AWS Lake Formation

2022/03/22 - AWS Lake Formation - 10 updated api methods

Changes: The release fixes the incorrect permissions called out in the documentation (DESCRIBE_TAG, ASSOCIATE_TAG, DELETE_TAG, ALTER_TAG). This trebuchet release fixes the corresponding SDK and documentation.

BatchGrantPermissions (updated)
Changes (request, response)
Request
{'Entries': {'Permissions': {'ASSOCIATE'},
             'PermissionsWithGrantOption': {'ASSOCIATE'}}}
Response
{'Failures': {'RequestEntry': {'Permissions': {'ASSOCIATE'},
                               'PermissionsWithGrantOption': {'ASSOCIATE'}}}}

Batch operation to grant permissions to the principal.

See also: AWS API Documentation

Request Syntax

client.batch_grant_permissions(
    CatalogId='string',
    Entries=[
        {
            'Id': 'string',
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {},
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ]
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Entries:

list

param Entries:

[REQUIRED]

A list of up to 20 entries for resource permissions to be granted by batch operation to the principal.

  • (dict) --

    A permission to a resource granted by batch operation to the principal.

    • Id (string) -- [REQUIRED]

      A unique identifier for the batch permissions request entry.

    • Principal (dict) --

      The principal to be granted a permission.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

    • Resource (dict) --

      The resource to which the principal is to be granted a permission.

      • Catalog (dict) --

        The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

      • Database (dict) --

        The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • Name (string) -- [REQUIRED]

          The name of the database resource. Unique to the Data Catalog.

      • Table (dict) --

        The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) --

          The name of the table.

        • TableWildcard (dict) --

          A wildcard object representing every table under a database.

          At least one of TableResource$Name or TableResource$TableWildcard is required.

      • TableWithColumns (dict) --

        The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) -- [REQUIRED]

          The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • ColumnNames (list) --

          The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

          • (string) --

        • ColumnWildcard (dict) --

          A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

          • ExcludedColumnNames (list) --

            Excludes column names. Any column with this name will be excluded.

            • (string) --

      • DataLocation (dict) --

        The location of an Amazon S3 path where permissions are granted or revoked.

        • CatalogId (string) --

          The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

        • ResourceArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

      • DataCellsFilter (dict) --

        A data cell filter.

        • TableCatalogId (string) --

          The ID of the catalog to which the table belongs.

        • DatabaseName (string) --

          A database in the Glue Data Catalog.

        • TableName (string) --

          The name of the table.

        • Name (string) --

          The name of the data cells filter.

      • LFTag (dict) --

        The LF-tag key and values attached to a resource.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

      • LFTagPolicy (dict) --

        A list of LF-tag conditions that define a resource's LF-tag policy.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • ResourceType (string) -- [REQUIRED]

          The resource type for which the LF-tag policy applies.

        • Expression (list) -- [REQUIRED]

          A list of LF-tag conditions that apply to the resource's LF-tag policy.

          • (dict) --

            A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

            • TagKey (string) -- [REQUIRED]

              The key-name for the LF-tag.

            • TagValues (list) -- [REQUIRED]

              A list of possible values an attribute can take.

              • (string) --

    • Permissions (list) --

      The permissions to be granted.

      • (string) --

    • PermissionsWithGrantOption (list) --

      The permissions granted with the grant option, that is, permissions the principal may in turn grant to other principals.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'RequestEntry': {
                'Id': 'string',
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Resource': {
                    'Catalog': {},
                    'Database': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    },
                    'Table': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'TableWildcard': {}
                    },
                    'TableWithColumns': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'ColumnNames': [
                            'string',
                        ],
                        'ColumnWildcard': {
                            'ExcludedColumnNames': [
                                'string',
                            ]
                        }
                    },
                    'DataLocation': {
                        'CatalogId': 'string',
                        'ResourceArn': 'string'
                    },
                    'DataCellsFilter': {
                        'TableCatalogId': 'string',
                        'DatabaseName': 'string',
                        'TableName': 'string',
                        'Name': 'string'
                    },
                    'LFTag': {
                        'CatalogId': 'string',
                        'TagKey': 'string',
                        'TagValues': [
                            'string',
                        ]
                    },
                    'LFTagPolicy': {
                        'CatalogId': 'string',
                        'ResourceType': 'DATABASE'|'TABLE',
                        'Expression': [
                            {
                                'TagKey': 'string',
                                'TagValues': [
                                    'string',
                                ]
                            },
                        ]
                    }
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ],
                'PermissionsWithGrantOption': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to grant permissions to the resources.

      • (dict) --

        A single failed entry from a batch grant or batch revoke operation.

        • RequestEntry (dict) --

          The request entry that failed, echoed back so it can be matched to the request by its Id.

          • Id (string) --

            A unique identifier for the batch permissions request entry.

          • Principal (dict) --

            The principal to be granted a permission.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Resource (dict) --

            The resource to which the principal is to be granted a permission.

            • Catalog (dict) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • Database (dict) --

              The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • Name (string) --

                The name of the database resource. Unique to the Data Catalog.

            • Table (dict) --

              The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table.

              • TableWildcard (dict) --

                A wildcard object representing every table under a database.

                At least one of TableResource$Name or TableResource$TableWildcard is required.

            • TableWithColumns (dict) --

              The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • ColumnNames (list) --

                The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

                • (string) --

              • ColumnWildcard (dict) --

                A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

                • ExcludedColumnNames (list) --

                  Excludes column names. Any column with this name will be excluded.

                  • (string) --

            • DataLocation (dict) --

              The location of an Amazon S3 path where permissions are granted or revoked.

              • CatalogId (string) --

                The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

              • ResourceArn (string) --

                The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

            • DataCellsFilter (dict) --

              A data cell filter.

              • TableCatalogId (string) --

                The ID of the catalog to which the table belongs.

              • DatabaseName (string) --

                A database in the Glue Data Catalog.

              • TableName (string) --

                The name of the table.

              • Name (string) --

                The name of the data cells filter.

            • LFTag (dict) --

              The LF-tag key and values attached to a resource.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • TagKey (string) --

                The key-name for the LF-tag.

              • TagValues (list) --

                A list of possible values an attribute can take.

                • (string) --

            • LFTagPolicy (dict) --

              A list of LF-tag conditions that define a resource's LF-tag policy.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • ResourceType (string) --

                The resource type for which the LF-tag policy applies.

              • Expression (list) --

                A list of LF-tag conditions that apply to the resource's LF-tag policy.

                • (dict) --

                  A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                  • TagKey (string) --

                    The key-name for the LF-tag.

                  • TagValues (list) --

                    A list of possible values an attribute can take.

                    • (string) --

          • Permissions (list) --

            The permissions to be granted.

            • (string) --

          • PermissionsWithGrantOption (list) --

            The permissions granted with the grant option, that is, permissions the principal may in turn grant to other principals.

            • (string) --

        • Error (dict) --

          An error message that applies to the failure of the entry.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.
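As an added example (not code from the boto3 changelog or from AWS), the following Python shows how a practitioner would drive batch_grant_permissions and batch_revoke_permissions with the entry shape documented above: a least-privilege gate before anything is sent, chunking to the documented limit of 20 entries per call, per-entry failure handling from the Failures list, and a rollback that revokes the entries that succeeded when a batch partially fails. It also grants ASSOCIATE on an LFTag resource, the value this release adds to the permission enum. The client is a constructed in-memory stand-in that exposes the same two method names and request/response shapes so the example runs offline; pass boto3.client('lakeformation') in its place for real use. The principal ARNs, database, table and LF-tag names, the least-privilege rules, and the stand-in's rejection rule and error code are all assumptions made up for the example.

```python
import json
import uuid

MAX_ENTRIES_PER_BATCH = 20  # documented cap on Entries per Batch*Permissions call


def make_entry(principal, resource, permissions, grant_option=()):
    """One BatchPermissionsRequestEntry as documented above; resource is one Resource sub-structure."""
    return {
        "Id": uuid.uuid4().hex,  # must be unique within the batch
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": resource,
        "Permissions": sorted(set(permissions)),
        "PermissionsWithGrantOption": sorted(set(grant_option)),
    }


def check_least_privilege(entries, allow_all=False, allow_grant_option=False):
    """Policy violations to catch before anything is sent. The rules are this
    example's own, not Lake Formation's: ALL and any grant option need an
    explicit opt-in from the caller."""
    problems = []
    for e in entries:
        if "ALL" in e["Permissions"] and not allow_all:
            problems.append(f"{e['Id']}: ALL requires allow_all=True")
        if e["PermissionsWithGrantOption"] and not allow_grant_option:
            problems.append(f"{e['Id']}: grant option requires allow_grant_option=True")
    return problems


def call_in_batches(method, entries):
    """Send at most 20 entries per call; return {failed Id: (ErrorCode, ErrorMessage)}."""
    failures = {}
    for i in range(0, len(entries), MAX_ENTRIES_PER_BATCH):
        for f in method(Entries=entries[i:i + MAX_ENTRIES_PER_BATCH]).get("Failures", []):
            failures[f["RequestEntry"]["Id"]] = (f["Error"]["ErrorCode"], f["Error"]["ErrorMessage"])
    return failures


def grant_all_or_nothing(client, entries, **policy):
    """Entries succeed or fail individually (the response is a per-entry Failures
    list), so a batch can leave access half-applied. On any failure, revoke the
    entries that did succeed and hand the failures back to the caller."""
    problems = check_least_privilege(entries, **policy)
    if problems:
        raise ValueError("; ".join(problems))
    failures = call_in_batches(client.batch_grant_permissions, entries)
    succeeded = [e for e in entries if e["Id"] not in failures]
    if failures and succeeded:
        call_in_batches(client.batch_revoke_permissions, succeeded)
    return failures


class FakeLakeFormation:
    """Constructed stand-in for boto3.client('lakeformation'): grants live in memory and
    any principal that is not an IAM ARN is rejected (rule and error code invented here)."""

    def __init__(self):
        self.grants = {}  # (principal, resource as JSON) -> set of permissions

    def _apply(self, entries, revoke):
        assert len(entries) <= MAX_ENTRIES_PER_BATCH, "service cap is 20 entries per call"
        failures = []
        for e in entries:
            principal = e["Principal"]["DataLakePrincipalIdentifier"]
            if not principal.startswith("arn:aws:iam::"):
                failures.append({"RequestEntry": e, "Error": {
                    "ErrorCode": "InvalidInputException",
                    "ErrorMessage": f"{principal!r} is not an IAM principal"}})
                continue
            key = (principal, json.dumps(e["Resource"], sort_keys=True))
            held = self.grants.setdefault(key, set())
            perms = set(e["Permissions"]) | set(e["PermissionsWithGrantOption"])
            held.difference_update(perms) if revoke else held.update(perms)
        return {"Failures": failures}

    def batch_grant_permissions(self, Entries, CatalogId=None):
        return self._apply(Entries, revoke=False)

    def batch_revoke_permissions(self, Entries, CatalogId=None):
        return self._apply(Entries, revoke=True)


def demo():
    """Grant SELECT on two tables and ASSOCIATE on an LF-tag to an analyst role, with one
    deliberately bad principal to trigger the rollback. All names are constructed."""
    role = "arn:aws:iam::123456789012:role/analyst"
    table = lambda name: {"Table": {"DatabaseName": "sales", "Name": name}}
    entries = [
        make_entry(role, table("orders"), ["SELECT"]),
        make_entry(role, table("customers"), ["SELECT", "DESCRIBE"]),
        make_entry(role, {"LFTag": {"TagKey": "classification", "TagValues": ["public"]}}, ["ASSOCIATE"]),
        make_entry("not-an-arn", table("orders"), ["SELECT"]),
    ]
    client = FakeLakeFormation()
    failures = grant_all_or_nothing(client, entries)
    return failures, client.grants
```

In demo(), the three entries for the analyst role are applied and the fourth is reported in Failures; because the batch is not atomic, grant_all_or_nothing then revokes the three that went through, so the stand-in ends with every permission set empty. Against the real service the same logic applies, with the difference that the Failures list is filled by Lake Formation rather than the stand-in.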

BatchRevokePermissions (updated)
Changes (request, response)
Request
{'Entries': {'Permissions': {'ASSOCIATE'},
             'PermissionsWithGrantOption': {'ASSOCIATE'}}}
Response
{'Failures': {'RequestEntry': {'Permissions': {'ASSOCIATE'},
                               'PermissionsWithGrantOption': {'ASSOCIATE'}}}}

Batch operation to revoke permissions from the principal.

See also: AWS API Documentation

Request Syntax

client.batch_revoke_permissions(
    CatalogId='string',
    Entries=[
        {
            'Id': 'string',
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {},
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ]
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ]
        },
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Entries:

list

param Entries:

[REQUIRED]

A list of up to 20 entries for resource permissions to be revoked by batch operation to the principal.

  • (dict) --

    A permission on a resource to be revoked from the principal by the batch operation.

    • Id (string) -- [REQUIRED]

      A unique identifier for the batch permissions request entry.

    • Principal (dict) --

      The principal from which a permission is to be revoked.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

    • Resource (dict) --

      The resource on which the principal's permission is to be revoked.

      • Catalog (dict) --

        The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

      • Database (dict) --

        The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • Name (string) -- [REQUIRED]

          The name of the database resource. Unique to the Data Catalog.

      • Table (dict) --

        The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) --

          The name of the table.

        • TableWildcard (dict) --

          A wildcard object representing every table under a database.

          At least one of TableResource$Name or TableResource$TableWildcard is required.

      • TableWithColumns (dict) --

        The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, it is the account ID of the caller.

        • DatabaseName (string) -- [REQUIRED]

          The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

        • Name (string) -- [REQUIRED]

          The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

        • ColumnNames (list) --

          The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

          • (string) --

        • ColumnWildcard (dict) --

          A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

          • ExcludedColumnNames (list) --

            Excludes column names. Any column with this name will be excluded.

            • (string) --

      • DataLocation (dict) --

        The location of an Amazon S3 path where permissions are granted or revoked.

        • CatalogId (string) --

          The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

        • ResourceArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

      • DataCellsFilter (dict) --

        A data cell filter.

        • TableCatalogId (string) --

          The ID of the catalog to which the table belongs.

        • DatabaseName (string) --

          A database in the Glue Data Catalog.

        • TableName (string) --

          The name of the table.

        • Name (string) --

          The name of the data cells filter.

      • LFTag (dict) --

        The LF-tag key and values attached to a resource.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

      • LFTagPolicy (dict) --

        A list of LF-tag conditions that define a resource's LF-tag policy.

        • CatalogId (string) --

          The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

        • ResourceType (string) -- [REQUIRED]

          The resource type for which the LF-tag policy applies.

        • Expression (list) -- [REQUIRED]

          A list of LF-tag conditions that apply to the resource's LF-tag policy.

          • (dict) --

            A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

            • TagKey (string) -- [REQUIRED]

              The key-name for the LF-tag.

            • TagValues (list) -- [REQUIRED]

              A list of possible values an attribute can take.

              • (string) --

    • Permissions (list) --

      The permissions to be revoked.

      • (string) --

    • PermissionsWithGrantOption (list) --

      The grant-option permissions to be revoked, that is, permissions the principal could in turn grant to other principals.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Failures': [
        {
            'RequestEntry': {
                'Id': 'string',
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Resource': {
                    'Catalog': {},
                    'Database': {
                        'CatalogId': 'string',
                        'Name': 'string'
                    },
                    'Table': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'TableWildcard': {}
                    },
                    'TableWithColumns': {
                        'CatalogId': 'string',
                        'DatabaseName': 'string',
                        'Name': 'string',
                        'ColumnNames': [
                            'string',
                        ],
                        'ColumnWildcard': {
                            'ExcludedColumnNames': [
                                'string',
                            ]
                        }
                    },
                    'DataLocation': {
                        'CatalogId': 'string',
                        'ResourceArn': 'string'
                    },
                    'DataCellsFilter': {
                        'TableCatalogId': 'string',
                        'DatabaseName': 'string',
                        'TableName': 'string',
                        'Name': 'string'
                    },
                    'LFTag': {
                        'CatalogId': 'string',
                        'TagKey': 'string',
                        'TagValues': [
                            'string',
                        ]
                    },
                    'LFTagPolicy': {
                        'CatalogId': 'string',
                        'ResourceType': 'DATABASE'|'TABLE',
                        'Expression': [
                            {
                                'TagKey': 'string',
                                'TagValues': [
                                    'string',
                                ]
                            },
                        ]
                    }
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ],
                'PermissionsWithGrantOption': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
            'Error': {
                'ErrorCode': 'string',
                'ErrorMessage': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • Failures (list) --

      A list of failures to revoke permissions to the resources.

      • (dict) --

        A list of failures when performing a batch grant or batch revoke operation.

        • RequestEntry (dict) --

          An identifier for an entry of the batch request.

          • Id (string) --

            A unique identifier for the batch permissions request entry.

          • Principal (dict) --

            The principal to be granted a permission.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Resource (dict) --

            The resource to which the principal is to be granted a permission.

            • Catalog (dict) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • Database (dict) --

              The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • Name (string) --

                The name of the database resource. Unique to the Data Catalog.

            • Table (dict) --

              The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table.

              • TableWildcard (dict) --

                A wildcard object representing every table under a database.

                At least one of TableResource$Name or TableResource$TableWildcard is required.

            • TableWithColumns (dict) --

              The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, it is the account ID of the caller.

              • DatabaseName (string) --

                The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

              • Name (string) --

                The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

              • ColumnNames (list) --

                The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

                • (string) --

              • ColumnWildcard (dict) --

                A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

                • ExcludedColumnNames (list) --

                  Excludes column names. Any column with this name will be excluded.

                  • (string) --

            • DataLocation (dict) --

              The location of an Amazon S3 path where permissions are granted or revoked.

              • CatalogId (string) --

                The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

              • ResourceArn (string) --

                The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

            • DataCellsFilter (dict) --

              A data cell filter.

              • TableCatalogId (string) --

                The ID of the catalog to which the table belongs.

              • DatabaseName (string) --

                A database in the Glue Data Catalog.

              • TableName (string) --

                The name of the table.

              • Name (string) --

                The name of the data cells filter.

            • LFTag (dict) --

              The LF-tag key and values attached to a resource.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • TagKey (string) --

                The key-name for the LF-tag.

              • TagValues (list) --

                A list of possible values an attribute can take.

                • (string) --

            • LFTagPolicy (dict) --

              A list of LF-tag conditions that define a resource's LF-tag policy.

              • CatalogId (string) --

                The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

              • ResourceType (string) --

                The resource type for which the LF-tag policy applies.

              • Expression (list) --

                A list of LF-tag conditions that apply to the resource's LF-tag policy.

                • (dict) --

                  A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                  • TagKey (string) --

                    The key-name for the LF-tag.

                  • TagValues (list) --

                    A list of possible values an attribute can take.

                    • (string) --

          • Permissions (list) --

            The permissions to be granted.

            • (string) --

          • PermissionsWithGrantOption (list) --

            Indicates if the option to pass permissions is granted.

            • (string) --

        • Error (dict) --

          An error message that applies to the failure of the entry.

          • ErrorCode (string) --

            The code associated with this error.

          • ErrorMessage (string) --

            A message describing the error.
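
Both batch calls (BatchGrantPermissions and BatchRevokePermissions) return a successful HTTP response even when some entries failed; the Failures list above is the only signal. The following is an added example, not part of the boto3 documentation, showing how to join each failure back to the request entry that was sent so the caller knows which principal still holds which permissions. The request entries, the response and the client stub are constructed; the error code is a placeholder.

```python
"""Surface partial failures from BatchGrantPermissions / BatchRevokePermissions.

Added example, not part of the boto3 documentation. The Failures shape is the
Response Syntax above; the entries and response below are constructed samples.
"""
from typing import Dict, List, Optional

# Constructed sample request entries (the Entries argument of the batch call).
SAMPLE_ENTRIES = [
    {
        "Id": "1",
        "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/etl"},
        "Resource": {"Database": {"Name": "sales"}},
        "Permissions": ["DESCRIBE"],
        "PermissionsWithGrantOption": [],
    },
    {
        "Id": "2",
        "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/analyst"},
        "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
        "Permissions": ["SELECT", "INSERT"],
        "PermissionsWithGrantOption": ["SELECT"],
    },
]

# Constructed sample response: entry "2" failed. The error code is a placeholder.
SAMPLE_RESPONSE = {
    "Failures": [
        {
            "RequestEntry": SAMPLE_ENTRIES[1],
            "Error": {"ErrorCode": "EXAMPLE_ERROR_CODE", "ErrorMessage": "constructed failure"},
        }
    ]
}


def failed_entries(request_entries: List[dict], response: dict) -> List[dict]:
    """Return one flat record per failed entry, joined back to the original request.

    The response echoes each failed entry under RequestEntry; joining on Id against
    what was actually sent avoids trusting the echo alone.
    """
    by_id: Dict[str, dict] = {e["Id"]: e for e in request_entries}
    records = []
    for failure in response.get("Failures", []):
        echoed = failure.get("RequestEntry", {})
        entry = by_id.get(echoed.get("Id"), echoed)
        error = failure.get("Error", {})
        records.append({
            "Id": entry.get("Id"),
            "Principal": entry.get("Principal", {}).get("DataLakePrincipalIdentifier"),
            "Resource": entry.get("Resource"),
            "Permissions": list(entry.get("Permissions", [])),
            "PermissionsWithGrantOption": list(entry.get("PermissionsWithGrantOption", [])),
            "ErrorCode": error.get("ErrorCode"),
            "ErrorMessage": error.get("ErrorMessage"),
        })
    return records


class BatchFailure(Exception):
    """Raised when a batch grant/revoke did not apply every entry."""

    def __init__(self, records: List[dict]):
        super().__init__(f"{len(records)} batch entries failed")
        self.records = records


def batch_revoke_checked(client, entries: List[dict], catalog_id: Optional[str] = None) -> None:
    """Revoke in a batch and raise if any entry failed.

    A failed revoke means the principal still holds the permission, so the
    call must not be treated as having succeeded.
    """
    kwargs = {"Entries": entries}
    if catalog_id:
        kwargs["CatalogId"] = catalog_id
    response = client.batch_revoke_permissions(**kwargs)
    records = failed_entries(entries, response)
    if records:
        raise BatchFailure(records)


class StubClient:
    """Offline stand-in for a boto3 lakeformation client (constructed)."""

    def batch_revoke_permissions(self, **kwargs):
        return SAMPLE_RESPONSE


if __name__ == "__main__":
    try:
        batch_revoke_checked(StubClient(), SAMPLE_ENTRIES)
    except BatchFailure as exc:
        for rec in exc.records:
            print(f"entry {rec['Id']}: {rec['Principal']} still holds "
                  f"{rec['Permissions']} ({rec['ErrorCode']}: {rec['ErrorMessage']})")
```

With a real client (`boto3.client("lakeformation")`) the same `batch_revoke_checked` call applies; the stub only replaces the network call.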

GetDataLakeSettings (updated) Link ¶
Changes (response)
{'DataLakeSettings': {'CreateDatabaseDefaultPermissions': {'Permissions': {'ASSOCIATE'}},
                      'CreateTableDefaultPermissions': {'Permissions': {'ASSOCIATE'}}}}

Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.

See also: AWS API Documentation

Request Syntax

client.get_data_lake_settings(
    CatalogId='string'
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

rtype:

dict

returns:

Response Syntax

{
    'DataLakeSettings': {
        'DataLakeAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'CreateDatabaseDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
        ],
        'CreateTableDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
        ],
        'TrustedResourceOwners': [
            'string',
        ],
        'AllowExternalDataFiltering': True|False,
        'ExternalDataFilteringAllowList': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'AuthorizedSessionTagValueList': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • DataLakeSettings (dict) --

      A structure representing a list of Lake Formation principals designated as data lake administrators.

      • DataLakeAdmins (list) --

        A list of Lake Formation principals. Supported principals are IAM users or IAM roles.

        • (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

      • CreateDatabaseDefaultPermissions (list) --

        Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions. You can override this default setting when you create a database.

        A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

        The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

        For more information, see Changing the Default Security Settings for Your Data Lake.

        • (dict) --

          Permissions granted to a principal.

          • Principal (dict) --

            The principal who is granted permissions.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Permissions (list) --

            The permissions that are granted to the principal.

            • (string) --

      • CreateTableDefaultPermissions (list) --

        Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.

        A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

        The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

        For more information, see Changing the Default Security Settings for Your Data Lake.

        • (dict) --

          Permissions granted to a principal.

          • Principal (dict) --

            The principal who is granted permissions.

            • DataLakePrincipalIdentifier (string) --

              An identifier for the Lake Formation principal.

          • Permissions (list) --

            The permissions that are granted to the principal.

            • (string) --

      • TrustedResourceOwners (list) --

        A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log.

        You may want to specify this property when you are in a high-trust boundary, such as the same team or company.

        • (string) --

      • AllowExternalDataFiltering (boolean) --

        Whether to allow Amazon EMR clusters to access data managed by Lake Formation.

        If true, you allow Amazon EMR clusters to access data in Amazon S3 locations that are registered with Lake Formation.

        If false or null, no Amazon EMR clusters will be able to access data in Amazon S3 locations that are registered with Lake Formation.

        For more information, see (Optional) Allow Data Filtering on Amazon EMR.

      • ExternalDataFilteringAllowList (list) --

        A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.

        • (dict) --

          The Lake Formation principal. Supported principals are IAM users or IAM roles.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

      • AuthorizedSessionTagValueList (list) --

        Lake Formation relies on a privileged process secured by Amazon EMR or the third-party integrator to tag the user's role while assuming it. Lake Formation will publish the acceptable key-value pair, for example key = "LakeFormationTrustedCaller" and value = "TRUE", and the third-party integrator must properly tag the temporary security credentials that will be used to call Lake Formation's administrative APIs.

        • (string) --
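
The settings above decide whether a new database or table starts out under Lake Formation permissions or under the "Use only IAM access control" compatibility mode, and whether EMR clusters can read registered locations. The following is an added example, not part of the boto3 documentation, that fetches the settings and reports the values a reviewer would want to see; the field names and `IAM_ALLOWED_PRINCIPALS` come from the Response Structure above, while the sample settings and the client stub are constructed.

```python
"""Review the account defaults returned by GetDataLakeSettings.

Added example, not part of the boto3 documentation. Field names and
IAM_ALLOWED_PRINCIPALS are taken from the Response Structure above; the
settings dict and client stub below are constructed so the check runs offline.
"""
from typing import List, Optional

IAM_ALLOWED_PRINCIPALS = "IAM_ALLOWED_PRINCIPALS"


def grants_all_to_iam_allowed_principals(default_permissions) -> bool:
    """True when the default-permissions array is the 'Use only IAM access control' form.

    Per the documentation the array is either empty (Lake Formation permissions)
    or a single object granting ALL to IAM_ALLOWED_PRINCIPALS (IAM-only control).
    """
    for grant in default_permissions or []:
        principal = grant.get("Principal", {}).get("DataLakePrincipalIdentifier")
        if principal == IAM_ALLOWED_PRINCIPALS and "ALL" in grant.get("Permissions", []):
            return True
    return False


def audit_data_lake_settings(settings: dict) -> List[str]:
    """Return one finding per setting that a reviewer should confirm is intended."""
    findings = []
    if grants_all_to_iam_allowed_principals(settings.get("CreateDatabaseDefaultPermissions")):
        findings.append("CreateDatabaseDefaultPermissions: new databases use IAM-only access control")
    if grants_all_to_iam_allowed_principals(settings.get("CreateTableDefaultPermissions")):
        findings.append("CreateTableDefaultPermissions: new tables use IAM-only access control")
    if settings.get("AllowExternalDataFiltering"):
        allowed = [p["DataLakePrincipalIdentifier"]
                   for p in settings.get("ExternalDataFilteringAllowList", [])]
        findings.append(f"AllowExternalDataFiltering: enabled for accounts {allowed}")
    owners = settings.get("TrustedResourceOwners", [])
    if owners:
        findings.append(f"TrustedResourceOwners: caller user ARNs may be logged by {owners}")
    admins = [a["DataLakePrincipalIdentifier"] for a in settings.get("DataLakeAdmins", [])]
    if not admins:
        findings.append("DataLakeAdmins: no data lake administrator is configured")
    return findings


def audit_account(client, catalog_id: Optional[str] = None) -> List[str]:
    """Fetch the settings through a boto3 lakeformation client and audit them."""
    kwargs = {"CatalogId": catalog_id} if catalog_id else {}
    response = client.get_data_lake_settings(**kwargs)
    return audit_data_lake_settings(response["DataLakeSettings"])


# Constructed sample: database defaults still on IAM-only control, EMR filtering on.
SAMPLE_SETTINGS = {
    "DataLakeAdmins": [{"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/lf-admin"}],
    "CreateDatabaseDefaultPermissions": [
        {"Principal": {"DataLakePrincipalIdentifier": IAM_ALLOWED_PRINCIPALS}, "Permissions": ["ALL"]}
    ],
    "CreateTableDefaultPermissions": [],
    "TrustedResourceOwners": [],
    "AllowExternalDataFiltering": True,
    "ExternalDataFilteringAllowList": [{"DataLakePrincipalIdentifier": "123456789012"}],
    "AuthorizedSessionTagValueList": ["TRUE"],
}


class StubClient:
    """Offline stand-in for a boto3 lakeformation client (constructed)."""

    def get_data_lake_settings(self, **kwargs):
        return {"DataLakeSettings": SAMPLE_SETTINGS}


if __name__ == "__main__":
    for finding in audit_account(StubClient()):
        print(finding)
```

The check reads only; changing any of these settings is done with PutDataLakeSettings, which this page does not cover.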

GetEffectivePermissionsForPath (updated) Link ¶
Changes (response)
{'Permissions': {'Permissions': {'ASSOCIATE'},
                 'PermissionsWithGrantOption': {'ASSOCIATE'}}}

Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3. GetEffectivePermissionsForPath will not return databases and tables if the catalog is encrypted.

See also: AWS API Documentation

Request Syntax

client.get_effective_permissions_for_path(
    CatalogId='string',
    ResourceArn='string',
    NextToken='string',
    MaxResults=123
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the resource for which you want to get permissions.

type NextToken:

string

param NextToken:

A continuation token, if this is not the first call to retrieve this list.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

rtype:

dict

returns:

Response Syntax

{
    'Permissions': [
        {
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {},
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ]
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'AdditionalDetails': {
                'ResourceShare': [
                    'string',
                ]
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Permissions (list) --

      A list of the permissions for the specified table or database resource located at the path in Amazon S3.

      • (dict) --

        The permissions granted or revoked on a resource.

        • Principal (dict) --

          The Data Lake principal to be granted or revoked permissions.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

        • Resource (dict) --

          The resource where permissions are to be granted or revoked.

          • Catalog (dict) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

          • Database (dict) --

            The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • Name (string) --

              The name of the database resource. Unique to the Data Catalog.

          • Table (dict) --

            The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table.

            • TableWildcard (dict) --

              A wildcard object representing every table under a database.

              At least one of TableResource$Name or TableResource$TableWildcard is required.

          • TableWithColumns (dict) --

            The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • ColumnNames (list) --

              The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

              • (string) --

            • ColumnWildcard (dict) --

              A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

              • ExcludedColumnNames (list) --

                Excludes column names. Any column with this name will be excluded.

                • (string) --

          • DataLocation (dict) --

            The location of an Amazon S3 path where permissions are granted or revoked.

            • CatalogId (string) --

              The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

            • ResourceArn (string) --

              The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

          • DataCellsFilter (dict) --

            A data cell filter.

            • TableCatalogId (string) --

              The ID of the catalog to which the table belongs.

            • DatabaseName (string) --

              A database in the Glue Data Catalog.

            • TableName (string) --

              The name of the table.

            • Name (string) --

              The name of the data cells filter.

          • LFTag (dict) --

            The LF-tag key and values attached to a resource.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

          • LFTagPolicy (dict) --

            A list of LF-tag conditions that define a resource's LF-tag policy.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • ResourceType (string) --

              The resource type for which the LF-tag policy applies.

            • Expression (list) --

              A list of LF-tag conditions that apply to the resource's LF-tag policy.

              • (dict) --

                A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                • TagKey (string) --

                  The key-name for the LF-tag.

                • TagValues (list) --

                  A list of possible values an attribute can take.

                  • (string) --

        • Permissions (list) --

          The permissions to be granted or revoked on the resource.

          • (string) --

        • PermissionsWithGrantOption (list) --

          Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).

          • (string) --

        • AdditionalDetails (dict) --

          This attribute can be used to return any additional details of PrincipalResourcePermissions. Currently returns only as a RAM resource share ARN.

          • ResourceShare (list) --

            A resource share ARN for a catalog resource shared through RAM.

            • (string) --

    • NextToken (string) --

      A continuation token, if this is not the first call to retrieve this list.
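
Because the result is paginated through NextToken, a single call can silently miss principals. The following is an added example, not part of the boto3 documentation, that follows every page of GetEffectivePermissionsForPath and reports the entries a reviewer would look at first: grants of ALL, grants carrying the grant option, and permissions that arrive through a RAM resource share. The two-page client stub, the principals and the ARNs are constructed. Note the caveat in the description above: for an encrypted catalog the call returns no databases or tables, so an empty result is not evidence that nothing is granted.

```python
"""Walk every page of GetEffectivePermissionsForPath and flag broad grants.

Added example, not part of the boto3 documentation. Pagination follows the
NextToken/MaxResults fields documented above; the two-page client stub and
its permission entries are constructed so the code runs offline.
"""
from typing import Iterator, List, Optional


def iter_effective_permissions(client, resource_arn: str, catalog_id: Optional[str] = None,
                               max_results: int = 100) -> Iterator[dict]:
    """Yield every PrincipalResourcePermissions entry, following NextToken to the end."""
    kwargs = {"ResourceArn": resource_arn, "MaxResults": max_results}
    if catalog_id:
        kwargs["CatalogId"] = catalog_id
    while True:
        response = client.get_effective_permissions_for_path(**kwargs)
        for entry in response.get("Permissions", []):
            yield entry
        token = response.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def describe_resource(resource: dict) -> str:
    """Short label for whichever member of the Resource union is set."""
    for kind in ("Catalog", "Database", "Table", "TableWithColumns", "DataLocation",
                 "DataCellsFilter", "LFTag", "LFTagPolicy"):
        if kind in resource:
            r = resource[kind]
            name = r.get("Name") or r.get("ResourceArn") or r.get("TagKey") or ""
            return f"{kind} {name}".strip()
    return "unknown resource"


def review_permissions(entries) -> List[str]:
    """One finding per entry that grants ALL, carries grant option, or arrives via RAM share."""
    findings = []
    for e in entries:
        principal = e["Principal"]["DataLakePrincipalIdentifier"]
        target = describe_resource(e["Resource"])
        grant_opt = e.get("PermissionsWithGrantOption", [])
        shares = e.get("AdditionalDetails", {}).get("ResourceShare", [])
        if "ALL" in e.get("Permissions", []):
            findings.append(f"{principal}: ALL on {target}")
        if grant_opt:
            findings.append(f"{principal}: can re-grant {grant_opt} on {target}")
        if shares:
            findings.append(f"{principal}: permission comes via RAM share {shares}")
    return findings


class StubClient:
    """Offline two-page stand-in for a boto3 lakeformation client (constructed)."""

    PAGES = {
        None: {
            "Permissions": [
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/etl"},
                 "Resource": {"Database": {"CatalogId": "123456789012", "Name": "sales"}},
                 "Permissions": ["ALL"], "PermissionsWithGrantOption": []},
            ],
            "NextToken": "page-2",
        },
        "page-2": {
            "Permissions": [
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/analyst"},
                 "Resource": {"Table": {"CatalogId": "123456789012", "DatabaseName": "sales", "Name": "orders"}},
                 "Permissions": ["SELECT"], "PermissionsWithGrantOption": ["SELECT"]},
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::210987654321:role/partner"},
                 "Resource": {"DataLocation": {"CatalogId": "123456789012",
                                               "ResourceArn": "arn:aws:s3:::example-bucket/sales/"}},
                 "Permissions": ["DATA_LOCATION_ACCESS"], "PermissionsWithGrantOption": [],
                 "AdditionalDetails": {"ResourceShare": ["arn:aws:ram:us-east-1:123456789012:resource-share/EXAMPLE-SHARE-ID"]}},
            ],
        },
    }

    def get_effective_permissions_for_path(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    entries = list(iter_effective_permissions(StubClient(), "arn:aws:s3:::example-bucket/sales/"))
    for finding in review_permissions(entries):
        print(finding)
```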

GetTemporaryGluePartitionCredentials (updated) Link ¶
Changes (request)
{'Permissions': {'ASSOCIATE'}}

This API is identical to GetTemporaryTableCredentials except that this is used when the target Data Catalog resource is of type Partition. Lake Formation restricts the permission of the vended credentials with the same scope down policy which restricts access to a single Amazon S3 prefix.

See also: AWS API Documentation

Request Syntax

client.get_temporary_glue_partition_credentials(
    TableArn='string',
    Partition={
        'Values': [
            'string',
        ]
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ],
    DurationSeconds=123,
    AuditContext={
        'AdditionalAuditContext': 'string'
    },
    SupportedPermissionTypes=[
        'COLUMN_PERMISSION'|'CELL_FILTER_PERMISSION',
    ]
)
type TableArn:

string

param TableArn:

[REQUIRED]

The ARN of the partitions' table.

type Partition:

dict

param Partition:

[REQUIRED]

A list of partition values identifying a single partition.

  • Values (list) -- [REQUIRED]

    The list of partition values.

    • (string) --

type Permissions:

list

param Permissions:

Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).

  • (string) --

type DurationSeconds:

integer

param DurationSeconds:

The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.

type AuditContext:

dict

param AuditContext:

A structure representing context to access a resource (column names, query ID, etc).

  • AdditionalAuditContext (string) --

    The filter engine can populate the 'AdditionalAuditContext' information with the request ID for you to track. This information will be displayed in the CloudTrail log in your account.

type SupportedPermissionTypes:

list

param SupportedPermissionTypes:

[REQUIRED]

A list of supported permission types for the partition. Valid values are COLUMN_PERMISSION and CELL_FILTER_PERMISSION.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'AccessKeyId': 'string',
    'SecretAccessKey': 'string',
    'SessionToken': 'string',
    'Expiration': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • AccessKeyId (string) --

      The access key ID for the temporary credentials.

    • SecretAccessKey (string) --

      The secret key for the temporary credentials.

    • SessionToken (string) --

      The session token for the temporary credentials.

    • Expiration (datetime) --

      The date and time when the temporary credentials expire.

GetTemporaryGlueTableCredentials (updated) Link ¶
Changes (request)
{'Permissions': {'ASSOCIATE'}}

Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix.

See also: AWS API Documentation

Request Syntax

client.get_temporary_glue_table_credentials(
    TableArn='string',
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ],
    DurationSeconds=123,
    AuditContext={
        'AdditionalAuditContext': 'string'
    },
    SupportedPermissionTypes=[
        'COLUMN_PERMISSION'|'CELL_FILTER_PERMISSION',
    ]
)
type TableArn:

string

param TableArn:

[REQUIRED]

The ARN identifying a table in the Data Catalog for the temporary credentials request.

type Permissions:

list

param Permissions:

Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).

  • (string) --

type DurationSeconds:

integer

param DurationSeconds:

The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.

type AuditContext:

dict

param AuditContext:

A structure representing context to access a resource (column names, query ID, etc).

  • AdditionalAuditContext (string) --

    The filter engine can populate the 'AdditionalAuditContext' information with the request ID for you to track. This information will be displayed in the CloudTrail log in your account.

type SupportedPermissionTypes:

list

param SupportedPermissionTypes:

[REQUIRED]

A list of supported permission types for the table. Valid values are COLUMN_PERMISSION and CELL_FILTER_PERMISSION.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'AccessKeyId': 'string',
    'SecretAccessKey': 'string',
    'SessionToken': 'string',
    'Expiration': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • AccessKeyId (string) --

      The access key ID for the temporary credentials.

    • SecretAccessKey (string) --

      The secret key for the temporary credentials.

    • SessionToken (string) --

      The session token for the temporary credentials.

    • Expiration (datetime) --

      The date and time when the temporary credentials expire.
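
GetTemporaryGluePartitionCredentials and GetTemporaryGlueTableCredentials differ only in the Partition argument, and both return short-lived keys whose lifetime is bounded by DurationSeconds. The following is an added example, not part of the boto3 documentation, that wraps the two calls behind one function, rejects a DurationSeconds outside the documented 900 to 21,600 second window before the request is sent, passes an AdditionalAuditContext so the vend can be traced in CloudTrail, and maps the response onto the keyword arguments a `boto3.Session` accepts. The client stub and the credential values it returns are constructed placeholders.

```python
"""Request scoped temporary credentials for a table or one of its partitions.

Added example, not part of the boto3 documentation. The parameters are the
ones documented above for GetTemporaryGlueTableCredentials and
GetTemporaryGluePartitionCredentials; the client stub and the credential
values it returns are constructed so the code runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Sequence

MIN_DURATION_SECONDS = 900      # documented lower bound
MAX_DURATION_SECONDS = 21_600   # documented upper bound


def validate_duration(seconds: int) -> int:
    """Reject a DurationSeconds outside the documented window before calling the API."""
    if not MIN_DURATION_SECONDS <= seconds <= MAX_DURATION_SECONDS:
        raise ValueError(f"DurationSeconds must be between {MIN_DURATION_SECONDS} "
                         f"and {MAX_DURATION_SECONDS}, got {seconds}")
    return seconds


def get_scoped_credentials(client, table_arn: str, permissions: Sequence[str],
                           supported_permission_types: Sequence[str],
                           duration_seconds: int = MIN_DURATION_SECONDS,
                           partition_values: Optional[Sequence[str]] = None,
                           audit_context: Optional[str] = None) -> dict:
    """Call the table or partition variant depending on whether partition values are given.

    Ask only for the permissions the job needs and the shortest lifetime it can work
    with; AdditionalAuditContext is surfaced in CloudTrail for tracing the vend.
    """
    kwargs = {
        "TableArn": table_arn,
        "Permissions": list(permissions),
        "DurationSeconds": validate_duration(duration_seconds),
        "SupportedPermissionTypes": list(supported_permission_types),
    }
    if audit_context:
        kwargs["AuditContext"] = {"AdditionalAuditContext": audit_context}
    if partition_values is None:
        return client.get_temporary_glue_table_credentials(**kwargs)
    kwargs["Partition"] = {"Values": list(partition_values)}
    return client.get_temporary_glue_partition_credentials(**kwargs)


def session_kwargs(credentials: dict) -> dict:
    """Map the response fields onto boto3.Session keyword arguments."""
    return {
        "aws_access_key_id": credentials["AccessKeyId"],
        "aws_secret_access_key": credentials["SecretAccessKey"],
        "aws_session_token": credentials["SessionToken"],
    }


def seconds_until_expiry(credentials: dict, now: Optional[datetime] = None) -> float:
    """Seconds left before Expiration; negative means the credentials are already stale."""
    now = now or datetime.now(timezone.utc)
    return (credentials["Expiration"] - now).total_seconds()


class StubClient:
    """Offline stand-in for a boto3 lakeformation client (constructed values)."""

    def __init__(self):
        self.calls = []  # (api, kwargs) pairs, so callers can see what was sent

    def _vend(self, api: str, kwargs: dict) -> dict:
        self.calls.append((api, kwargs))
        return {
            "AccessKeyId": "ASIAEXAMPLEKEYID",        # constructed placeholder
            "SecretAccessKey": "example-secret-key",  # constructed placeholder
            "SessionToken": "example-session-token",  # constructed placeholder
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"]),
        }

    def get_temporary_glue_table_credentials(self, **kwargs):
        return self._vend("table", kwargs)

    def get_temporary_glue_partition_credentials(self, **kwargs):
        return self._vend("partition", kwargs)


if __name__ == "__main__":
    client = StubClient()  # replace with boto3.client("lakeformation") for a real call
    creds = get_scoped_credentials(client, "arn:aws:glue:us-east-1:123456789012:table/sales/orders",
                                   permissions=["SELECT"], supported_permission_types=["COLUMN_PERMISSION"],
                                   partition_values=["2022-03-22"], audit_context="report-job-42")
    print(f"expires in {seconds_until_expiry(creds):.0f}s; session kwargs: {sorted(session_kwargs(creds))}")
```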

GrantPermissions (updated) Link ¶
Changes (request)
{'Permissions': {'ASSOCIATE'}, 'PermissionsWithGrantOption': {'ASSOCIATE'}}

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

For information about permissions, see Security and Access Control to Metadata and Data.

See also: AWS API Documentation

Request Syntax

client.grant_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {},
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}
        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ]
        }
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ],
    PermissionsWithGrantOption=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

[REQUIRED]

The principal to be granted the permissions on the resource. Supported principals are IAM users or IAM roles, and they are defined by their principal type and their ARN.

Note that if you define a resource with a particular ARN, then later delete, and recreate a resource with that same ARN, the resource maintains the permissions already granted.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

The resource to which permissions are to be granted. Resources in Lake Formation are the Data Catalog, databases, and tables.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Column names to exclude. Any column whose name appears in this list is excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) -- [REQUIRED]

      A list of LF-tag conditions that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

type Permissions:

list

param Permissions:

[REQUIRED]

The permissions granted to the principal on the resource. Lake Formation defines privileges to grant and revoke access to metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Lake Formation requires that each principal be authorized to perform a specific task on Lake Formation resources.

  • (string) --

type PermissionsWithGrantOption:

list

param PermissionsWithGrantOption:

A list of the granted permissions that the principal may pass on to other principals. These may only be a subset of the permissions listed in Permissions.

  • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --
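Pre-flight checks for a grant_permissions call, added here as an example and not part of the botocore reference above: it enforces the constraints the parameter descriptions state (the permission enum, PermissionsWithGrantOption as a subset of Permissions, Name or TableWildcard on a Table, ColumnNames or ColumnWildcard on TableWithColumns) and flags the broad grants a reviewer would want to look at. The principal ARN, database and table names are constructed sample values.

```python
# Added example, not part of the botocore reference: pre-flight checks for a
# grant_permissions call, enforcing the constraints the parameter descriptions
# state. The principal ARN, database and table names are constructed samples.

# Permission values from the Permissions enum in the request syntax.
LF_PERMISSIONS = frozenset({
    "ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE",
    "CREATE_DATABASE", "CREATE_TABLE", "DATA_LOCATION_ACCESS", "CREATE_TAG",
    "ASSOCIATE",
})

# Resource kinds accepted by the Resource parameter.
RESOURCE_KEYS = frozenset({
    "Catalog", "Database", "Table", "TableWithColumns", "DataLocation",
    "DataCellsFilter", "LFTag", "LFTagPolicy",
})


def validate_grant_request(req):
    """Return a list of problems with a grant_permissions kwargs dict
    (an empty list means the request satisfies the documented constraints)."""
    problems = []
    principal = req.get("Principal", {}).get("DataLakePrincipalIdentifier")
    if not principal:
        problems.append("Principal.DataLakePrincipalIdentifier is required")

    resource = req.get("Resource") or {}
    if not resource:
        problems.append("Resource is required")
    for key in sorted(set(resource) - RESOURCE_KEYS):
        problems.append(f"unknown resource kind {key!r}")
    table = resource.get("Table")
    if table is not None and not ({"Name", "TableWildcard"} & set(table)):
        problems.append("Table needs Name or TableWildcard")
    twc = resource.get("TableWithColumns")
    if twc is not None and not ({"ColumnNames", "ColumnWildcard"} & set(twc)):
        problems.append("TableWithColumns needs ColumnNames or ColumnWildcard")

    perms = req.get("Permissions") or []
    grant_opt = req.get("PermissionsWithGrantOption") or []
    if not perms:
        problems.append("Permissions is required and must not be empty")
    for value in sorted(set(perms) | set(grant_opt)):
        if value not in LF_PERMISSIONS:
            problems.append(f"unknown permission {value!r}")
    # PermissionsWithGrantOption may only be a subset of Permissions.
    extra = set(grant_opt) - set(perms)
    if extra:
        problems.append(f"grant option on permissions not granted: {sorted(extra)}")
    return problems


def grant_risk_flags(req):
    """Flag the broad grants a reviewer would want to look at twice."""
    flags = []
    resource = req.get("Resource") or {}
    if "ALL" in set(req.get("Permissions") or []):
        flags.append("grants ALL")
    if req.get("PermissionsWithGrantOption"):
        flags.append("principal may re-grant (grant option)")
    if "Catalog" in resource:
        flags.append("catalog-level grant")
    if "TableWildcard" in (resource.get("Table") or {}):
        flags.append("applies to every table in the database")
    return flags


def build_grant_request(principal_arn, resource, permissions, grant_option=(),
                        catalog_id=None):
    """Assemble and validate kwargs for client.grant_permissions; raises
    ValueError instead of letting a malformed request reach the service."""
    req = {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": resource,
        "Permissions": list(dict.fromkeys(permissions)),  # de-duplicate, keep order
    }
    if grant_option:
        req["PermissionsWithGrantOption"] = list(dict.fromkeys(grant_option))
    if catalog_id:
        req["CatalogId"] = catalog_id
    problems = validate_grant_request(req)
    if problems:
        raise ValueError("; ".join(problems))
    return req


if __name__ == "__main__":
    # Constructed sample: read-only access to one table, no grant option.
    req = build_grant_request(
        "arn:aws:iam::123456789012:role/analyst",
        {"Table": {"DatabaseName": "sales", "Name": "orders"}},
        ["SELECT", "DESCRIBE"],
    )
    print(req, grant_risk_flags(req))
    # In a live session: boto3.client("lakeformation").grant_permissions(**req)
```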

ListPermissions (updated) Link
Changes (response)
{'PrincipalResourcePermissions': {'Permissions': {'ASSOCIATE'},
                                  'PermissionsWithGrantOption': {'ASSOCIATE'}}}

Returns a list of the principal permissions on the resource, filtered by the permissions of the caller. For example, if you are granted an ALTER permission, you are able to see only the principal permissions for ALTER.

This operation returns only those permissions that have been explicitly granted.

For information about permissions, see Security and Access Control to Metadata and Data.

See also: AWS API Documentation

Request Syntax

client.list_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    ResourceType='CATALOG'|'DATABASE'|'TABLE'|'DATA_LOCATION'|'LF_TAG'|'LF_TAG_POLICY'|'LF_TAG_POLICY_DATABASE'|'LF_TAG_POLICY_TABLE',
    Resource={
        'Catalog': {},
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}
        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ]
        }
    },
    NextToken='string',
    MaxResults=123,
    IncludeRelated='string'
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

Specifies a principal to filter the permissions returned.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type ResourceType:

string

param ResourceType:

Specifies a resource type to filter the permissions returned.

type Resource:

dict

param Resource:

A resource where you will get a list of the principal permissions.

This operation does not support getting privileges on a table with columns. Instead, call this operation on the table, and the operation returns the table and the table with columns.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Column names to exclude. Any column whose name appears in this list is excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) -- [REQUIRED]

      A list of LF-tag conditions that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

type NextToken:

string

param NextToken:

A continuation token, if this is not the first call to retrieve this list.

type MaxResults:

integer

param MaxResults:

The maximum number of results to return.

type IncludeRelated:

string

param IncludeRelated:

Indicates that related permissions should be included in the results.

rtype:

dict

returns:

Response Syntax

{
    'PrincipalResourcePermissions': [
        {
            'Principal': {
                'DataLakePrincipalIdentifier': 'string'
            },
            'Resource': {
                'Catalog': {},
                'Database': {
                    'CatalogId': 'string',
                    'Name': 'string'
                },
                'Table': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'TableWildcard': {}
                },
                'TableWithColumns': {
                    'CatalogId': 'string',
                    'DatabaseName': 'string',
                    'Name': 'string',
                    'ColumnNames': [
                        'string',
                    ],
                    'ColumnWildcard': {
                        'ExcludedColumnNames': [
                            'string',
                        ]
                    }
                },
                'DataLocation': {
                    'CatalogId': 'string',
                    'ResourceArn': 'string'
                },
                'DataCellsFilter': {
                    'TableCatalogId': 'string',
                    'DatabaseName': 'string',
                    'TableName': 'string',
                    'Name': 'string'
                },
                'LFTag': {
                    'CatalogId': 'string',
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
                'LFTagPolicy': {
                    'CatalogId': 'string',
                    'ResourceType': 'DATABASE'|'TABLE',
                    'Expression': [
                        {
                            'TagKey': 'string',
                            'TagValues': [
                                'string',
                            ]
                        },
                    ]
                }
            },
            'Permissions': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'PermissionsWithGrantOption': [
                'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
            ],
            'AdditionalDetails': {
                'ResourceShare': [
                    'string',
                ]
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • PrincipalResourcePermissions (list) --

      A list of principals and their permissions on the resource for the specified principal and resource types.

      • (dict) --

        The permissions granted or revoked on a resource.

        • Principal (dict) --

          The Data Lake principal to be granted or revoked permissions.

          • DataLakePrincipalIdentifier (string) --

            An identifier for the Lake Formation principal.

        • Resource (dict) --

          The resource where permissions are to be granted or revoked.

          • Catalog (dict) --

            The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

          • Database (dict) --

            The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • Name (string) --

              The name of the database resource. Unique to the Data Catalog.

          • Table (dict) --

            The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table.

            • TableWildcard (dict) --

              A wildcard object representing every table under a database.

              At least one of TableResource$Name or TableResource$TableWildcard is required.

          • TableWithColumns (dict) --

            The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, it is the account ID of the caller.

            • DatabaseName (string) --

              The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

            • Name (string) --

              The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

            • ColumnNames (list) --

              The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

              • (string) --

            • ColumnWildcard (dict) --

              A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

              • ExcludedColumnNames (list) --

                Column names to exclude. Any column whose name appears in this list is excluded.

                • (string) --

          • DataLocation (dict) --

            The location of an Amazon S3 path where permissions are granted or revoked.

            • CatalogId (string) --

              The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

            • ResourceArn (string) --

              The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

          • DataCellsFilter (dict) --

            A data cell filter.

            • TableCatalogId (string) --

              The ID of the catalog to which the table belongs.

            • DatabaseName (string) --

              A database in the Glue Data Catalog.

            • TableName (string) --

              The name of the table.

            • Name (string) --

              The name of the data cells filter.

          • LFTag (dict) --

            The LF-tag key and values attached to a resource.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • TagKey (string) --

              The key-name for the LF-tag.

            • TagValues (list) --

              A list of possible values an attribute can take.

              • (string) --

          • LFTagPolicy (dict) --

            A list of LF-tag conditions that define a resource's LF-tag policy.

            • CatalogId (string) --

              The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

            • ResourceType (string) --

              The resource type for which the LF-tag policy applies.

            • Expression (list) --

              A list of LF-tag conditions that apply to the resource's LF-tag policy.

              • (dict) --

                A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

                • TagKey (string) --

                  The key-name for the LF-tag.

                • TagValues (list) --

                  A list of possible values an attribute can take.

                  • (string) --

        • Permissions (list) --

          The permissions to be granted or revoked on the resource.

          • (string) --

        • PermissionsWithGrantOption (list) --

          Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).

          • (string) --

        • AdditionalDetails (dict) --

          This attribute can be used to return any additional details of PrincipalResourcePermissions. Currently it returns only a RAM resource share ARN.

          • ResourceShare (list) --

            A resource share ARN for a catalog resource shared through RAM.

            • (string) --

    • NextToken (string) --

      A continuation token, if this is not the first call to retrieve this list.
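Paging through list_permissions with NextToken and reviewing what comes back, added here as an example and not part of the botocore reference above. Because the response is filtered by the caller's own permissions, the audit should run as a data lake administrator; the FakeLakeFormation client and its two pages are constructed sample data, and with boto3 you would pass boto3.client("lakeformation") instead.

```python
# Added example, not part of the botocore reference: follow NextToken across
# list_permissions pages and flag grants worth a review. FakeLakeFormation and
# its pages are constructed sample data standing in for the boto3 client.

BROAD_PERMISSIONS = {"ALL", "ALTER", "DROP", "DELETE", "CREATE_TABLE", "CREATE_DATABASE"}


def iter_principal_permissions(client, **kwargs):
    """Yield every PrincipalResourcePermissions entry, following NextToken
    until the service stops returning one. ListPermissions is filtered by the
    caller's permissions, so run this as a data lake administrator."""
    token = None
    while True:
        params = dict(kwargs)
        if token:
            params["NextToken"] = token
        page = client.list_permissions(**params)
        yield from page.get("PrincipalResourcePermissions", [])
        token = page.get("NextToken")
        if not token:
            return


def describe_resource(resource):
    """Short human-readable label for a Resource dict."""
    if "Catalog" in resource:
        return "catalog"
    if "Database" in resource:
        return "database:" + resource["Database"]["Name"]
    if "Table" in resource:
        t = resource["Table"]
        name = "*" if "TableWildcard" in t else t.get("Name", "?")
        return f"table:{t['DatabaseName']}.{name}"
    if "DataLocation" in resource:
        return "location:" + resource["DataLocation"]["ResourceArn"]
    return ",".join(sorted(resource))  # TableWithColumns, LFTag, LFTagPolicy, ...


def audit_permissions(entries):
    """Return (principal, resource label, reasons) for entries a reviewer
    should look at: broad permissions, grant option, wildcard scope, or a
    resource shared cross-account through RAM (AdditionalDetails.ResourceShare)."""
    findings = []
    for e in entries:
        reasons = []
        perms = set(e.get("Permissions", []))
        if perms & BROAD_PERMISSIONS:
            reasons.append("broad: " + ",".join(sorted(perms & BROAD_PERMISSIONS)))
        if e.get("PermissionsWithGrantOption"):
            reasons.append("grant option")
        resource = e.get("Resource", {})
        if "Catalog" in resource or "TableWildcard" in resource.get("Table", {}):
            reasons.append("wildcard scope")
        if e.get("AdditionalDetails", {}).get("ResourceShare"):
            reasons.append("shared via RAM")
        if reasons:
            findings.append((e["Principal"]["DataLakePrincipalIdentifier"],
                             describe_resource(resource), reasons))
    return findings


class FakeLakeFormation:
    """Constructed stand-in for boto3's lakeformation client: two pages."""

    def __init__(self):
        self.pages = {
            None: {"PrincipalResourcePermissions": [
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/analyst"},
                 "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
                 "Permissions": ["SELECT", "DESCRIBE"], "PermissionsWithGrantOption": []},
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:role/etl"},
                 "Resource": {"Table": {"DatabaseName": "sales", "TableWildcard": {}}},
                 "Permissions": ["ALL"], "PermissionsWithGrantOption": ["ALL"]},
            ], "NextToken": "page-2"},
            "page-2": {"PrincipalResourcePermissions": [
                {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::210987654321:role/partner"},
                 "Resource": {"Database": {"Name": "sales"}},
                 "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": [],
                 "AdditionalDetails": {"ResourceShare": [
                     "arn:aws:ram:us-east-1:123456789012:resource-share/EXAMPLE"]}},
            ]},
        }

    def list_permissions(self, **kwargs):
        # Real clients reject an unknown token; the fake just looks it up.
        return self.pages[kwargs.get("NextToken")]


if __name__ == "__main__":
    entries = iter_principal_permissions(FakeLakeFormation())
    for principal, label, why in audit_permissions(entries):
        print(principal, label, why)
```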

PutDataLakeSettings (updated) Link
Changes (request)
{'DataLakeSettings': {'CreateDatabaseDefaultPermissions': {'Permissions': {'ASSOCIATE'}},
                      'CreateTableDefaultPermissions': {'Permissions': {'ASSOCIATE'}}}}

Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see Granting Lake Formation Permissions.

This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list, add the new admin to it, and pass the resulting list to this API.

See also: AWS API Documentation

Request Syntax

client.put_data_lake_settings(
    CatalogId='string',
    DataLakeSettings={
        'DataLakeAdmins': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'CreateDatabaseDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
        ],
        'CreateTableDefaultPermissions': [
            {
                'Principal': {
                    'DataLakePrincipalIdentifier': 'string'
                },
                'Permissions': [
                    'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
                ]
            },
        ],
        'TrustedResourceOwners': [
            'string',
        ],
        'AllowExternalDataFiltering': True|False,
        'ExternalDataFilteringAllowList': [
            {
                'DataLakePrincipalIdentifier': 'string'
            },
        ],
        'AuthorizedSessionTagValueList': [
            'string',
        ]
    }
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type DataLakeSettings:

dict

param DataLakeSettings:

[REQUIRED]

A structure representing a list of Lake Formation principals designated as data lake administrators.

  • DataLakeAdmins (list) --

    A list of Lake Formation principals. Supported principals are IAM users or IAM roles.

    • (dict) --

      The Lake Formation principal. Supported principals are IAM users or IAM roles.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

  • CreateDatabaseDefaultPermissions (list) --

    Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions. You can override this default setting when you create a database.

    A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

    The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

    For more information, see Changing the Default Security Settings for Your Data Lake.

    • (dict) --

      Permissions granted to a principal.

      • Principal (dict) --

        The principal who is granted permissions.

        • DataLakePrincipalIdentifier (string) --

          An identifier for the Lake Formation principal.

      • Permissions (list) --

        The permissions that are granted to the principal.

        • (string) --

  • CreateTableDefaultPermissions (list) --

    Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.

    A null value indicates access control by Lake Formation permissions. A value that assigns ALL to IAM_ALLOWED_PRINCIPALS indicates access control by IAM permissions. This is referred to as the setting "Use only IAM access control," and is for backward compatibility with the Glue permission model implemented by IAM permissions.

    The only permitted values are an empty array or an array that contains a single JSON object that grants ALL to IAM_ALLOWED_PRINCIPALS.

    For more information, see Changing the Default Security Settings for Your Data Lake.

    • (dict) --

      Permissions granted to a principal.

      • Principal (dict) --

        The principal who is granted permissions.

        • DataLakePrincipalIdentifier (string) --

          An identifier for the Lake Formation principal.

      • Permissions (list) --

        The permissions that are granted to the principal.

        • (string) --

  • TrustedResourceOwners (list) --

    A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log.

    You may want to specify this property when you are in a high-trust boundary, such as the same team or company.

    • (string) --

  • AllowExternalDataFiltering (boolean) --

    Whether to allow Amazon EMR clusters to access data managed by Lake Formation.

    If true, you allow Amazon EMR clusters to access data in Amazon S3 locations that are registered with Lake Formation.

    If false or null, no Amazon EMR clusters will be able to access data in Amazon S3 locations that are registered with Lake Formation.

    For more information, see (Optional) Allow Data Filtering on Amazon EMR.

  • ExternalDataFilteringAllowList (list) --

    A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.

    • (dict) --

      The Lake Formation principal. Supported principals are IAM users or IAM roles.

      • DataLakePrincipalIdentifier (string) --

        An identifier for the Lake Formation principal.

  • AuthorizedSessionTagValueList (list) --

    Lake Formation relies on a privileged process secured by Amazon EMR or the third-party integrator to tag the user's role while assuming it. Lake Formation publishes the acceptable key-value pair, for example key = "LakeFormationTrustedCaller" and value = "TRUE", and the third-party integrator must properly tag the temporary security credentials that will be used to call Lake Formation's administrative APIs.

    • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

RevokePermissions (updated) Link ¶
Changes (request)
{'Permissions': {'ASSOCIATE'}, 'PermissionsWithGrantOption': {'ASSOCIATE'}}

Revokes a principal's permissions to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

See also: AWS API Documentation

Request Syntax

client.revoke_permissions(
    CatalogId='string',
    Principal={
        'DataLakePrincipalIdentifier': 'string'
    },
    Resource={
        'Catalog': {},
        'Database': {
            'CatalogId': 'string',
            'Name': 'string'
        },
        'Table': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'TableWildcard': {}
        },
        'TableWithColumns': {
            'CatalogId': 'string',
            'DatabaseName': 'string',
            'Name': 'string',
            'ColumnNames': [
                'string',
            ],
            'ColumnWildcard': {
                'ExcludedColumnNames': [
                    'string',
                ]
            }
        },
        'DataLocation': {
            'CatalogId': 'string',
            'ResourceArn': 'string'
        },
        'DataCellsFilter': {
            'TableCatalogId': 'string',
            'DatabaseName': 'string',
            'TableName': 'string',
            'Name': 'string'
        },
        'LFTag': {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
        'LFTagPolicy': {
            'CatalogId': 'string',
            'ResourceType': 'DATABASE'|'TABLE',
            'Expression': [
                {
                    'TagKey': 'string',
                    'TagValues': [
                        'string',
                    ]
                },
            ]
        }
    },
    Permissions=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ],
    PermissionsWithGrantOption=[
        'ALL'|'SELECT'|'ALTER'|'DROP'|'DELETE'|'INSERT'|'DESCRIBE'|'CREATE_DATABASE'|'CREATE_TABLE'|'DATA_LOCATION_ACCESS'|'CREATE_TAG'|'ASSOCIATE',
    ]
)
type CatalogId:

string

param CatalogId:

The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

type Principal:

dict

param Principal:

[REQUIRED]

The principal whose permissions on the resource are to be revoked.

  • DataLakePrincipalIdentifier (string) --

    An identifier for the Lake Formation principal.

type Resource:

dict

param Resource:

[REQUIRED]

The resource on which permissions are to be revoked.

  • Catalog (dict) --

    The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

  • Database (dict) --

    The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • Name (string) -- [REQUIRED]

      The name of the database resource. Unique to the Data Catalog.

  • Table (dict) --

    The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) --

      The name of the table.

    • TableWildcard (dict) --

      A wildcard object representing every table under a database.

      At least one of TableResource$Name or TableResource$TableWildcard is required.

  • TableWithColumns (dict) --

    The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, it is the account ID of the caller.

    • DatabaseName (string) -- [REQUIRED]

      The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.

    • Name (string) -- [REQUIRED]

      The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

    • ColumnNames (list) --

      The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.

      • (string) --

    • ColumnWildcard (dict) --

      A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.

      • ExcludedColumnNames (list) --

        Excludes column names. Any column with this name will be excluded.

        • (string) --

  • DataLocation (dict) --

    The location of an Amazon S3 path where permissions are granted or revoked.

    • CatalogId (string) --

      The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.

    • ResourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) that uniquely identifies the data location resource.

  • DataCellsFilter (dict) --

    A data cell filter.

    • TableCatalogId (string) --

      The ID of the catalog to which the table belongs.

    • DatabaseName (string) --

      A database in the Glue Data Catalog.

    • TableName (string) --

      The name of the table.

    • Name (string) --

      The name of the data cells filter.

  • LFTag (dict) --

    The LF-tag key and values attached to a resource.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • TagKey (string) -- [REQUIRED]

      The key-name for the LF-tag.

    • TagValues (list) -- [REQUIRED]

      A list of possible values an attribute can take.

      • (string) --

  • LFTagPolicy (dict) --

    A list of LF-tag conditions that define a resource's LF-tag policy.

    • CatalogId (string) --

      The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.

    • ResourceType (string) -- [REQUIRED]

      The resource type for which the LF-tag policy applies.

    • Expression (list) -- [REQUIRED]

      A list of LF-tag conditions that apply to the resource's LF-tag policy.

      • (dict) --

        A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

        • TagKey (string) -- [REQUIRED]

          The key-name for the LF-tag.

        • TagValues (list) -- [REQUIRED]

          A list of possible values an attribute can take.

          • (string) --

type Permissions:

list

param Permissions:

[REQUIRED]

The permissions revoked from the principal on the resource. For information about permissions, see Security and Access Control to Metadata and Data.

  • (string) --

type PermissionsWithGrantOption:

list

param PermissionsWithGrantOption:

Indicates a list of permissions for which to revoke the grant option allowing the principal to pass permissions to other principals.

  • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --
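The following is an added example, not boto3 or AWS code: it builds a RevokePermissions request and enforces the constraints documented above (the permission enum, required fields, and the "at least one of" rules for Table and TableWithColumns) client-side, so a least-privilege clean-up job fails fast on a malformed request. The principal ARN, tag key and values, and the RecordingClient stand-in for a boto3 client are all constructed for the example.

```python
"""Offline builder/validator for Lake Formation RevokePermissions requests.
Added example, not boto3/AWS code: applies the constraints documented above
(required fields, permission enum, 'at least one of' rules) client-side."""

PERMISSIONS = {"ALL", "SELECT", "ALTER", "DROP", "DELETE", "INSERT", "DESCRIBE",
               "CREATE_DATABASE", "CREATE_TABLE", "DATA_LOCATION_ACCESS",
               "CREATE_TAG", "ASSOCIATE"}

def validate_resource(resource):
    """Check the 'at least one of' rules the documentation states."""
    table = resource.get("Table")
    if table is not None and not table.get("Name") and "TableWildcard" not in table:
        raise ValueError("Table needs Name or TableWildcard")
    twc = resource.get("TableWithColumns")
    if twc is not None and not twc.get("ColumnNames") and "ColumnWildcard" not in twc:
        raise ValueError("TableWithColumns needs ColumnNames or ColumnWildcard")
    policy = resource.get("LFTagPolicy")
    if policy is not None and policy.get("ResourceType") not in ("DATABASE", "TABLE"):
        raise ValueError("LFTagPolicy.ResourceType must be DATABASE or TABLE")
    return resource

def build_revoke_request(principal, resource, permissions, grant_option=()):
    """Return the kwargs for client.revoke_permissions, or raise ValueError."""
    unknown = (set(permissions) | set(grant_option)) - PERMISSIONS
    if unknown:  # catches pre-release names such as DESCRIBE_TAG or ASSOCIATE_TAG
        raise ValueError(f"unknown permission(s): {sorted(unknown)}")
    if not resource:
        raise ValueError("Resource is required")
    request = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": validate_resource(resource),
        "Permissions": list(permissions),  # [REQUIRED] per the docs above
    }
    if grant_option:  # revoke the right to pass these permissions on to others
        request["PermissionsWithGrantOption"] = list(grant_option)
    return request

def revoke(client, principal, resource, permissions, grant_option=()):
    """Validate, then call the SDK; client is boto3's lakeformation client or a stand-in."""
    return client.revoke_permissions(**build_revoke_request(
        principal, resource, permissions, grant_option))

class RecordingClient:
    """Constructed stand-in for boto3's client: records the call, returns {}."""
    def __init__(self):
        self.calls = []
    def revoke_permissions(self, **kwargs):
        self.calls.append(kwargs)
        return {}
```

Swap `RecordingClient()` for `boto3.client("lakeformation")` to run against a real account; the validation path is identical.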