AWS Lake Formation Permissions
This page shows how to write Terraform and CloudFormation for Lake Formation Permissions and write them securely.
aws_lakeformation_permissions (Terraform)
The Permissions in Lake Formation can be configured in Terraform with the resource name aws_lakeformation_permissions. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_lakeformation_permissions" "glue_lake_role1" {
principal = aws_iam_role.glue_role.arn
permissions = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
database {
resource "aws_lakeformation_permissions" "lf_permission1" {
depends_on = [aws_lakeformation_data_lake_settings.admin, aws_lakeformation_resource.bucket]
count = local.permission_test == 1 ? 1 : 0
permissions = ["SELECT"]
principal = local.principal_to_grant
resource "aws_lakeformation_permissions" "glue_lake_role" {
principal = aws_iam_role.glue_role.arn
permissions = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
database {
Parameters
-
catalog_idoptional - string -
catalog_resourceoptional - bool -
idoptional computed - string -
permissionsrequired - list of string -
permissions_with_grant_optionoptional computed - list of string -
principalrequired - string -
data_locationlist block-
arnrequired - string -
catalog_idoptional computed - string
-
-
databaselist block-
catalog_idoptional computed - string -
namerequired - string
-
-
tablelist block-
catalog_idoptional computed - string -
database_namerequired - string -
nameoptional computed - string -
wildcardoptional - bool
-
-
table_with_columnslist block-
catalog_idoptional computed - string -
column_namesoptional - list of string -
database_namerequired - string -
excluded_column_namesoptional - list of string -
namerequired - string
-
Explanation in Terraform Registry
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, and tables. For more information, see Security and Access Control to Metadata and Data in Lake Formation. !> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and
IAMAllowedPrincipalsfor additional details.NOTE: In general, the
principalshould NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running Terraform. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights usingaws_lakeformation_data_lake_settings, not with this resource.
AWS::LakeFormation::Permissions (CloudFormation)
The Permissions in LakeFormation can be configured in CloudFormation with the resource name AWS::LakeFormation::Permissions. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
-
DataLakePrincipalrequired - DataLakePrincipal -
Resourcerequired - Resource -
Permissionsoptional - List -
PermissionsWithGrantOptionoptional - List
Explanation in CloudFormation Registry
The
AWS::LakeFormation::Permissionsresource represents the permissions that a principal has on an AWS Glue Data Catalog resource (such as AWS Glue database or AWS Glue tables). When you upload a permissions stack, the permissions are granted to the principal and when you remove the stack, the permissions are revoked from the principal. If you remove a stack, and the principal does not have the permissions referenced in the stack then AWS Lake Formation will throw an error because you can’t call revoke on non-existing permissions. To successfully remove the stack, you’ll need to regrant those permissions and then remove the stack.
Frequently asked questions
What is AWS Lake Formation Permissions?
AWS Lake Formation Permissions is a resource for Lake Formation of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Lake Formation Permissions?
For Terraform, the cristiano-sancho-ferreira/aws-datalake-companyretail, danu165/terraform-bugs and cristiano-sancho-ferreira/aws-datalake-engenharia-dados-cloud source code examples are useful. See the Terraform Example section for further details.
