Resource: awsLakeformationPermissions
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.
!> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and iamAllowedPrincipals
for additional details.
\~> NOTE: In general, the principal
should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running Terraform. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights using awsLakeformationDataLakeSettings
, not with this resource.
Default Behavior and iamAllowedPrincipals
Lake Formation permissions are not in effect by default within AWS. iamAllowedPrincipals
(i.e., IAM_ALLOWED_PRINCIPALS
) conflicts with individual Lake Formation permissions (i.e., non-iamAllowedPrincipals
permissions), will cause unexpected behavior, and may result in errors.
When using Lake Formation, choose ONE of the following options as they are mutually exclusive:
- Use this resource (
awsLakeformationPermissions
), change the default security settings usingawsLakeformationDataLakeSettings
, and remove existingiamAllowedPrincipals
permissions - Use
iamAllowedPrincipals
withoutawsLakeformationPermissions
This example shows removing the iamAllowedPrincipals
default security settings and making the caller a Lake Formation admin. Since createDatabaseDefaultPermissions
and createTableDefaultPermissions
are not set in the awsLakeformationDataLakeSettings
resource, they are cleared.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsCallerIdentityCurrent =
new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const dataAwsIamSessionContextCurrent =
new aws.dataAwsIamSessionContext.DataAwsIamSessionContext(this, "current_1", {
arn: dataAwsCallerIdentityCurrent.arn,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsIamSessionContextCurrent.overrideLogicalId("current");
new aws.lakeformationDataLakeSettings.LakeformationDataLakeSettings(
this,
"test",
{
admins: [dataAwsIamSessionContextCurrent.issuerArn],
}
);
To remove existing iamAllowedPrincipals
permissions, use the AWS Lake Formation Console or AWS CLI.
iamAllowedPrincipals
is a hook to maintain backwards compatibility with AWS Glue. iamAllowedPrincipals
is a pseudo-entity group that acts like a Lake Formation principal. The group includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies.
This is Lake Formation's default behavior:
- Lake Formation grants
super
permission toiamAllowedPrincipals
on all existing AWS Glue Data Catalog resources. - Lake Formation enables "Use only IAM access control" for new Data Catalog resources.
For more details, see Changing the Default Security Settings for Your Data Lake.
Problem Using iamAllowedPrincipals
AWS does not support combining iamAllowedPrincipals
permissions and non-iamAllowedPrincipals
permissions. Doing so results in unexpected permissions and behaviors. For example, this configuration grants a user select
on a column in a table.
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.glueCatalogDatabase.GlueCatalogDatabase(this, "example", {
name: "sadabate",
});
const awsGlueCatalogTableExample = new aws.glueCatalogTable.GlueCatalogTable(
this,
"example_1",
{
databaseName: "${aws_glue_catalog_database.test.name}",
name: "abelt",
storageDescriptor: {
columns: [
{
name: "event",
type: "string",
},
],
},
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsGlueCatalogTableExample.overrideLogicalId("example");
const awsLakeformationPermissionsExample =
new aws.lakeformationPermissions.LakeformationPermissions(this, "example_2", {
permissions: ["SELECT"],
principal: "arn:aws:iam:us-east-1:123456789012:user/SanHolo",
tableWithColumns: {
columnNames: ["event"],
databaseName: awsGlueCatalogTableExample.databaseName,
name: awsGlueCatalogTableExample.name,
},
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsLakeformationPermissionsExample.overrideLogicalId("example");
The resulting permissions depend on whether the table had iamAllowedPrincipals
(IAP) permissions or not.
Result With IAP | Result Without IAP |
---|---|
select column wildcard (i.e., all columns) | select on "event" (as expected) |
Using Lake Formation Permissions
Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. These implicit permissions cannot be revoked per se. If this resource reads implicit permissions, it will attempt to revoke them, which causes an error when the resource is destroyed.
There are two ways to avoid these errors. First, and the way we recommend, is to avoid using this resource with principals that have implicit permissions. A second, error-prone option, is to grant explicit permissions (and permissionsWithGrantOption
) to "overwrite" a principal's implicit permissions, which you can then revoke with this resource. For more information, see Implicit Lake Formation Permissions.
If the principal
is also a data lake administrator, AWS grants implicit permissions that can cause errors using this resource. For example, AWS implicitly grants a principal
/administrator permissions
and permissionsWithGrantOption
of all
, alter
, delete
, describe
, drop
, insert
, and select
on a table. If you use this resource to explicitly grant the principal
/administrator permissions
but not permissionsWithGrantOption
of all
, alter
, delete
, describe
, drop
, insert
, and select
on the table, this resource will read the implicit permissionsWithGrantOption
and attempt to revoke them when the resource is destroyed. Doing so will cause an invalidInputException:NoPermissionsRevoked
error because you cannot revoke implicit permissions per se. To workaround this problem, explicitly grant the principal
/administrator permissions
and permissionsWithGrantOption
, which can then be revoked. Similarly, granting a principal
/administrator permissions on a table with columns and providing columnNames
, will result in a invalidInputException:PermissionsModificationIsInvalid
error because you are narrowing the implicit permissions. Instead, set wildcard
to true
and remove the columnNames
.
