AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Lake Formation

AWS Lake Formation (service prefix: lakeformation) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Lake Formation

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| BatchGrantPermissions | Grants data lake permissions to one or more principals in a batch. | Permissions management | | | |
| BatchRevokePermissions | Revokes data lake permissions from one or more principals in a batch. | Permissions management | | | |
| DeregisterResource | Deregisters a registered location. | Write | | | |
| DescribeResource | Describes a registered location. | Read | | | |
| GetDataAccess | Grants virtual data lake access permissions. | Write | | | |
| GetDataLakeSettings | Retrieves data lake settings such as the list of data lake administrators and database and table default permissions. | Read | | | |
| GetEffectivePermissionsForPath | Retrieves permissions attached to resources in the given path. | Read | | | |
| GrantPermissions | Grants data lake permissions to a principal. | Permissions management | | | |
| ListPermissions | Lists permissions filtered by principal or resource. | List | | | |
| ListResources | Lists registered locations. | List | | | |
| PutDataLakeSettings | Overwrites data lake settings such as the list of data lake administrators and database and table default permissions. | Permissions management | | | |
| RegisterResource | Registers a new location to be managed by Lake Formation. | Write | | | |
| RevokePermissions | Revokes data lake permissions from a principal. | Permissions management | | | |
| UpdateResource | Updates a registered location. | Write | | | |

Resources Defined by AWS Lake Formation

AWS Lake Formation has no service-defined resources that can be used as the Resource element of an IAM policy statement.

Condition Keys for AWS Lake Formation

Lake Formation has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.
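
The following policy check is an added example, not part of the AWS documentation. It uses the access levels from the actions table above to flag Allow statements that grant Permissions management actions, and statements that name a specific ARN even though every Lake Formation action requires "*" in the Resource element. The function names, finding labels, and sample policy (including the bucket ARN) are constructed for illustration.

```python
import fnmatch

# Access levels copied from the actions table on this page.
LEVELS = {
    "Permissions management": ["BatchGrantPermissions", "BatchRevokePermissions",
                               "GrantPermissions", "PutDataLakeSettings", "RevokePermissions"],
    "Write": ["DeregisterResource", "GetDataAccess", "RegisterResource", "UpdateResource"],
    "Read": ["DescribeResource", "GetDataLakeSettings", "GetEffectivePermissionsForPath"],
    "List": ["ListPermissions", "ListResources"],
}
ACCESS_LEVEL = {a: lvl for lvl, acts in LEVELS.items() for a in acts}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def expand(pattern):
    """Lake Formation actions matched by one Action entry (case-insensitive, * and ? wildcards)."""
    service, _, name = ("lakeformation", ":", "*") if pattern == "*" else pattern.partition(":")
    if service.lower() != "lakeformation":
        return []
    return [a for a in ACCESS_LEVEL if fnmatch.fnmatchcase(a.lower(), name.lower())]

def audit(policy):
    """Return (statement index, finding label, actions) tuples for Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = sorted({a for p in _as_list(stmt["Action"]) for a in expand(p)})
        if not actions:
            continue
        # No Lake Formation action supports resource-level permissions, so Resource must be "*".
        if "*" not in _as_list(stmt.get("Resource", [])):
            findings.append((i, "resource-not-star", actions))
        risky = [a for a in actions if ACCESS_LEVEL[a] == "Permissions management"]
        if risky:
            findings.append((i, "permissions-management", risky))
    return findings

# Constructed sample policy; the bucket ARN is a placeholder.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lakeformation:Describe*", "lakeformation:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "lakeformation:putdatalakesettings", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY):
        print(finding)
```

Note that a prefix wildcard such as lakeformation:Get* also matches GetDataAccess, which the table classifies as Write rather than Read.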