AWS Lake Formation Permissions

This page shows how to write Terraform and CloudFormation for Lake Formation Permissions and write them securely.

aws_lakeformation_permissions (Terraform)

The Permissions in Lake Formation can be configured in Terraform with the resource name aws_lakeformation_permissions. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

github-iconcristiano-sancho-ferreira/aws-datalake-companyretail
resource "aws_lakeformation_permissions" "glue_lake_role1" {
  principal                     = aws_iam_role.glue_role.arn
  permissions                   = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
  permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]

  database {
github-icondanu165/terraform-bugs
resource "aws_lakeformation_permissions" "lf_permission1" {
  depends_on  = [aws_lakeformation_data_lake_settings.admin, aws_lakeformation_resource.bucket]
  count       = local.permission_test == 1 ? 1 : 0
  permissions = ["SELECT"]
  principal   = local.principal_to_grant

github-iconcristiano-sancho-ferreira/aws-datalake-engenharia-dados-cloud
resource "aws_lakeformation_permissions" "glue_lake_role" {
  principal   = aws_iam_role.glue_role.arn
  permissions = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]
  permissions_with_grant_option = ["ALL", "ALTER", "CREATE_TABLE", "DESCRIBE", "DROP"]

  database {

Parameters

Explanation in Terraform Registry

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, and tables. For more information, see Security and Access Control to Metadata and Data in Lake Formation. !> WARNING: Lake Formation permissions are not in effect by default within AWS. Using this resource will not secure your data and will result in errors if you do not change the security settings for existing resources and the default security settings for new resources. See Default Behavior and IAMAllowedPrincipals for additional details.

NOTE: In general, the principal should NOT be a Lake Formation administrator or the entity (e.g., IAM role) that is running Terraform. Administrators have implicit permissions. These should be managed by granting or not granting administrator rights using aws_lakeformation_data_lake_settings, not with this resource.

AWS::LakeFormation::Permissions (CloudFormation)

The Permissions in LakeFormation can be configured in CloudFormation with the resource name AWS::LakeFormation::Permissions. The following sections describe how to use the resource and its parameters.

Parameters

Explanation in CloudFormation Registry

The AWS::LakeFormation::Permissions resource represents the permissions that a principal has on an AWS Glue Data Catalog resource (such as AWS Glue database or AWS Glue tables). When you upload a permissions stack, the permissions are granted to the principal and when you remove the stack, the permissions are revoked from the principal. If you remove a stack, and the principal does not have the permissions referenced in the stack then AWS Lake Formation will throw an error because you can’t call revoke on non-existing permissions. To successfully remove the stack, you’ll need to regrant those permissions and then remove the stack.

Frequently asked questions

What is AWS Lake Formation Permissions?

AWS Lake Formation Permissions is a resource for Lake Formation of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Lake Formation Permissions?

For Terraform, the cristiano-sancho-ferreira/aws-datalake-companyretail, danu165/terraform-bugs and cristiano-sancho-ferreira/aws-datalake-engenharia-dados-cloud source code examples are useful. See the Terraform Example section for further details.