AWS Lake Formation

2024/12/03 - AWS Lake Formation - 16 updated api methods

Changes  This release added two new LakeFormation Permissions (CREATE_CATALOG, SUPER_USER) and added Id field for CatalogResource. It also added new conditon and expression field.

AddLFTagsToResource (updated) Link ¶
Changes (request)
{'Resource': {'Catalog': {'Id': 'string'}}}

Attaches one or more LF-tags to an existing resource.

See also: AWS API Documentation

Request Syntax

client.add_lf_tags_to_resource(
    CatalogId='string',
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    LFTags=[
        {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Resource:

dict

param Resource:

[REQUIRED]

The database, table, or column resource to which to attach an LF-tag.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type LFTags:

list

param LFTags:

[REQUIRED]

The LF-tags to attach to the resource.

  • (dict) --

    A structure containing an LF-tag key-value pair.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'LFTag': {
                'CatalogId': 'string',
                'TagKey': 'string',
                'TagValues': [
                    'string',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to tag the resource.

      • (dict) --

        A structure containing an error related to a TagResource or UnTagResource operation.

        • LFTag (dict) --

          The key-name of the LF-tag.

          • CatalogId (string) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

          • TagKey (string) --

            The key-name for the LF-tag.

          • TagValues (list) --

            A list of possible values an attribute can take.

            • (string) --

        • Error (dict) --

          An error that occurred with the attachment or detachment of the LF-tag.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.

BatchGrantPermissions (updated) Link ¶
Changes (request, response)
Request
{'Entries': {'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
             'PermissionsWithGrantOption': {'CREATE_CATALOG', 'SUPER_USER'},
             'Resource': {'Catalog': {'Id': 'string'}}}}
Response
{'Failures': {'RequestEntry': {'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
                               'PermissionsWithGrantOption': {'CREATE_CATALOG',
                                                              'SUPER_USER'},
                               'Resource': {'Catalog': {'Id': 'string'}}}}}

Batch operation to grant permissions to the principal.

See also: AWS API Documentation

Request Syntax

client.batch_grant_permissions(
    CatalogId='string',
    Entries=[
        {
            'Id': 'string',
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {
                    'Id': 'string'
                },
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}

                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ],
                    'ExpressionName': 'string'
                },
                'LFTagExpression': {
                    'CatalogId': 'string',
                    'Name': 'string'
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Entries:

list

param Entries:

[REQUIRED]

A list of up to 20 entries for resource permissions to be granted by batch operation to the principal.

  • (dict) --

    A permission to a resource granted by batch operation to the principal.

    • Id (string) -- [REQUIRED]

      A unique identifier for the batch permissions request entry.

    • Principal (dict) --

      The principal to be granted a permission.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

    • Resource (dict) --

      The resource to which the principal is to be granted a permission.

      • Catalog (dict) --

        The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • Id (string) --

          An identifier for the catalog resource.

      • Database (dict) --

        The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • Name (string) -- [REQUIRED]

          The name of the database resource. Unique to the Data Catalog.

      • Table (dict) --

        The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) --

          The name of the table.

        • TableWildcard (dict) --

          A wildcard object representing every table under a database.

          At least one of TableResource$Name or TableResource$TableWildcard is required.

      • TableWithColumns (dict) --

        The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) -- [REQUIRED]

          The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • ColumnNames (list) --

          The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

          • (string) --

        • ColumnWildcard (dict) --

          A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

          • ExcludedColumnNames (list) --

            Excludes column names. Any column with this name will be excluded.

            • (string) --

      • DataLocation (dict) --

        The location of an Amazon S3 path where permissions are granted or revoked.

        • CatalogId (string) --

          The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

        • ResourceArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

      • DataCellsFilter (dict) --

        A data cell filter.

        • TableCatalogId (string) --

          The ID of the catalog to which the table belongs.

        • DatabaseName (string) --

          A database in the Glue Data Catalog.

        • TableName (string) --

          The name of the table.

        • Name (string) --

          The name of the data cells filter.

      • LFTag (dict) --

        The LF-tag key and values attached to a resource.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

      • LFTagPolicy (dict) --

        A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • ResourceType (string) -- [REQUIRED]

          The resource type for which the LF-tag policy applies.

        • Expression (list) --

          A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

          • (dict) --

            A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

            • TagKey (string) -- [REQUIRED]

              The key-name for the LF-tag.

            • TagValues (list) -- [REQUIRED]

              A list of possible values an attribute can take.

              The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

              • (string) --

        • ExpressionName (string) --

          If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

      • LFTagExpression (dict) --

        LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID.

        • Name (string) -- [REQUIRED]

          The name of the LF-Tag expression to grant permissions on.

    • Permissions (list) --

      The permissions to be granted.

      • (string) --

    • PermissionsWithGrantOption (list) --

      Indicates if the option to pass permissions is granted.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'RequestEntry': {
                'Id': 'string',
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Resource': {
                    'Catalog': {
                        'Id': 'string'
                    },
                    'Database': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    },
                    'Table': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'TableWildcard': {}
                    },
                    'TableWithColumns': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'ColumnNames': [
                            'string',
                        ],
                        'ColumnWildcard': {
                            'ExcludedColumnNames': [
                                'string',
                            ]
                        }
                    },
                    'DataLocation': {
                        'CatalogId': 'string',
                        'ResourceArn': 'string'
                    },
                    'DataCellsFilter': {
                        'TableCatalogId': 'string',
                        'DatabaseName': 'string',
                        'TableName': 'string',
                        'Name': 'string'
                    },
                    'LFTag': {
                        'CatalogId': 'string',
                        'TagKey': 'string',
                        'TagValues': [
                            'string',
                        ]
                    },
                    'LFTagPolicy': {
                        'CatalogId': 'string',
                        'ResourceType': 'DATABASE'|'TABLE',
                        'Expression': [
                            {
                                'TagKey': 'string',
                                'TagValues': [
                                    'string',
                                ]
                            },
                        ],
                        'ExpressionName': 'string'
                    },
                    'LFTagExpression': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    }
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ],
                'PermissionsWithGrantOption': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to grant permissions to the resources.

