AWS Lake Formation Permissions
This page shows how to write Terraform and CloudFormation for Lake Formation Permissions and write them securely.
aws_lakeformation_permissions (Terraform)
The Permissions in Lake Formation can be configured in Terraform with the resource name aws_lakeformation_permissions. The following sections describe 3 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_lakeformation_permissions" "glue_lake_role1" {
  principal                     = aws_iam_role.glue_role.arn
  permissions                   = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
  permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]

  database {
    # name argument not shown: the example is truncated in the source
  }
}

resource "aws_lakeformation_permissions" "lf_permission1" {
  depends_on = [aws_lakeformation_data_lake_settings.admin, aws_lakeformation_resource.bucket]
  count      = local.permission_test == 1 ? 1 : 0

  permissions = ["SELECT"]
  principal   = local.principal_to_grant
  # the resource block that follows is not shown: the example is truncated in the source
}

resource "aws_lakeformation_permissions" "glue_lake_role" {
  principal                     = aws_iam_role.glue_role.arn
  permissions                   = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
  permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]

  database {
    # name argument not shown: the example is truncated in the source
  }
}
Parameters
- catalog_id - optional - string
- catalog_resource - optional - bool
- id - optional computed - string
- permissions - required - list of string
- permissions_with_grant_option - optional computed - list of string
- principal - required - string
- data_location - list block
  - arn - required - string
  - catalog_id - optional computed - string
- database - list block
  - catalog_id - optional computed - string
  - name - required - string
- table - list block
  - catalog_id - optional computed - string
  - database_name - required - string
  - name - optional computed - string
  - wildcard - optional - bool
- table_with_columns - list block
  - catalog_id - optional computed - string
  - column_names - optional - list of string
  - database_name - required - string
  - excluded_column_names - optional - list of string
  - name - required - string
Explanation in Terraform Registry
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, and tables. For more information, see Security and Access Control to Metadata and Data in Lake Formation.

WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and IAMAllowedPrincipals for additional details.

NOTE: In general, the principal should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running Terraform. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights using aws_lakeformation_data_lake_settings, not with this resource.
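A least-privilege counterpart to the GitHub examples above, added here as an illustration (it is not code from the page's GitHub sources or from the Terraform Registry). It assumes two placeholder roles, aws_iam_role.lf_admin and aws_iam_role.analyst, and a placeholder database "sales" with a table "orders".

```hcl
# Added example; aws_iam_role.lf_admin, aws_iam_role.analyst, "sales" and
# "orders" are assumed placeholders, not values from the page.

# 1. Data lake settings. Only the admin role goes here; the analyst role
#    that receives grants below is deliberately NOT an administrator
#    (administrators already have implicit permissions, per the NOTE above).
#    No create_database_default_permissions / create_table_default_permissions
#    blocks are declared, so new databases and tables are not handed to
#    IAM_ALLOWED_PRINCIPALS; without this the grants below are not enforced.
resource "aws_lakeformation_data_lake_settings" "this" {
  admins = [aws_iam_role.lf_admin.arn]
}

# 2. Read-only grant, scoped to named columns, with no grant option.
#    Contrast with the GitHub examples, which grant ALL together with
#    permissions_with_grant_option for every permission.
resource "aws_lakeformation_permissions" "analyst_orders_select" {
  depends_on = [aws_lakeformation_data_lake_settings.this]

  principal   = aws_iam_role.analyst.arn
  permissions = ["SELECT"]
  # permissions_with_grant_option omitted on purpose: the analyst must not
  # be able to re-grant its access to other principals.

  table_with_columns {
    database_name = "sales"
    name          = "orders"
    column_names  = ["order_id", "order_date", "total"]
    # excluded_column_names is the alternative when it is easier to name
    # the sensitive columns to hide than the columns to expose.
  }
}

# 3. DESCRIBE on the database so the analyst can discover the table
#    in the catalog without gaining any data access through this grant.
resource "aws_lakeformation_permissions" "analyst_sales_describe" {
  depends_on = [aws_lakeformation_data_lake_settings.this]

  principal   = aws_iam_role.analyst.arn
  permissions = ["DESCRIBE"]

  database {
    name = "sales"
  }
}
```

Existing databases and tables keep whatever IAMAllowedPrincipals grant they already carry; the WARNING above applies to those separately, and this example only covers new resources and the explicit grants.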
AWS::LakeFormation::Permissions (CloudFormation)
The Permissions in LakeFormation can be configured in CloudFormation with the resource name AWS::LakeFormation::Permissions. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
- DataLakePrincipal - required - DataLakePrincipal
- Resource - required - Resource
- Permissions - optional - List
- PermissionsWithGrantOption - optional - List
Explanation in CloudFormation Registry
The AWS::LakeFormation::Permissions resource represents the permissions that a principal has on an AWS Glue Data Catalog resource (such as AWS Glue database or AWS Glue tables). When you upload a permissions stack, the permissions are granted to the principal and when you remove the stack, the permissions are revoked from the principal. If you remove a stack, and the principal does not have the permissions referenced in the stack then AWS Lake Formation will throw an error because you can't call revoke on non-existing permissions. To successfully remove the stack, you'll need to regrant those permissions and then remove the stack.
Frequently asked questions
What is AWS Lake Formation Permissions?
AWS Lake Formation Permissions is a resource for Lake Formation of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Lake Formation Permissions?
For Terraform, the cristiano-sancho-ferreira/aws-datalake-companyretail, danu165/terraform-bugs and cristiano-sancho-ferreira/aws-datalake-engenharia-dados-cloud source code examples are useful. See the Terraform Example section for further details.