Data Source: awsLakeformationPermissions

Get permissions for a principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.

~> NOTE: This data source deals with explicitly granted permissions. Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. For more information, see Implicit Lake Formation Permissions.

Example Usage

Permissions For A Lake Formation S3 Resource

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsLakeformationPermissions.DataAwsLakeformationPermissions(
  this,
  "test",
  {
    dataLocation: {
      arn: "${aws_lakeformation_resource.test.arn}",
    },
    principal: "${aws_iam_role.workflow_role.arn}",
  }
);

Permissions For A Glue Catalog Database

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsLakeformationPermissions.DataAwsLakeformationPermissions(
  this,
  "test",
  {
    database: {
      catalogId: "110376042874",
      name: "${aws_glue_catalog_database.test.name}",
    },
    principal: "${aws_iam_role.workflow_role.arn}",
  }
);

Permissions For Tag-Based Access Control

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsLakeformationPermissions.DataAwsLakeformationPermissions(
  this,
  "test",
  {
    lfTagPolicy: {
      expression: [
        {
          key: "Team",
          values: ["Sales"],
        },
        {
          key: "Environment",
          values: ["Dev", "Production"],
        },
      ],
      resourceType: "DATABASE",
    },
    principal: "${aws_iam_role.workflow_role.arn}",
  }
);

Argument Reference

The following arguments are required:

  • principal – (Required) Principal whose permissions on the resource are retrieved. Supported principals are IAM users or IAM roles.

One of the following is required:

  • catalogResource - Whether the permissions apply to the Data Catalog itself. Defaults to false.
  • dataLocation - Configuration block for a data location resource. Detailed below.
  • database - Configuration block for a database resource. Detailed below.
  • lfTag - Configuration block for an LF-tag resource. Detailed below.
  • lfTagPolicy - Configuration block for an LF-tag policy resource. Detailed below.
  • table - Configuration block for a table resource. Detailed below.
  • tableWithColumns - Configuration block for a table with columns resource. Detailed below.

The following arguments are optional:

  • catalogId – (Optional) Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

dataLocation

The following argument is required:

  • arn – (Required) ARN that uniquely identifies the data location resource.

The following argument is optional:

  • catalogId - (Optional) Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

database

The following argument is required:

  • name – (Required) Name of the database resource. Unique to the Data Catalog.

The following argument is optional:

  • catalogId - (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.

lfTag

The following arguments are required:

  • key – (Required) Key-name for the tag.
  • values - (Required) List of possible values an attribute can take.

The following argument is optional:

  • catalogId - (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.

lfTagPolicy

The following arguments are required:

  • resourceType – (Required) Resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
  • expression - (Required) List of configuration blocks, one per tag condition, that together make up the tag policy. See expression below.

The following argument is optional:

  • catalogId - (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.

expression

  • key – (Required) Key-name of an LF-Tag.
  • values - (Required) List of possible values of an LF-Tag.
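How an lfTagPolicy expression such as the one in the Tag-Based Access Control example above selects resources, as an added TypeScript example (not provider code). It assumes the Lake Formation tag-based access control matching rule that every key in the expression must be present on the resource with one of that key's listed values; the catalog contents are constructed sample data.

```typescript
// Added example: evaluates an lfTagPolicy `expression` against the LF-tags
// attached to Data Catalog resources. Assumes the Lake Formation TBAC rule
// that every key in the expression must be present on the resource, with a
// value drawn from that key's list (AND across keys, OR within a key's values).
// Not part of the provider; constructed for illustration.

interface TagCondition {
  key: string;
  values: string[];
}

// LF-tags attached to one resource, as key -> the single assigned value.
type ResourceTags = Record<string, string>;

interface CatalogResource {
  name: string;
  resourceType: "DATABASE" | "TABLE";
  tags: ResourceTags;
}

// True when the resource satisfies every condition in the expression.
function matchesExpression(expression: TagCondition[], tags: ResourceTags): boolean {
  return expression.every((cond) => {
    const assigned = tags[cond.key];
    return assigned !== undefined && cond.values.includes(assigned);
  });
}

// Names of resources of the policy's resourceType that the expression selects.
function selectResources(
  expression: TagCondition[],
  resourceType: "DATABASE" | "TABLE",
  resources: CatalogResource[],
): string[] {
  return resources
    .filter((r) => r.resourceType === resourceType && matchesExpression(expression, r.tags))
    .map((r) => r.name);
}

// The expression from the Tag-Based Access Control example on this page.
const salesExpression: TagCondition[] = [
  { key: "Team", values: ["Sales"] },
  { key: "Environment", values: ["Dev", "Production"] },
];

// Constructed sample catalog (not real data); untagged keys never match.
const sampleCatalog: CatalogResource[] = [
  { name: "sales_dev", resourceType: "DATABASE", tags: { Team: "Sales", Environment: "Dev" } },
  { name: "sales_prod", resourceType: "DATABASE", tags: { Team: "Sales", Environment: "Production" } },
  { name: "sales_staging", resourceType: "DATABASE", tags: { Team: "Sales", Environment: "Staging" } },
  { name: "hr_prod", resourceType: "DATABASE", tags: { Team: "HR", Environment: "Production" } },
  { name: "sales_untagged", resourceType: "DATABASE", tags: { Team: "Sales" } },
  { name: "sales_orders", resourceType: "TABLE", tags: { Team: "Sales", Environment: "Production" } },
];
```

Running selectResources(salesExpression, "DATABASE", sampleCatalog) returns only sales_dev and sales_prod: a missing Environment tag or an unlisted value excludes the resource, and the TABLE rows are never considered for a DATABASE policy.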

table

The following argument is required:

  • databaseName – (Required) Name of the database for the table. Unique to a Data Catalog.

The following arguments are optional:

  • catalogId - (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
  • name - (Optional) Name of the table. At least one of name or wildcard is required.
  • wildcard - (Optional) Whether to use a wildcard representing every table under a database. At least one of name or wildcard is required. Defaults to false.

tableWithColumns

The following arguments are required:

  • databaseName – (Required) Name of the database for the table with columns resource. Unique to the Data Catalog.
  • name – (Required) Name of the table resource.

The following arguments are optional:

  • catalogId - (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
  • columnNames - (Optional) Set of column names for the table. At least one of columnNames or excludedColumnNames is required.
  • excludedColumnNames - (Optional) Set of column names for the table to exclude. At least one of columnNames or excludedColumnNames is required.

Attributes Reference

In addition to the above arguments, the following attributes are exported:

  • permissions – List of permissions granted to the principal. For details on permissions, see Lake Formation Permissions Reference.
  • permissionsWithGrantOption - Subset of permissions which the principal can pass.