      • (dict) --

        A list of failures when performing a batch grant or batch revoke operation.

        • RequestEntry (dict) --

          An identifier for an entry of the batch request.

          • Id (string) --

            A unique identifier for the batch permissions request entry.

          • Principal (dict) --

            The principal to be granted a permission.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Resource (dict) --

            The resource to which the principal is to be granted a permission.

            • Catalog (dict) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • Id (string) --

                An identifier for the catalog resource.

            • Database (dict) --

              The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • Name (string) --

                The name of the database resource. Unique to the Data Catalog.

            • Table (dict) --

              The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table.

              • TableWildcard (dict) --

                A wildcard object representing every table under a database.

                At least one of TableResource$Name or TableResource$TableWildcard is required.

            • TableWithColumns (dict) --

              The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • ColumnNames (list) --

                The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

                • (string) --

              • ColumnWildcard (dict) --

                A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

                • ExcludedColumnNames (list) --

                  Excludes column names. Any column with this name will be excluded.

                  • (string) --

            • DataLocation (dict) --

              The location of an Amazon S3 path where permissions are granted or revoked.

              • CatalogId (string) --

                The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

              • ResourceArn (string) --

                The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

            • DataCellsFilter (dict) --

              A data cell filter.

              • TableCatalogId (string) --

                The ID of the catalog to which the table belongs.

              • DatabaseName (string) --

                A database in the Glue Data Catalog.

              • TableName (string) --

                The name of the table.

              • Name (string) --

                The name of the data cells filter.

            • LFTag (dict) --

              The LF-tag key and values attached to a resource.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • TagKey (string) --

                The key-name for the LF-tag.

              • TagValues (list) --

                A list of possible values an attribute can take.

                • (string) --

            • LFTagPolicy (dict) --

              A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • ResourceType (string) --

                The resource type for which the LF-tag policy applies.

              • Expression (list) --

                A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

                • (dict) --

                  A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                  • TagKey (string) --

                    The key-name for the LF-tag.

                  • TagValues (list) --

                    A list of possible values an attribute can take.

                    The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

                    • (string) --

              • ExpressionName (string) --

                If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

            • LFTagExpression (dict) --

              LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID.

              • Name (string) --

                The name of the LF-Tag expression to grant permissions on.

          • Permissions (list) --

            The permissions to be granted.

            • (string) --

          • PermissionsWithGrantOption (list) --

            Indicates if the option to pass permissions is granted.

            • (string) --

        • Error (dict) --

          An error message that applies to the failure of the entry.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.

BatchRevokePermissions (updated) Link ¶
Changes (request, response)
Request
{'Entries': {'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
             'PermissionsWithGrantOption': {'CREATE_CATALOG', 'SUPER_USER'},
             'Resource': {'Catalog': {'Id': 'string'}}}}
Response
{'Failures': {'RequestEntry': {'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
                               'PermissionsWithGrantOption': {'CREATE_CATALOG',
                                                              'SUPER_USER'},
                               'Resource': {'Catalog': {'Id': 'string'}}}}}

Batch operation to revoke permissions from the principal.

See also: AWS API Documentation

Request Syntax

client.batch_revoke_permissions(
    CatalogId='string',
    Entries=[
        {
            'Id': 'string',
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {
                    'Id': 'string'
                },
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}

                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ],
                    'ExpressionName': 'string'
                },
                'LFTagExpression': {
                    'CatalogId': 'string',
                    'Name': 'string'
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Entries:

list

param Entries:

[REQUIRED]

A list of up to 20 entries for resource permissions to be revoked by batch operation to the principal.

  • (dict) --

    A permission to a resource granted by batch operation to the principal.

    • Id (string) -- [REQUIRED]

      A unique identifier for the batch permissions request entry.

    • Principal (dict) --

      The principal to be granted a permission.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

    • Resource (dict) --

      The resource to which the principal is to be granted a permission.

      • Catalog (dict) --

        The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • Id (string) --

          An identifier for the catalog resource.

      • Database (dict) --

        The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • Name (string) -- [REQUIRED]

          The name of the database resource. Unique to the Data Catalog.

      • Table (dict) --

        The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) --

          The name of the table.

        • TableWildcard (dict) --

          A wildcard object representing every table under a database.

          At least one of TableResource$Name or TableResource$TableWildcard is required.

      • TableWithColumns (dict) --

        The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) -- [REQUIRED]

          The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • ColumnNames (list) --

          The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

          • (string) --

        • ColumnWildcard (dict) --

          A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

          • ExcludedColumnNames (list) --

            Excludes column names. Any column with this name will be excluded.

            • (string) --

      • DataLocation (dict) --

        The location of an Amazon S3 path where permissions are granted or revoked.

        • CatalogId (string) --

          The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

        • ResourceArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

      • DataCellsFilter (dict) --

        A data cell filter.

        • TableCatalogId (string) --

          The ID of the catalog to which the table belongs.

        • DatabaseName (string) --

          A database in the Glue Data Catalog.

        • TableName (string) --

          The name of the table.

        • Name (string) --

          The name of the data cells filter.

      • LFTag (dict) --

        The LF-tag key and values attached to a resource.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

      • LFTagPolicy (dict) --

        A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • ResourceType (string) -- [REQUIRED]

          The resource type for which the LF-tag policy applies.

        • Expression (list) --

          A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

          • (dict) --

            A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

            • TagKey (string) -- [REQUIRED]

              The key-name for the LF-tag.

            • TagValues (list) -- [REQUIRED]

              A list of possible values an attribute can take.

              The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

              • (string) --

        • ExpressionName (string) --

          If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

      • LFTagExpression (dict) --

        LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID.

        • Name (string) -- [REQUIRED]

          The name of the LF-Tag expression to grant permissions on.

    • Permissions (list) --

      The permissions to be granted.

