource.
- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names List<String> Set of column names for the table.
- excluded
Column List<String>Names Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- wildcard Boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
- database
Name string Name of the database for the table with columns resource. Unique to the Data Catalog.
- name string
Name of the table resource.
- catalog
Id string Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names string[] Set of column names for the table.
- excluded
Column string[]Names Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- wildcard boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
- database_
name str Name of the database for the table with columns resource. Unique to the Data Catalog.
- name str
Name of the table resource.
- catalog_
id str Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column_
names Sequence[str] Set of column names for the table.
- excluded_
column_ Sequence[str]names Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- wildcard bool
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
- database
Name String Name of the database for the table with columns resource. Unique to the Data Catalog.
- name String
Name of the table resource.
- catalog
Id String Identifier for the Data Catalog. By default, it is the account ID of the caller.
- column
Names List<String> Set of column names for the table.
- excluded
Column List<String>Names Set of column names for the table to exclude. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.- wildcard Boolean
Whether to use a column wildcard. If
excluded_column_names
is included,wildcard
must be set totrue
to avoid the provider reporting a difference.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
aws
Terraform Provider.
Try AWS Native preview for resources not in the classic version.