
Resource: awsLakeformationDataLakeSettings

Manages Lake Formation principals designated as data lake administrators and lists of principal permission entries for default create database and default create table permissions.

~> NOTE: Lake Formation introduces fine-grained access control for data in your data lake. Part of the changes include the IAMAllowedPrincipals principal, which exists to keep Lake Formation backwards compatible with existing IAM and Glue permissions: on any resource where IAMAllowedPrincipals holds a permission, access is effectively controlled by IAM policies alone and Lake Formation grants on that resource are not enforced. For more information, see Changing the Default Security Settings for Your Data Lake and Upgrading AWS Glue Data Permissions to the AWS Lake Formation Model.

Example Usage

Data Lake Admins

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Only the listed principals become data lake administrators; an admin
// that is not in this set is removed on apply.
new aws.lakeformationDataLakeSettings.LakeformationDataLakeSettings(
  this,
  "example",
  {
    // "${...}" strings are Terraform references to an IAM user and role
    // defined elsewhere in the stack; CDKTF passes them through unresolved.
    admins: ["${aws_iam_user.test.arn}", "${aws_iam_role.test.arn}"],
  }
);

Create Default Permissions

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.lakeformationDataLakeSettings.LakeformationDataLakeSettings(
  this,
  "example",
  {
    // "${...}" strings are Terraform references to an IAM user and role
    // defined elsewhere in the stack; CDKTF passes them through unresolved.
    admins: ["${aws_iam_user.test.arn}", "${aws_iam_role.test.arn}"],
    // Granted automatically on every database created from now on.
    // Permission names are the uppercase Lake Formation API constants.
    createDatabaseDefaultPermissions: [
      {
        permissions: ["SELECT", "ALTER", "DROP"],
        principal: "${aws_iam_user.test.arn}",
      },
    ],
    // Granted automatically on every table created from now on.
    createTableDefaultPermissions: [
      {
        permissions: ["ALL"],
        principal: "${aws_iam_role.test.arn}",
      },
    ],
  }
);

Argument Reference

The following arguments are optional:

  • admins – (Optional) Set of ARNs of AWS Lake Formation principals (IAM users or roles).
  • catalogId – (Optional) Identifier for the Data Catalog. By default, the account ID.
  • createDatabaseDefaultPermissions - (Optional) Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
  • createTableDefaultPermissions - (Optional) Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.
  • trustedResourceOwners – (Optional) List of resource-owning AWS account IDs that are trusted to receive the caller's user access details (user ARNs) when the caller's principals access resources those accounts have shared; the user ARNs can then appear in the resource owner's CloudTrail logs.

~> NOTE: Although every argument is optional, omitting admins, createDatabaseDefaultPermissions, createTableDefaultPermissions, and/or trustedResourceOwners clears that setting on apply. Applying this resource without admins therefore removes every existing data lake administrator, and applying it without the two default-permission lists removes the IAMAllowedPrincipals defaults, so new databases and tables are then governed only by explicit Lake Formation grants. An account has a single data lake settings object per Data Catalog, so declare this resource once; two instances for the same catalog overwrite each other on every apply.

createDatabaseDefaultPermissions

The following arguments are optional:

  • permissions - (Optional) List of permissions that are granted to the principal. Valid values are ALL, SELECT, ALTER, DROP, DELETE, INSERT, DESCRIBE, and CREATE_TABLE (uppercase, as in the Lake Formation API). For more details, see Lake Formation Permissions Reference.
  • principal - (Optional) Principal who is granted permissions. To keep access to new databases controlled by IAM alone (the pre-Lake Formation behaviour), set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["ALL"]; with that default in place, Lake Formation grants on new databases are not enforced. To have new databases governed by explicit Lake Formation grants instead, leave createDatabaseDefaultPermissions out so the default is cleared.

createTableDefaultPermissions

The following arguments are optional:

  • permissions - (Optional) List of permissions that are granted to the principal. Valid values are ALL, SELECT, ALTER, DROP, DELETE, INSERT, and DESCRIBE (uppercase, as in the Lake Formation API); CREATE_TABLE applies to databases only. For more details, see Lake Formation Permissions Reference.
  • principal - (Optional) Principal who is granted permissions. To keep access to new tables controlled by IAM alone (the pre-Lake Formation behaviour), set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["ALL"]; with that default in place, Lake Formation grants on new tables are not enforced. To have new tables governed by explicit Lake Formation grants instead, leave createTableDefaultPermissions out so the default is cleared.
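Whether a settings object keeps Lake Formation enforcement in place, or silently falls back to the IAM-only compatibility mode described in the NOTE, is worth checking before cdktf deploy. The following is an added example, not code from this page or from the provider: a plain TypeScript lint over the property object that LakeformationDataLakeSettings takes. The field names mirror the arguments above; the cdktf import is left out so the check runs stand-alone, and the helper names, the sample ARNs and account ID, and the two sample configurations are this example's own assumptions. It flags IAM_ALLOWED_PRINCIPALS pass-through defaults on either list, an empty admins set (which clears the administrators on apply), permission names outside the uppercase API set, CREATE_TABLE on a table default, and more than three entries per list, and it shows the hardened variant with both default lists cleared.

```typescript
// Added example (not from the provider docs): pre-apply lint of the property
// object passed to LakeformationDataLakeSettings. Field names mirror the
// construct's arguments; helper names, sample ARNs and sample configs are
// this example's own assumptions.

type PrincipalPermissions = {
  principal: string;
  permissions: string[];
};

type DataLakeSettingsProps = {
  admins?: string[];
  catalogId?: string;
  createDatabaseDefaultPermissions?: PrincipalPermissions[];
  createTableDefaultPermissions?: PrincipalPermissions[];
  trustedResourceOwners?: string[];
};

// Sentinel principal: a default granted to it makes new resources IAM-only,
// i.e. Lake Formation grants on them are not enforced.
const IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS";

// Uppercase API constants; CREATE_TABLE is meaningful only on a database.
const DATABASE_PERMISSIONS = new Set<string>([
  "ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE", "CREATE_TABLE",
]);
const TABLE_PERMISSIONS = new Set<string>([
  "ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE",
]);

// Returns finding codes in a stable order so CI can diff them.
function lintDataLakeSettings(props: DataLakeSettingsProps): string[] {
  const findings: string[] = [];

  // Omitting admins (or passing []) clears the administrator list on apply.
  if (!props.admins || props.admins.length === 0) {
    findings.push("ADMINS_CLEARED");
  }
  for (const arn of props.admins ?? []) {
    // "${...}" is an unresolved Terraform reference, only known at apply time.
    if (arn.startsWith("${")) continue;
    if (!/^arn:aws[a-z-]*:iam::\d{12}:(user|role)\//.test(arn)) {
      findings.push(`ADMIN_NOT_USER_OR_ROLE:${arn}`);
    }
  }

  checkDefaults("DATABASE", props.createDatabaseDefaultPermissions, DATABASE_PERMISSIONS, findings);
  checkDefaults("TABLE", props.createTableDefaultPermissions, TABLE_PERMISSIONS, findings);

  for (const owner of props.trustedResourceOwners ?? []) {
    if (!/^\d{12}$/.test(owner)) findings.push(`TRUSTED_OWNER_NOT_ACCOUNT_ID:${owner}`);
  }
  return findings;
}

function checkDefaults(
  kind: string,
  entries: PrincipalPermissions[] | undefined,
  valid: Set<string>,
  findings: string[],
): void {
  // Absent or empty: the default is cleared and new resources receive only
  // explicit Lake Formation grants, which is the enforced configuration.
  if (!entries || entries.length === 0) return;
  if (entries.length > 3) findings.push(`${kind}_DEFAULTS_TOO_MANY:${entries.length}`);
  for (const entry of entries) {
    for (const permission of entry.permissions) {
      // Exact match: the API constants are uppercase.
      if (!valid.has(permission)) findings.push(`${kind}_INVALID_PERMISSION:${permission}`);
    }
    if (entry.principal === IAM_ALLOWED_PRINCIPALS) {
      findings.push(`${kind}_IAM_PASSTHROUGH:${entry.permissions.join(",")}`);
    }
  }
}

// Hardened variant: keep the admins, clear both default lists.
function enforceLakeFormation(props: DataLakeSettingsProps): DataLakeSettingsProps {
  return { ...props, createDatabaseDefaultPermissions: [], createTableDefaultPermissions: [] };
}

// Constructed sample: the IAM-compatibility mode the NOTE above describes.
const iamCompatibilitySettings: DataLakeSettingsProps = {
  admins: ["arn:aws:iam::123456789012:role/lf-admin"],
  createDatabaseDefaultPermissions: [{ principal: IAM_ALLOWED_PRINCIPALS, permissions: ["ALL"] }],
  createTableDefaultPermissions: [{ principal: IAM_ALLOWED_PRINCIPALS, permissions: ["ALL"] }],
};

// Constructed sample with three mistakes: no admins, a lowercase permission
// name, and CREATE_TABLE on a table default.
const misconfiguredSettings: DataLakeSettingsProps = {
  admins: [],
  createTableDefaultPermissions: [
    { principal: "${aws_iam_role.test.arn}", permissions: ["select", "CREATE_TABLE"] },
  ],
};

console.log(lintDataLakeSettings(iamCompatibilitySettings));
console.log(lintDataLakeSettings(enforceLakeFormation(iamCompatibilitySettings)));
console.log(lintDataLakeSettings(misconfiguredSettings));
```

Run it with ts-node before cdktf deploy. Any *_IAM_PASSTHROUGH finding means the stack keeps the IAM-only compatibility mode and Lake Formation grants will not gate the resources created under it; ADMINS_CLEARED means the apply would leave the account with no data lake administrator. The hardened object from enforceLakeFormation is the same shape the construct accepts, so it can be passed straight into new LakeformationDataLakeSettings(this, "example", ...).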

Attributes Reference

No additional attributes are exported.