      • (string) --

    • PermissionsWithGrantOption (list) --

      Indicates if the option to pass permissions is granted.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'RequestEntry': {
                'Id': 'string',
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Resource': {
                    'Catalog': {
                        'Id': 'string'
                    },
                    'Database': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    },
                    'Table': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'TableWildcard': {}
                    },
                    'TableWithColumns': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'ColumnNames': [
                            'string',
                        ],
                        'ColumnWildcard': {
                            'ExcludedColumnNames': [
                                'string',
                            ]
                        }
                    },
                    'DataLocation': {
                        'CatalogId': 'string',
                        'ResourceArn': 'string'
                    },
                    'DataCellsFilter': {
                        'TableCatalogId': 'string',
                        'DatabaseName': 'string',
                        'TableName': 'string',
                        'Name': 'string'
                    },
                    'LFTag': {
                        'CatalogId': 'string',
                        'TagKey': 'string',
                        'TagValues': [
                            'string',
                        ]
                    },
                    'LFTagPolicy': {
                        'CatalogId': 'string',
                        'ResourceType': 'DATABASE'|'TABLE',
                        'Expression': [
                            {
                                'TagKey': 'string',
                                'TagValues': [
                                    'string',
                                ]
                            },
                        ],
                        'ExpressionName': 'string'
                    },
                    'LFTagExpression': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    }
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ],
                'PermissionsWithGrantOption': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to revoke permissions to the resources.

      • (dict) --

        A list of failures when performing a batch grant or batch revoke operation.

        • RequestEntry (dict) --

          An identifier for an entry of the batch request.

          • Id (string) --

            A unique identifier for the batch permissions request entry.

          • Principal (dict) --

            The principal to be granted a permission.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Resource (dict) --

            The resource to which the principal is to be granted a permission.

            • Catalog (dict) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • Id (string) --

                An identifier for the catalog resource.

            • Database (dict) --

              The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • Name (string) --

                The name of the database resource. Unique to the Data Catalog.

            • Table (dict) --

              The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table.

              • TableWildcard (dict) --

                A wildcard object representing every table under a database.

                At least one of TableResource$Name or TableResource$TableWildcard is required.

            • TableWithColumns (dict) --

              The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • ColumnNames (list) --

                The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

                • (string) --

              • ColumnWildcard (dict) --

                A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

                • ExcludedColumnNames (list) --

                  Excludes column names. Any column with this name will be excluded.

                  • (string) --

            • DataLocation (dict) --

              The location of an Amazon S3 path where permissions are granted or revoked.

              • CatalogId (string) --

                The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

              • ResourceArn (string) --

                The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

            • DataCellsFilter (dict) --

              A data cell filter.

              • TableCatalogId (string) --

                The ID of the catalog to which the table belongs.

              • DatabaseName (string) --

                A database in the Glue Data Catalog.

              • TableName (string) --

                The name of the table.

              • Name (string) --

                The name of the data cells filter.

            • LFTag (dict) --

              The LF-tag key and values attached to a resource.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • TagKey (string) --

                The key-name for the LF-tag.

              • TagValues (list) --

                A list of possible values an attribute can take.

                • (string) --

            • LFTagPolicy (dict) --

              A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • ResourceType (string) --

                The resource type for which the LF-tag policy applies.

              • Expression (list) --

                A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

                • (dict) --

                  A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                  • TagKey (string) --

                    The key-name for the LF-tag.

                  • TagValues (list) --

                    A list of possible values an attribute can take.

                    The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

                    • (string) --

              • ExpressionName (string) --

                If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

            • LFTagExpression (dict) --

              LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID.

              • Name (string) --

                The name of the LF-Tag expression to grant permissions on.

          • Permissions (list) --

            The permissions to be granted.

            • (string) --

          • PermissionsWithGrantOption (list) --

            Indicates if the option to pass permissions is granted.

            • (string) --

        • Error (dict) --

          An error message that applies to the failure of the entry.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.

CreateLakeFormationOptIn (updated) Link ¶
Changes (request)
{'Resource': {'Catalog': {'Id': 'string'}}}

Enforce Lake Formation permissions for the given databases, tables, and principals.

See also: AWS API Documentation

Request Syntax

client.create_lake_formation_opt_in(
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    }
)
type Principal:

dict

param Principal:

[REQUIRED]

The Lake Formation principal. Supported principals are IAM users or IAM roles.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

A structure for the resource.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

DeleteLakeFormationOptIn (updated) Link ¶
Changes (request)
{'Resource': {'Catalog': {'Id': 'string'}}}

Remove the Lake Formation permissions enforcement of the given databases, tables, and principals.

See also: AWS API Documentation

Request Syntax

client.delete_lake_formation_opt_in(
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    }
)
type Principal:

dict

param Principal:

[REQUIRED]

The Lake Formation principal. Supported principals are IAM users or IAM roles.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

A structure for the resource.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetDataLakeSettings (updated) Link ¶
Changes (response)
{'DataLakeSettings': {'CreateDatabaseDefaultPermissions': {'Permissions': {'CREATE_CATALOG',
                                                                           'SUPER_USER'}},
                      'CreateTableDefaultPermissions': {'Permissions': {'CREATE_CATALOG',
                                                                        'SUPER_USER'}}}}

Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.

See also: AWS API Documentation

Request Syntax

client.get_data_lake_settings(
    CatalogId='string'
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

rtype:

dict

returns:

Response Syntax

{
    'DataLakeSettings': {
        'DataLakeAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'ReadOnlyAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'CreateDatabaseDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
        ],
        'CreateTableDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
        ],
        'Parameters': {
            'string': 'string'
        },
        'TrustedResourceOwners': [
            'string',
        ],
        'AllowExternalDataFiltering': True|False,
        'AllowFullTableExternalDataAccess': True|False,
        'ExternalDataFilteringAllowList': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'AuthorizedSessionTagValueList': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • DataLakeSettings (dict) --

      A structure representing a list of Lake Formation principals designated as data lake administrators.

      • DataLakeAdmins (list) --

        A list of Lake Formation principals. Supported principals are IAM users or IAM roles.

        • (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

      • ReadOnlyAdmins (list) --

        A list of Lake Formation principals with only view access to the resources, without the ability to make changes. Supported principals are IAM users or IAM roles.

