AWS::LakeFormation::PrincipalPermissions LFTagPolicyResource - AWS CloudFormation

AWS::LakeFormation::PrincipalPermissions LFTagPolicyResource

A list of LF-tag conditions that define a resource's LF-tag policy.

A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "CatalogId" : String,
  "Expression" : [ LFTag, ... ],
  "ResourceType" : String
}

YAML

CatalogId: String
Expression:
  - LFTag
ResourceType: String

Properties

CatalogId

The identifier for the Data Catalog. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.

Required: Yes

Type: String

Minimum: 12

Maximum: 12

Update requires: Replacement

Expression

A list of LF-tag conditions that apply to the resource's LF-tag policy.

Required: Yes

Type: Array of LFTag

Minimum: 1

Maximum: 5

Update requires: Replacement

ResourceType

The resource type for which the LF-tag policy applies.

Required: Yes

Type: String

Allowed values: DATABASE | TABLE

Update requires: Replacement

Examples

Permissions on LF-tag policy resource

The following example demonstrates how to grant permissions on an LFTagPolicy resource.

JSON

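{
  "SamplePermission": {
    "Type": "AWS::LakeFormation::PrincipalPermissions",
    "Properties": {
      "Principal": {
        "DataLakePrincipalIdentifier": "arn:sample_principal"
      },
      "Resource": {
        "LFTagPolicy": {
          "CatalogId": "123456789012",
          "ResourceType": "TABLE",
          "Expression": [
            {
              "TagKey": "sample_key",
              "TagValues": ["sample_value"]
            }
          ]
        }
      },
      "Permissions": ["DESCRIBE"],
      "PermissionsWithGrantOption": ["DESCRIBE"]
    }
  }
}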

YAML

SamplePermission:
  Type: AWS::LakeFormation::PrincipalPermissions
  Properties:
    Principal:
      DataLakePrincipalIdentifier: "arn:sample_principal"
    Resource:
      LFTagPolicy:
        CatalogId: "123456789012"
        ResourceType: "TABLE"
        Expression:
          - TagKey: "sample_key"
            TagValues:
              - "sample_value"
    Permissions:
      - "DESCRIBE"
    PermissionsWithGrantOption:
      - "DESCRIBE"
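
The constraints listed under Properties (a 12-character CatalogId, 1 to 5 Expression entries, a ResourceType of DATABASE or TABLE, TagValues given as a list) can be checked before a template is deployed. The following Python check is an added example, not part of the AWS documentation; the function names and the sample template are constructed for illustration, and it assumes the template has already been parsed into a dict.

```python
ALLOWED_RESOURCE_TYPES = {"DATABASE", "TABLE"}

def check_lf_tag_policy(policy):
    """Return constraint violations for one LFTagPolicy mapping."""
    problems = []
    catalog_id = policy.get("CatalogId")
    if not isinstance(catalog_id, str) or len(catalog_id) != 12:
        problems.append("CatalogId must be a 12-character string")
    if policy.get("ResourceType") not in ALLOWED_RESOURCE_TYPES:
        problems.append("ResourceType must be DATABASE or TABLE")
    expression = policy.get("Expression")
    if not isinstance(expression, list) or not 1 <= len(expression) <= 5:
        problems.append("Expression must be a list of 1 to 5 LFTag conditions")
        return problems
    for i, cond in enumerate(expression):
        if not isinstance(cond, dict) or not isinstance(cond.get("TagKey"), str):
            problems.append(f"Expression[{i}] needs a string TagKey")
            continue
        values = cond.get("TagValues")
        if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
            problems.append(f"Expression[{i}].TagValues must be a list of strings")
    return problems

def lint_template(template):
    """Map logical ID -> violations for every LFTagPolicy grant in a template."""
    findings = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::LakeFormation::PrincipalPermissions":
            continue
        policy = resource.get("Properties", {}).get("Resource", {}).get("LFTagPolicy")
        problems = check_lf_tag_policy(policy) if policy is not None else []
        if problems:
            findings[logical_id] = problems
    return findings

def _grant(catalog_id, resource_type, tag_values):
    # Constructed sample resource; principal ARN and tag names are placeholders.
    return {"Type": "AWS::LakeFormation::PrincipalPermissions", "Properties": {
        "Principal": {"DataLakePrincipalIdentifier": "arn:sample_principal"},
        "Resource": {"LFTagPolicy": {"CatalogId": catalog_id, "ResourceType": resource_type,
                     "Expression": [{"TagKey": "sample_key", "TagValues": tag_values}]}},
        "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": []}}

SAMPLE_TEMPLATE = {"Resources": {
    "GoodGrant": _grant("123456789012", "TABLE", ["sample_value"]),
    "BadGrant": _grant("12345678910", "COLUMN", "sample_value")}}

if __name__ == "__main__":
    print(lint_template(SAMPLE_TEMPLATE))
```

Run against a parsed template in CI, a non-empty result from `lint_template` can fail the build before CloudFormation rejects the stack.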