Example Usage
Grant Permissions For A Lake Formation S3 Resource
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.lakeformationPermissions.LakeformationPermissions(this, "example", {
dataLocation: {
arn: "${aws_lakeformation_resource.example.arn}",
},
permissions: ["ALL"],
principal: "${aws_iam_role.workflow_role.arn}",
});
Grant Permissions For A Glue Catalog Database
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.lakeformationPermissions.LakeformationPermissions(this, "example", {
database: {
catalogId: "110376042874",
name: "${aws_glue_catalog_database.example.name}",
},
permissions: ["CREATE_TABLE", "ALTER", "DROP"],
principal: "${aws_iam_role.workflow_role.arn}",
});
Grant Permissions Using Tag-Based Access Control
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.lakeformationPermissions.LakeformationPermissions(this, "test", {
lfTagPolicy: {
expression: [
{
key: "Team",
values: ["Sales"],
},
{
key: "Environment",
values: ["Dev", "Production"],
},
],
resourceType: "DATABASE",
},
permissions: ["CREATE_TABLE", "ALTER", "DROP"],
principal: "${aws_iam_role.sales_role.arn}",
});
Argument Reference
The following arguments are required:
permissions
– (Required) List of permissions granted to the principal. Valid values may includeall
,alter
,associate
,CREATE_DATABASE
,CREATE_TABLE
,DATA_LOCATION_ACCESS
,delete
,describe
,drop
,insert
, andselect
. For details on each permission, see Lake Formation Permissions Reference.principal
– (Required) Principal to be granted the permissions on the resource. Supported principals includeIAM_ALLOWED_PRINCIPALS
(see Default Behavior andiamAllowedPrincipals
above), IAM roles, users, groups, SAML groups and users, QuickSight groups, OUs, and organizations as well as AWS account IDs for cross-account permissions. For more information, see Lake Formation Permissions Reference.
\~> NOTE: We highly recommend that the principal
NOT be a Lake Formation administrator (granted using awsLakeformationDataLakeSettings
). The entity (e.g., IAM role) running Terraform will most likely need to be a Lake Formation administrator. As such, the entity will have implicit permissions and does not need permissions granted through this resource.
One of the following is required:
catalogResource
- (Optional) Whether the permissions are to be granted for the Data Catalog. Defaults tofalse
.dataLocation
- (Optional) Configuration block for a data location resource. Detailed below.database
- (Optional) Configuration block for a database resource. Detailed below.lfTag
- (Optional) Configuration block for an LF-tag resource. Detailed below.lfTagPolicy
- (Optional) Configuration block for an LF-tag policy resource. Detailed below.table
- (Optional) Configuration block for a table resource. Detailed below.tableWithColumns
- (Optional) Configuration block for a table with columns resource. Detailed below.
The following arguments are optional:
catalogId
– (Optional) Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.permissionsWithGrantOption
- (Optional) Subset ofpermissions
which the principal can pass.
dataLocation
The following argument is required:
arn
– (Required) Amazon Resource Name (ARN) that uniquely identifies the data location resource.
The following argument is optional:
catalogId
- (Optional) Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
database
The following argument is required:
name
– (Required) Name of the database resource. Unique to the Data Catalog.
The following argument is optional:
catalogId
- (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
lfTag
The following arguments are required:
key
– (Required) The key-name for the tag.values
- (Required) A list of possible values an attribute can take.
The following argument is optional:
catalogId
- (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
lfTagPolicy
The following arguments are required:
resourceType
– (Required) The resource type for which the tag policy applies. Valid values aredatabase
andtable
.expression
- (Required) A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. Seeexpression
below.
The following argument is optional:
catalogId
- (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
expression
key
– (Required) The key-name of an LF-Tag.values
- (Required) A list of possible values of an LF-Tag.
table
The following argument is required:
databaseName
– (Required) Name of the database for the table. Unique to a Data Catalog.name
- (Required, at least one ofname
orwildcard
) Name of the table.wildcard
- (Required, at least one ofname
orwildcard
) Whether to use a wildcard representing every table under a database. Defaults tofalse
.
The following arguments are optional:
catalogId
- (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.
tableWithColumns
The following arguments are required:
columnNames
- (Required, at least one ofcolumnNames
orwildcard
) Set of column names for the table.databaseName
– (Required) Name of the database for the table with columns resource. Unique to the Data Catalog.name
– (Required) Name of the table resource.wildcard
- (Required, at least one ofcolumnNames
orwildcard
) Whether to use a column wildcard. IfexcludedColumnNames
is included,wildcard
must be set totrue
to avoid Terraform reporting a difference.
The following arguments are optional:
catalogId
- (Optional) Identifier for the Data Catalog. By default, it is the account ID of the caller.excludedColumnNames
- (Optional) Set of column names for the table to exclude. IfexcludedColumnNames
is included,wildcard
must be set totrue
to avoid Terraform reporting a difference.
Attributes Reference
No additional attributes are exported.