        • (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

      • CreateDatabaseDefaultPermissions (list) --

        Specifies whether access control on newly created database is managed by Lake Formation permissions or exclusively by IAM permissions.

        A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

        The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

        For more information, see Changing the Default Security Settings for Your Data Lake.

        • (dict) --

          Permissions granted to a principal.

          • Principal (dict) --

            The principal who is granted permissions.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Permissions (list) --

            The permissions that are granted to the principal.

            • (string) --

      • CreateTableDefaultPermissions (list) --

        Specifies whether access control on newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.

        A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

        The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

        For more information, see Changing the Default Security Settings for Your Data Lake.

        • (dict) --

          Permissions granted to a principal.

          • Principal (dict) --

            The principal who is granted permissions.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Permissions (list) --

            The permissions that are granted to the principal.

            • (string) --

      • Parameters (dict) --

        A key-value map that provides an additional configuration on your data lake. CROSS_ACCOUNT_VERSION is the key you can configure in the Parameters field. Accepted values for the CrossAccountVersion key are 1, 2, 3, and 4.

        • (string) --

          • (string) --

      • TrustedResourceOwners (list) --

        A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log.

        You may want to specify this property when you are in a high-trust boundary, such as the same team or company.

        • (string) --

      • AllowExternalDataFiltering (boolean) --

        Whether to allow Amazon EMR clusters to access data managed by Lake Formation.

        If true, you allow Amazon EMR clusters to access data in Amazon S3 locations that are registered with Lake Formation.

        If false or null, no Amazon EMR clusters will be able to access data in Amazon S3 locations that are registered with Lake Formation.

        For more information, see (Optional) Allow external data filtering.

      • AllowFullTableExternalDataAccess (boolean) --

        Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

      • ExternalDataFilteringAllowList (list) --

        A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.>

        • (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

      • AuthorizedSessionTagValueList (list) --

        Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it. Lake Formation will publish the acceptable key-value pair, for example key = "LakeFormationTrustedCaller" and value = "TRUE" and the third party integrator must properly tag the temporary security credentials that will be used to call Lake Formation's administrative APIs.

        • (string) --

GetEffectivePermissionsForPath (updated) Link ¶
Changes (response)
{'Permissions': {'Condition': {'Expression': 'string'},
                 'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
                 'PermissionsWithGrantOption': {'CREATE_CATALOG', 'SUPER_USER'},
                 'Resource': {'Catalog': {'Id': 'string'}}}}

Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3. GetEffectivePermissionsForPath will not return databases and tables if the catalog is encrypted.

See also: AWS API Documentation

Request Syntax

client.get_effective_permissions_for_path(
    CatalogId='string',
    ResourceArn='string',
    NextToken='string',
    MaxResults=123
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the resource for which you want to get permissions.

type NextToken:

string

param NextToken:

A continuation token, if this is not the first call to retrieve this list.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

rtype:

dict

returns:

Response Syntax

{
    'Permissions': [
        {
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {
                    'Id': 'string'
                },
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ],
                    'ExpressionName': 'string'
                },
                'LFTagExpression': {
                    'CatalogId': 'string',
                    'Name': 'string'
                }
            },
            'Condition': {
                'Expression': 'string'
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'AdditionalDetails': {
                'ResourceShare': [
                    'string',
                ]
            },
            'LastUpdated': datetime(2015, 1, 1),
            'LastUpdatedBy': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Permissions (list) --

      A list of the permissions for the specified table or database resource located at the path in Amazon S3.

      • (dict) --

        The permissions granted or revoked on a resource.

        • Principal (dict) --

          The Data Lake principal to be granted or revoked permissions.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

        • Resource (dict) --

          The resource where permissions are to be granted or revoked.

          • Catalog (dict) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • Id (string) --

              An identifier for the catalog resource.

          • Database (dict) --

            The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • Name (string) --

              The name of the database resource. Unique to the Data Catalog.

          • Table (dict) --

            The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table.

            • TableWildcard (dict) --

              A wildcard object representing every table under a database.

              At least one of TableResource$Name or TableResource$TableWildcard is required.

          • TableWithColumns (dict) --

            The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • ColumnNames (list) --

              The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

              • (string) --

            • ColumnWildcard (dict) --

              A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

              • ExcludedColumnNames (list) --

                Excludes column names. Any column with this name will be excluded.

                • (string) --

          • DataLocation (dict) --

            The location of an Amazon S3 path where permissions are granted or revoked.

            • CatalogId (string) --

              The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

            • ResourceArn (string) --

              The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

          • DataCellsFilter (dict) --

            A data cell filter.

            • TableCatalogId (string) --

              The ID of the catalog to which the table belongs.

            • DatabaseName (string) --

              A database in the Glue Data Catalog.

            • TableName (string) --

              The name of the table.

            • Name (string) --

              The name of the data cells filter.

          • LFTag (dict) --

            The LF-tag key and values attached to a resource.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

          • LFTagPolicy (dict) --

            A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • ResourceType (string) --

              The resource type for which the LF-tag policy applies.

            • Expression (list) --

              A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

              • (dict) --

                A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                • TagKey (string) --

                  The key-name for the LF-tag.

                • TagValues (list) --

                  A list of possible values an attribute can take.

                  The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

                  • (string) --

            • ExpressionName (string) --

              If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

          • LFTagExpression (dict) --

            LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID.

            • Name (string) --

              The name of the LF-Tag expression to grant permissions on.

        • Condition (dict) --

          A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.

          • Expression (string) --

            An expression written based on the Cedar Policy Language used to match the principal attributes.

        • Permissions (list) --

          The permissions to be granted or revoked on the resource.

          • (string) --

        • PermissionsWithGrantOption (list) --

          Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).

          • (string) --

        • AdditionalDetails (dict) --

          This attribute can be used to return any additional details of PrincipalResourcePermissions. Currently returns only as a RAM resource share ARN.

          • ResourceShare (list) --

            A resource share ARN for a catalog resource shared through RAM.

            • (string) --

        • LastUpdated (datetime) --

          The date and time when the resource was last updated.

        • LastUpdatedBy (string) --

          The user who updated the record.

    • NextToken (string) --

      A continuation token, if this is not the first call to retrieve this list.

GetResourceLFTags (updated) Link ¶
Changes (request)
{'Resource': {'Catalog': {'Id': 'string'}}}

Returns the LF-tags applied to a resource.

See also: AWS API Documentation

Request Syntax

client.get_resource_lf_tags(
    CatalogId='string',
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    ShowAssignedLFTags=True|False
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Resource:

dict

param Resource:

[REQUIRED]

The database, table, or column resource for which you want to return LF-tags.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type ShowAssignedLFTags:

boolean

param ShowAssignedLFTags:

Indicates whether to show the assigned LF-tags.

rtype:

dict

returns:

Response Syntax

{
    'LFTagOnDatabase': [
        {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
    ],
    'LFTagsOnTable': [
        {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
    ],
    'LFTagsOnColumns': [
        {
            'Name': 'string',
            'LFTags': [
                {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ]
        },
    ]
}

Response Structure

  • (dict) --

    • LFTagOnDatabase (list) --

      A list of LF-tags applied to a database resource.

      • (dict) --

        A structure containing an LF-tag key-value pair.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) --

          The key-name for the LF-tag.

        • TagValues (list) --

          A list of possible values an attribute can take.

          • (string) --

    • LFTagsOnTable (list) --

      A list of LF-tags applied to a table resource.

      • (dict) --

        A structure containing an LF-tag key-value pair.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) --

          The key-name for the LF-tag.

        • TagValues (list) --

          A list of possible values an attribute can take.

          • (string) --

    • LFTagsOnColumns (list) --

      A list of LF-tags applied to a column resource.

      • (dict) --

        A structure containing the name of a column resource and the LF-tags attached to it.

        • Name (string) --

          The name of a column resource.

        • LFTags (list) --

          The LF-tags attached to a column resource.

          • (dict) --

            A structure containing an LF-tag key-value pair.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

GetTemporaryGluePartitionCredentials (updated) Link ¶
Changes (request)
{'Permissions': {'CREATE_CATALOG', 'SUPER_USER'}}

This API is identical to GetTemporaryTableCredentials except that this is used when the target Data Catalog resource is of type Partition. Lake Formation restricts the permission of the vended credentials with the same scope down policy which restricts access to a single Amazon S3 prefix.

See also: AWS API Documentation

Request Syntax

client.get_temporary_glue_partition_credentials(
    TableArn='string',
    Partition={
        'Values': [
            'string',
        ]
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ],
    DurationSeconds=123,
    AuditContext={
        'AdditionalAuditContext': 'string'
    },
    SupportedPermissionTypes=[
        'COLUMN_PERMISSION'|'CELL_FILTER_PERMISSION'|'NESTED_PERMISSION'|'NESTED_CELL_PERMISSION',
    ]
)
type TableArn:

string

param TableArn:

[REQUIRED]

The ARN of the partitions' table.

type Partition:

dict

param Partition:

[REQUIRED]

A list of partition values identifying a single partition.

  • Values (list) -- [REQUIRED]

    The list of partition values.

    • (string) --

type Permissions:

list

param Permissions:

Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).

  • (string) --

type DurationSeconds:

integer

param DurationSeconds:

The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.

type AuditContext:

dict

param AuditContext:

A structure representing context to access a resource (column names, query ID, etc).

  • AdditionalAuditContext (string) --

    The filter engine can populate the 'AdditionalAuditContext' information with the request ID for you to track. This information will be displayed in CloudTrail log in your account.

type SupportedPermissionTypes:

list

param SupportedPermissionTypes:

A list of supported permission types for the partition. Valid values are COLUMN_PERMISSION and CELL_FILTER_PERMISSION.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'AccessKeyId': 'string',
    'SecretAccessKey': 'string',
    'SessionToken': 'string',
    'Expiration': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • AccessKeyId (string) --

      The access key ID for the temporary credentials.

    • SecretAccessKey (string) --

      The secret key for the temporary credentials.

    • SessionToken (string) --

      The session token for the temporary credentials.

    • Expiration (datetime) --

      The date and time when the temporary credentials expire.

GetTemporaryGlueTableCredentials (updated) Link ¶
Changes (request)
{'Permissions': {'CREATE_CATALOG', 'SUPER_USER'}}

Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix.

To call this API, the role that the service assumes must have lakeformation:GetDataAccess permission on the resource.

See also: AWS API Documentation

Request Syntax

client.get_temporary_glue_table_credentials(
    TableArn='string',
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ],
    DurationSeconds=123,
    AuditContext={
        'AdditionalAuditContext': 'string'
    },
    SupportedPermissionTypes=[
        'COLUMN_PERMISSION'|'CELL_FILTER_PERMISSION'|'NESTED_PERMISSION'|'NESTED_CELL_PERMISSION',
    ],
    S3Path='string',
    QuerySessionContext={
        'QueryId': 'string',
        'QueryStartTime': datetime(2015, 1, 1),
        'ClusterId': 'string',
        'QueryAuthorizationId': 'string',
        'AdditionalContext': {
            'string': 'string'
        }
    }
)
type TableArn:

string

param TableArn:

[REQUIRED]

The ARN identifying a table in the Data Catalog for the temporary credentials request.

type Permissions:

list

param Permissions:

Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).

  • (string) --

type DurationSeconds:

integer

param DurationSeconds:

The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.

type AuditContext:

dict

param AuditContext:

A structure representing context to access a resource (column names, query ID, etc).

  • AdditionalAuditContext (string) --

    The filter engine can populate the 'AdditionalAuditContext' information with the request ID for you to track. This information will be displayed in CloudTrail log in your account.

type SupportedPermissionTypes:

list

param SupportedPermissionTypes:

A list of supported permission types for the table. Valid values are COLUMN_PERMISSION and CELL_FILTER_PERMISSION.

  • (string) --

type S3Path:

string

param S3Path:

The Amazon S3 path for the table.

type QuerySessionContext:

dict

param QuerySessionContext:

A structure used as a protocol between query engines and Lake Formation or Glue. Contains both a Lake Formation generated authorization identifier and information from the request's authorization context.

  • QueryId (string) --

    A unique identifier generated by the query engine for the query.

  • QueryStartTime (datetime) --

    A timestamp provided by the query engine for when the query started.

  • ClusterId (string) --

    An identifier string for the consumer cluster.

  • QueryAuthorizationId (string) --

    A cryptographically generated query identifier generated by Glue or Lake Formation.

  • AdditionalContext (dict) --

    An opaque string-string map passed by the query engine.

    • (string) --

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'AccessKeyId': 'string',
    'SecretAccessKey': 'string',
    'SessionToken': 'string',
    'Expiration': datetime(2015, 1, 1),
    'VendedS3Path': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • AccessKeyId (string) --

      The access key ID for the temporary credentials.

    • SecretAccessKey (string) --

      The secret key for the temporary credentials.

    • SessionToken (string) --

      The session token for the temporary credentials.

    • Expiration (datetime) --

      The date and time when the temporary credentials expire.

    • VendedS3Path (list) --

      The Amazon S3 path for the temporary credentials.

      • (string) --

GrantPermissions (updated) Link ¶
Changes (request)
{'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
 'PermissionsWithGrantOption': {'CREATE_CATALOG', 'SUPER_USER'},
 'Resource': {'Catalog': {'Id': 'string'}}}

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

For information about permissions, see Security and Access Control to Metadata and Data.

See also: AWS API Documentation

Request Syntax

client.grant_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ],
    PermissionsWithGrantOption=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

[REQUIRED]

The principal to be granted the permissions on the resource. Supported principals are IAM users or IAM roles, and they are defined by their principal type and their ARN.

Note that if you define a resource with a particular ARN, then later delete, and recreate a resource with that same ARN, the resource maintains the permissions already granted.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

The resource to which permissions are to be granted. Resources in Lake Formation are the Data Catalog, databases, and tables.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type Permissions:

list

param Permissions:

[REQUIRED]

The permissions granted to the principal on the resource. Lake Formation defines privileges to grant and revoke access to metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Lake Formation requires that each principal be authorized to perform a specific task on Lake Formation resources.

  • (string) --

type PermissionsWithGrantOption:

list

param PermissionsWithGrantOption:

Indicates a list of the granted permissions that the principal may pass to other users. These permissions may only be a subset of the permissions granted in the Privileges.

  • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

ListLakeFormationOptIns (updated) Link ¶
Changes (request, response)
Request
{'Resource': {'Catalog': {'Id': 'string'}}}
Response
{'LakeFormationOptInsInfoList': {'Condition': {'Expression': 'string'},
                                 'Resource': {'Catalog': {'Id': 'string'}}}}

Retrieve the current list of resources and principals that are opt in to enforce Lake Formation permissions.

See also: AWS API Documentation

Request Syntax

client.list_lake_formation_opt_ins(
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    MaxResults=123,
    NextToken='string'
)
type Principal:

dict

param Principal:

The Lake Formation principal. Supported principals are IAM users or IAM roles.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

A structure for the resource.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type NextToken:

string

param NextToken:

A continuation token, if this is not the first call to retrieve this list.

rtype:

dict

returns:

Response Syntax

{
    'LakeFormationOptInsInfoList': [
        {
            'Resource': {
                'Catalog': {
                    'Id': 'string'
                },
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ],
                    'ExpressionName': 'string'
                },
                'LFTagExpression': {
                    'CatalogId': 'string',
                    'Name': 'string'
                }
            },
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Condition': {
                'Expression': 'string'
            },
            'LastModified': datetime(2015, 1, 1),
            'LastUpdatedBy': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • LakeFormationOptInsInfoList (list) --

      A list of principal-resource pairs that have Lake Formation permissins enforced.

      • (dict) --

        A single principal-resource pair that has Lake Formation permissins enforced.

        • Resource (dict) --

          A structure for the resource.

          • Catalog (dict) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • Id (string) --

              An identifier for the catalog resource.

          • Database (dict) --

            The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • Name (string) --

              The name of the database resource. Unique to the Data Catalog.

          • Table (dict) --

            The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table.

            • TableWildcard (dict) --

              A wildcard object representing every table under a database.

              At least one of TableResource$Name or TableResource$TableWildcard is required.

          • TableWithColumns (dict) --

            The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • ColumnNames (list) --

              The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

              • (string) --

            • ColumnWildcard (dict) --

              A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

              • ExcludedColumnNames (list) --

                Excludes column names. Any column with this name will be excluded.

                • (string) --

          • DataLocation (dict) --

            The location of an Amazon S3 path where permissions are granted or revoked.

            • CatalogId (string) --

              The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

            • ResourceArn (string) --

              The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

          • DataCellsFilter (dict) --

            A data cell filter.

            • TableCatalogId (string) --

              The ID of the catalog to which the table belongs.

            • DatabaseName (string) --

              A database in the Glue Data Catalog.

            • TableName (string) --

              The name of the table.

            • Name (string) --

              The name of the data cells filter.

          • LFTag (dict) --

            The LF-tag key and values attached to a resource.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

          • LFTagPolicy (dict) --

            A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • ResourceType (string) --

              The resource type for which the LF-tag policy applies.

            • Expression (list) --

              A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

              • (dict) --

                A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                • TagKey (string) --

                  The key-name for the LF-tag.

                • TagValues (list) --

                  A list of possible values an attribute can take.

                  The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

                  • (string) --

            • ExpressionName (string) --

              If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

          • LFTagExpression (dict) --

            LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID.

            • Name (string) --

              The name of the LF-Tag expression to grant permissions on.

        • Principal (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

        • Condition (dict) --

          A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.

          • Expression (string) --

            An expression written based on the Cedar Policy Language used to match the principal attributes.

        • LastModified (datetime) --

          The last modified date and time of the record.

        • LastUpdatedBy (string) --

          The user who updated the record.

    • NextToken (string) --

      A continuation token, if this is not the first call to retrieve this list.

ListPermissions (updated) Link ¶
Changes (request, response)
Request
{'Resource': {'Catalog': {'Id': 'string'}}}
Response
{'PrincipalResourcePermissions': {'Condition': {'Expression': 'string'},
                                  'Permissions': {'CREATE_CATALOG',
                                                  'SUPER_USER'},
                                  'PermissionsWithGrantOption': {'CREATE_CATALOG',
                                                                 'SUPER_USER'},
                                  'Resource': {'Catalog': {'Id': 'string'}}}}

Returns a list of the principal permissions on the resource, filtered by the permissions of the caller. For example, if you are granted an ALTER permission, you are able to see only the principal permissions for ALTER.

This operation returns only those permissions that have been explicitly granted.

For information about permissions, see Security and Access Control to Metadata and Data.

See also: AWS API Documentation

Request Syntax

client.list_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    ResourceType='CATALOG'|'DATABASE'|'TABLE'|'DATA_LOCATION'|'LF_TAG'|'LF_TAG_POLICY'|'LF_TAG_POLICY_DATABASE'|'LF_TAG_POLICY_TABLE'|'LF_NAMED_TAG_EXPRESSION',
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    NextToken='string',
    MaxResults=123,
    IncludeRelated='string'
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

Specifies a principal to filter the permissions returned.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type ResourceType:

string

param ResourceType:

Specifies a resource type to filter the permissions returned.

type Resource:

dict

param Resource:

A resource where you will get a list of the principal permissions.

This operation does not support getting privileges on a table with columns. Instead, call this operation on the table, and the operation returns the table and the table w columns.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type NextToken:

string

param NextToken:

A continuation token, if this is not the first call to retrieve this list.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type IncludeRelated:

string

param IncludeRelated:

Indicates that related permissions should be included in the results.

rtype:

dict

returns:

Response Syntax

{
    'PrincipalResourcePermissions': [
        {
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {
                    'Id': 'string'
                },
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ],
                    'ExpressionName': 'string'
                },
                'LFTagExpression': {
                    'CatalogId': 'string',
                    'Name': 'string'
                }
            },
            'Condition': {
                'Expression': 'string'
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
            ],
            'AdditionalDetails': {
                'ResourceShare': [
                    'string',
                ]
            },
            'LastUpdated': datetime(2015, 1, 1),
            'LastUpdatedBy': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • PrincipalResourcePermissions (list) --

      A list of principals and their permissions on the resource for the specified principal and resource types.

      • (dict) --

        The permissions granted or revoked on a resource.

        • Principal (dict) --

          The Data Lake principal to be granted or revoked permissions.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

        • Resource (dict) --

          The resource where permissions are to be granted or revoked.

          • Catalog (dict) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • Id (string) --

              An identifier for the catalog resource.

          • Database (dict) --

            The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • Name (string) --

              The name of the database resource. Unique to the Data Catalog.

          • Table (dict) --

            The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table.

            • TableWildcard (dict) --

              A wildcard object representing every table under a database.

              At least one of TableResource$Name or TableResource$TableWildcard is required.

          • TableWithColumns (dict) --

            The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • ColumnNames (list) --

              The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

              • (string) --

            • ColumnWildcard (dict) --

              A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

              • ExcludedColumnNames (list) --

                Excludes column names. Any column with this name will be excluded.

                • (string) --

          • DataLocation (dict) --

            The location of an Amazon S3 path where permissions are granted or revoked.

            • CatalogId (string) --

              The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

            • ResourceArn (string) --

              The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

          • DataCellsFilter (dict) --

            A data cell filter.

            • TableCatalogId (string) --

              The ID of the catalog to which the table belongs.

            • DatabaseName (string) --

              A database in the Glue Data Catalog.

            • TableName (string) --

              The name of the table.

            • Name (string) --

              The name of the data cells filter.

          • LFTag (dict) --

            The LF-tag key and values attached to a resource.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

          • LFTagPolicy (dict) --

            A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • ResourceType (string) --

              The resource type for which the LF-tag policy applies.

            • Expression (list) --

              A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

              • (dict) --

                A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                • TagKey (string) --

                  The key-name for the LF-tag.

                • TagValues (list) --

                  A list of possible values an attribute can take.

                  The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

                  • (string) --

            • ExpressionName (string) --

              If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

          • LFTagExpression (dict) --

            LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID.

            • Name (string) --

              The name of the LF-Tag expression to grant permissions on.

        • Condition (dict) --

          A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.

          • Expression (string) --

            An expression written based on the Cedar Policy Language used to match the principal attributes.

        • Permissions (list) --

          The permissions to be granted or revoked on the resource.

          • (string) --

        • PermissionsWithGrantOption (list) --

          Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).

          • (string) --

        • AdditionalDetails (dict) --

          This attribute can be used to return any additional details of PrincipalResourcePermissions. Currently returns only as a RAM resource share ARN.

          • ResourceShare (list) --

            A resource share ARN for a catalog resource shared through RAM.

            • (string) --

        • LastUpdated (datetime) --

          The date and time when the resource was last updated.

        • LastUpdatedBy (string) --

          The user who updated the record.

    • NextToken (string) --

      A continuation token, if this is not the first call to retrieve this list.

PutDataLakeSettings (updated) Link ¶
Changes (request)
{'DataLakeSettings': {'CreateDatabaseDefaultPermissions': {'Permissions': {'CREATE_CATALOG',
                                                                           'SUPER_USER'}},
                      'CreateTableDefaultPermissions': {'Permissions': {'CREATE_CATALOG',
                                                                        'SUPER_USER'}}}}

Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see Granting Lake Formation Permissions.

This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list and add the new admin to that list and pass that list in this API.

See also: AWS API Documentation

Request Syntax

client.put_data_lake_settings(
    CatalogId='string',
    DataLakeSettings={
        'DataLakeAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'ReadOnlyAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'CreateDatabaseDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
        ],
        'CreateTableDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
                ]
            },
        ],
        'Parameters': {
            'string': 'string'
        },
        'TrustedResourceOwners': [
            'string',
        ],
        'AllowExternalDataFiltering': True|False,
        'AllowFullTableExternalDataAccess': True|False,
        'ExternalDataFilteringAllowList': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'AuthorizedSessionTagValueList': [
            'string',
        ]
    }
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type DataLakeSettings:

dict

param DataLakeSettings:

[REQUIRED]

A structure representing a list of Lake Formation principals designated as data lake administrators.

  • DataLakeAdmins (list) --

    A list of Lake Formation principals. Supported principals are IAM users or IAM roles.

    • (dict) --

      The Lake Formation principal. Supported principals are IAM users or IAM roles.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

  • ReadOnlyAdmins (list) --

    A list of Lake Formation principals with only view access to the resources, without the ability to make changes. Supported principals are IAM users or IAM roles.

    • (dict) --

      The Lake Formation principal. Supported principals are IAM users or IAM roles.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

  • CreateDatabaseDefaultPermissions (list) --

    Specifies whether access control on newly created database is managed by Lake Formation permissions or exclusively by IAM permissions.

    A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

    The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

    For more information, see Changing the Default Security Settings for Your Data Lake.

    • (dict) --

      Permissions granted to a principal.

      • Principal (dict) --

        The principal who is granted permissions.

        • DataLakePrincipalIdentifier (string) --

          An identifier for the Lake Formation principal.

      • Permissions (list) --

        The permissions that are granted to the principal.

        • (string) --

  • CreateTableDefaultPermissions (list) --

    Specifies whether access control on newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.

    A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

    The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

    For more information, see Changing the Default Security Settings for Your Data Lake.

    • (dict) --

      Permissions granted to a principal.

      • Principal (dict) --

        The principal who is granted permissions.

        • DataLakePrincipalIdentifier (string) --

          An identifier for the Lake Formation principal.

      • Permissions (list) --

        The permissions that are granted to the principal.

        • (string) --

  • Parameters (dict) --

    A key-value map that provides an additional configuration on your data lake. CROSS_ACCOUNT_VERSION is the key you can configure in the Parameters field. Accepted values for the CrossAccountVersion key are 1, 2, 3, and 4.

    • (string) --

      • (string) --

  • TrustedResourceOwners (list) --

    A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log.

    You may want to specify this property when you are in a high-trust boundary, such as the same team or company.

    • (string) --

  • AllowExternalDataFiltering (boolean) --

    Whether to allow Amazon EMR clusters to access data managed by Lake Formation.

    If true, you allow Amazon EMR clusters to access data in Amazon S3 locations that are registered with Lake Formation.

    If false or null, no Amazon EMR clusters will be able to access data in Amazon S3 locations that are registered with Lake Formation.

    For more information, see (Optional) Allow external data filtering.

  • AllowFullTableExternalDataAccess (boolean) --

    Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.

  • ExternalDataFilteringAllowList (list) --

    A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.>

    • (dict) --

      The Lake Formation principal. Supported principals are IAM users or IAM roles.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

  • AuthorizedSessionTagValueList (list) --

    Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it. Lake Formation will publish the acceptable key-value pair, for example key = "LakeFormationTrustedCaller" and value = "TRUE" and the third party integrator must properly tag the temporary security credentials that will be used to call Lake Formation's administrative APIs.

    • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

RemoveLFTagsFromResource (updated) Link ¶
Changes (request)
{'Resource': {'Catalog': {'Id': 'string'}}}

Removes an LF-tag from the resource. Only database, table, or tableWithColumns resource are allowed. To tag columns, use the column inclusion list in tableWithColumns to specify column input.

See also: AWS API Documentation

Request Syntax

client.remove_lf_tags_from_resource(
    CatalogId='string',
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    LFTags=[
        {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Resource:

dict

param Resource:

[REQUIRED]

The database, table, or column resource where you want to remove an LF-tag.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type LFTags:

list

param LFTags:

[REQUIRED]

The LF-tags to be removed from the resource.

  • (dict) --

    A structure containing an LF-tag key-value pair.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'LFTag': {
                'CatalogId': 'string',
                'TagKey': 'string',
                'TagValues': [
                    'string',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to untag a resource.

      • (dict) --

        A structure containing an error related to a TagResource or UnTagResource operation.

        • LFTag (dict) --

          The key-name of the LF-tag.

          • CatalogId (string) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

          • TagKey (string) --

            The key-name for the LF-tag.

          • TagValues (list) --

            A list of possible values an attribute can take.

            • (string) --

        • Error (dict) --

          An error that occurred with the attachment or detachment of the LF-tag.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.

RevokePermissions (updated) Link ¶
Changes (request)
{'Permissions': {'CREATE_CATALOG', 'SUPER_USER'},
 'PermissionsWithGrantOption': {'CREATE_CATALOG', 'SUPER_USER'},
 'Resource': {'Catalog': {'Id': 'string'}}}

Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

See also: AWS API Documentation

Request Syntax

client.revoke_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {
            'Id': 'string'
        },
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}

        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ],
            'ExpressionName': 'string'
        },
        'LFTagExpression': {
            'CatalogId': 'string',
            'Name': 'string'
        }
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ],
    PermissionsWithGrantOption=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_LF_TAG'|'ASSOCIATE'|'GRANT_WITH_LF_TAG_EXPRESSION'|'CREATE_LF_TAG_EXPRESSION'|'CREATE_CATALOG'|'SUPER_USER',
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

[REQUIRED]

The principal to be revoked permissions on the resource.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

The resource to which permissions are to be revoked.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • Id (string) --

      An identifier for the catalog resource.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) --

      A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          The maximum number of values that can be defined for a LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.

          • (string) --

    • ExpressionName (string) --

      If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided ExpressionName.

  • LFTagExpression (dict) --

    LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID.

    • Name (string) -- [REQUIRED]

      The name of the LF-Tag expression to grant permissions on.

type Permissions:

list

param Permissions:

[REQUIRED]

The permissions revoked to the principal on the resource. For information about permissions, see Security and Access Control to Metadata and Data.

  • (string) --

type PermissionsWithGrantOption:

list

param PermissionsWithGrantOption:

Indicates a list of permissions for which to revoke the grant option allowing the principal to pass permissions to other principals.

  • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --