AWS Lake Formation 2017-03-31
- Client: Aws\LakeFormation\LakeFormationClient
- Service ID: lakeformation
- Version: 2017-03-31
This page describes the parameters and results for the operations of the AWS Lake Formation (2017-03-31), and shows how to use the Aws\LakeFormation\LakeFormationClient object to call the described operations. This documentation is specific to the 2017-03-31 API version of the service.
Operation Summary
Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.
You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */).
You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).
- BatchGrantPermissions ( array $params = [] )
Batch operation to grant permissions to the principal.
- BatchRevokePermissions ( array $params = [] )
Batch operation to revoke permissions from the principal.
- DeregisterResource ( array $params = [] )
Deregisters the resource as managed by the Data Catalog.
- DescribeResource ( array $params = [] )
Retrieves the current data access role for the given resource registered in AWS Lake Formation.
- GetDataLakeSettings ( array $params = [] )
Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.
- GetEffectivePermissionsForPath ( array $params = [] )
Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3.
- GrantPermissions ( array $params = [] )
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.
- ListPermissions ( array $params = [] )
Returns a list of the principal permissions on the resource, filtered by the permissions of the caller.
- ListResources ( array $params = [] )
Lists the resources registered to be managed by the Data Catalog.
- PutDataLakeSettings ( array $params = [] )
Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation.
- RegisterResource ( array $params = [] )
Registers the resource as managed by the Data Catalog.
- RevokePermissions ( array $params = [] )
Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.
- UpdateResource ( array $params = [] )
Updates the data access role used for vending access to the given (registered) resource in AWS Lake Formation.
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
Operations
BatchGrantPermissions
$result = $client->batchGrantPermissions([/* ... */]);
$promise = $client->batchGrantPermissionsAsync([/* ... */]);
Batch operation to grant permissions to the principal.
Parameter Syntax
$result = $client->batchGrantPermissions([
    'CatalogId' => '<string>',
    'Entries' => [ // REQUIRED
        [
            'Id' => '<string>', // REQUIRED
            'Permissions' => ['<string>', ...],
            'PermissionsWithGrantOption' => ['<string>', ...],
            'Principal' => [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            'Resource' => [
                'Catalog' => [
                ],
                'DataLocation' => [
                    'CatalogId' => '<string>',
                    'ResourceArn' => '<string>', // REQUIRED
                ],
                'Database' => [
                    'CatalogId' => '<string>',
                    'Name' => '<string>', // REQUIRED
                ],
                'Table' => [
                    'CatalogId' => '<string>',
                    'DatabaseName' => '<string>', // REQUIRED
                    'Name' => '<string>',
                    'TableWildcard' => [
                    ],
                ],
                'TableWithColumns' => [
                    'CatalogId' => '<string>',
                    'ColumnNames' => ['<string>', ...],
                    'ColumnWildcard' => [
                        'ExcludedColumnNames' => ['<string>', ...],
                    ],
                    'DatabaseName' => '<string>', // REQUIRED
                    'Name' => '<string>', // REQUIRED
                ],
            ],
        ],
        // ...
    ],
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- Entries
  - Required: Yes
  - Type: Array of BatchPermissionsRequestEntry structures
  A list of up to 20 entries for resource permissions to be granted by batch operation to the principal.
Result Syntax
[
    'Failures' => [
        [
            'Error' => [
                'ErrorCode' => '<string>',
                'ErrorMessage' => '<string>',
            ],
            'RequestEntry' => [
                'Id' => '<string>',
                'Permissions' => ['<string>', ...],
                'PermissionsWithGrantOption' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
                'Resource' => [
                    'Catalog' => [
                    ],
                    'DataLocation' => [
                        'CatalogId' => '<string>',
                        'ResourceArn' => '<string>',
                    ],
                    'Database' => [
                        'CatalogId' => '<string>',
                        'Name' => '<string>',
                    ],
                    'Table' => [
                        'CatalogId' => '<string>',
                        'DatabaseName' => '<string>',
                        'Name' => '<string>',
                        'TableWildcard' => [
                        ],
                    ],
                    'TableWithColumns' => [
                        'CatalogId' => '<string>',
                        'ColumnNames' => ['<string>', ...],
                        'ColumnWildcard' => [
                            'ExcludedColumnNames' => ['<string>', ...],
                        ],
                        'DatabaseName' => '<string>',
                        'Name' => '<string>',
                    ],
                ],
            ],
        ],
        // ...
    ],
]
Result Details
Members
- Failures
  - Type: Array of BatchPermissionsFailureEntry structures
  A list of failures to grant permissions to the resources.
Errors
- InvalidInputException: The input provided was not valid.
- OperationTimeoutException: The operation timed out.
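A batch grant that assigns its own entry Ids and then maps the returned Failures back to them, as an added example that is not from the page or the SDK. It assumes placeholder principal ARNs, database and table names; the 20-entry limit, the Id field and the Failures/RequestEntry shape are taken from the page.

```php
<?php
// Added example, not from the page: grant the same SELECT permission to several
// principals in one BatchGrantPermissions call and correlate any Failures back
// to the entry that caused them via the Id you assigned. Principal ARNs,
// database and table names are placeholders.
require 'vendor/autoload.php';

use Aws\LakeFormation\LakeFormationClient;

/**
 * Build one BatchPermissionsRequestEntry per principal. Ids must be unique
 * within the request; deriving them from the array key keeps them easy to
 * map back when a failure is reported.
 */
function buildSelectEntries(array $principalArns, string $database, string $table): array
{
    $entries = [];
    foreach ($principalArns as $i => $arn) {
        $entries[] = [
            'Id' => "entry-$i",
            'Principal' => ['DataLakePrincipalIdentifier' => $arn],
            'Resource' => [
                'Table' => ['DatabaseName' => $database, 'Name' => $table],
            ],
            'Permissions' => ['SELECT'],
            // Deliberately no PermissionsWithGrantOption: readers should not be
            // able to re-grant their access to others.
        ];
    }
    return $entries;
}

/**
 * Return an array keyed by entry Id => "ErrorCode: ErrorMessage" for every
 * entry that failed; an empty array means every grant was applied. The page
 * limits a batch to 20 entries, so larger sets are chunked (keys preserved so
 * the Ids stay unique across chunks).
 */
function batchGrantSelect(LakeFormationClient $client, array $principalArns, string $database, string $table): array
{
    $failed = [];
    foreach (array_chunk($principalArns, 20, true) as $chunk) {
        $result = $client->batchGrantPermissions([
            'Entries' => buildSelectEntries($chunk, $database, $table),
        ]);
        foreach ($result['Failures'] ?? [] as $failure) {
            $id = $failure['RequestEntry']['Id'];
            $failed[$id] = $failure['Error']['ErrorCode'] . ': ' . $failure['Error']['ErrorMessage'];
        }
    }
    return $failed;
}

$client = new LakeFormationClient(['region' => 'us-east-1', 'version' => '2017-03-31']);

$principals = [
    'arn:aws:iam::111122223333:role/analyst-a', // placeholder
    'arn:aws:iam::111122223333:role/analyst-b', // placeholder
];
$failures = batchGrantSelect($client, $principals, 'sales_db', 'orders'); // placeholder names

if ($failures === []) {
    echo "All grants applied\n";
} else {
    // A partial failure is returned in Failures, not thrown as an exception:
    // the successful entries are already in effect, so report each failed Id
    // rather than blindly resubmitting the whole batch.
    foreach ($failures as $id => $why) {
        echo "$id failed: $why\n";
    }
}
```

The point worth remembering is the last branch: BatchGrantPermissions is not atomic, so a non-empty Failures list means the batch was partially applied and the caller must reconcile per entry.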
BatchRevokePermissions
$result = $client->batchRevokePermissions([/* ... */]);
$promise = $client->batchRevokePermissionsAsync([/* ... */]);
Batch operation to revoke permissions from the principal.
Parameter Syntax
$result = $client->batchRevokePermissions([
    'CatalogId' => '<string>',
    'Entries' => [ // REQUIRED
        [
            'Id' => '<string>', // REQUIRED
            'Permissions' => ['<string>', ...],
            'PermissionsWithGrantOption' => ['<string>', ...],
            'Principal' => [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            'Resource' => [
                'Catalog' => [
                ],
                'DataLocation' => [
                    'CatalogId' => '<string>',
                    'ResourceArn' => '<string>', // REQUIRED
                ],
                'Database' => [
                    'CatalogId' => '<string>',
                    'Name' => '<string>', // REQUIRED
                ],
                'Table' => [
                    'CatalogId' => '<string>',
                    'DatabaseName' => '<string>', // REQUIRED
                    'Name' => '<string>',
                    'TableWildcard' => [
                    ],
                ],
                'TableWithColumns' => [
                    'CatalogId' => '<string>',
                    'ColumnNames' => ['<string>', ...],
                    'ColumnWildcard' => [
                        'ExcludedColumnNames' => ['<string>', ...],
                    ],
                    'DatabaseName' => '<string>', // REQUIRED
                    'Name' => '<string>', // REQUIRED
                ],
            ],
        ],
        // ...
    ],
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- Entries
  - Required: Yes
  - Type: Array of BatchPermissionsRequestEntry structures
  A list of up to 20 entries for resource permissions to be revoked by batch operation to the principal.
Result Syntax
[
    'Failures' => [
        [
            'Error' => [
                'ErrorCode' => '<string>',
                'ErrorMessage' => '<string>',
            ],
            'RequestEntry' => [
                'Id' => '<string>',
                'Permissions' => ['<string>', ...],
                'PermissionsWithGrantOption' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
                'Resource' => [
                    'Catalog' => [
                    ],
                    'DataLocation' => [
                        'CatalogId' => '<string>',
                        'ResourceArn' => '<string>',
                    ],
                    'Database' => [
                        'CatalogId' => '<string>',
                        'Name' => '<string>',
                    ],
                    'Table' => [
                        'CatalogId' => '<string>',
                        'DatabaseName' => '<string>',
                        'Name' => '<string>',
                        'TableWildcard' => [
                        ],
                    ],
                    'TableWithColumns' => [
                        'CatalogId' => '<string>',
                        'ColumnNames' => ['<string>', ...],
                        'ColumnWildcard' => [
                            'ExcludedColumnNames' => ['<string>', ...],
                        ],
                        'DatabaseName' => '<string>',
                        'Name' => '<string>',
                    ],
                ],
            ],
        ],
        // ...
    ],
]
Result Details
Members
- Failures
  - Type: Array of BatchPermissionsFailureEntry structures
  A list of failures to revoke permissions to the resources.
Errors
- InvalidInputException: The input provided was not valid.
- OperationTimeoutException: The operation timed out.
DeregisterResource
$result = $client->deregisterResource([/* ... */]);
$promise = $client->deregisterResourceAsync([/* ... */]);
Deregisters the resource as managed by the Data Catalog.
When you deregister a path, Lake Formation removes the path from the inline policy attached to your service-linked role.
Parameter Syntax
$result = $client->deregisterResource([
    'ResourceArn' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
- InvalidInputException: The input provided was not valid.
- InternalServiceException: An internal service error occurred.
- OperationTimeoutException: The operation timed out.
- EntityNotFoundException: A specified entity does not exist.
DescribeResource
$result = $client->describeResource([/* ... */]);
$promise = $client->describeResourceAsync([/* ... */]);
Retrieves the current data access role for the given resource registered in AWS Lake Formation.
Parameter Syntax
$result = $client->describeResource([
    'ResourceArn' => '<string>', // REQUIRED
]);
Parameter Details
Result Syntax
[
    'ResourceInfo' => [
        'LastModified' => <DateTime>,
        'ResourceArn' => '<string>',
        'RoleArn' => '<string>',
    ],
]
Result Details
Members
- ResourceInfo
  - Type: ResourceInfo structure
  A structure containing information about an AWS Lake Formation resource.
Errors
- InvalidInputException: The input provided was not valid.
- InternalServiceException: An internal service error occurred.
- OperationTimeoutException: The operation timed out.
- EntityNotFoundException: A specified entity does not exist.
GetDataLakeSettings
$result = $client->getDataLakeSettings([/* ... */]);
$promise = $client->getDataLakeSettingsAsync([/* ... */]);
Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.
Parameter Syntax
$result = $client->getDataLakeSettings([
    'CatalogId' => '<string>',
]);
Parameter Details
Members
Result Syntax
[
    'DataLakeSettings' => [
        'CreateDatabaseDefaultPermissions' => [
            [
                'Permissions' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
            ],
            // ...
        ],
        'CreateTableDefaultPermissions' => [
            [
                'Permissions' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
            ],
            // ...
        ],
        'DataLakeAdmins' => [
            [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            // ...
        ],
        'TrustedResourceOwners' => ['<string>', ...],
    ],
]
Result Details
Members
- DataLakeSettings
  - Type: DataLakeSettings structure
  A structure representing a list of AWS Lake Formation principals designated as data lake administrators.
Errors
- InternalServiceException: An internal service error occurred.
- InvalidInputException: The input provided was not valid.
- EntityNotFoundException: A specified entity does not exist.
GetEffectivePermissionsForPath
$result = $client->getEffectivePermissionsForPath([/* ... */]);
$promise = $client->getEffectivePermissionsForPathAsync([/* ... */]);
Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3. GetEffectivePermissionsForPath will not return databases and tables if the catalog is encrypted.
Parameter Syntax
$result = $client->getEffectivePermissionsForPath([
    'CatalogId' => '<string>',
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'ResourceArn' => '<string>', // REQUIRED
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- MaxResults
  - Type: int
  The maximum number of results to return.
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve this list.
- ResourceArn
  - Required: Yes
  - Type: string
  The Amazon Resource Name (ARN) of the resource for which you want to get permissions.
Result Syntax
[
    'NextToken' => '<string>',
    'Permissions' => [
        [
            'AdditionalDetails' => [
                'ResourceShare' => ['<string>', ...],
            ],
            'Permissions' => ['<string>', ...],
            'PermissionsWithGrantOption' => ['<string>', ...],
            'Principal' => [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            'Resource' => [
                'Catalog' => [
                ],
                'DataLocation' => [
                    'CatalogId' => '<string>',
                    'ResourceArn' => '<string>',
                ],
                'Database' => [
                    'CatalogId' => '<string>',
                    'Name' => '<string>',
                ],
                'Table' => [
                    'CatalogId' => '<string>',
                    'DatabaseName' => '<string>',
                    'Name' => '<string>',
                    'TableWildcard' => [
                    ],
                ],
                'TableWithColumns' => [
                    'CatalogId' => '<string>',
                    'ColumnNames' => ['<string>', ...],
                    'ColumnWildcard' => [
                        'ExcludedColumnNames' => ['<string>', ...],
                    ],
                    'DatabaseName' => '<string>',
                    'Name' => '<string>',
                ],
            ],
        ],
        // ...
    ],
]
Result Details
Members
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve this list.
- Permissions
  - Type: Array of PrincipalResourcePermissions structures
  A list of the permissions for the specified table or database resource located at the path in Amazon S3.
Errors
- InvalidInputException: The input provided was not valid.
- EntityNotFoundException: A specified entity does not exist.
- OperationTimeoutException: The operation timed out.
- InternalServiceException: An internal service error occurred.
GrantPermissions
$result = $client->grantPermissions([/* ... */]);
$promise = $client->grantPermissionsAsync([/* ... */]);
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.
For information about permissions, see Security and Access Control to Metadata and Data.
Parameter Syntax
$result = $client->grantPermissions([
    'CatalogId' => '<string>',
    'Permissions' => ['<string>', ...], // REQUIRED
    'PermissionsWithGrantOption' => ['<string>', ...],
    'Principal' => [ // REQUIRED
        'DataLakePrincipalIdentifier' => '<string>',
    ],
    'Resource' => [ // REQUIRED
        'Catalog' => [
        ],
        'DataLocation' => [
            'CatalogId' => '<string>',
            'ResourceArn' => '<string>', // REQUIRED
        ],
        'Database' => [
            'CatalogId' => '<string>',
            'Name' => '<string>', // REQUIRED
        ],
        'Table' => [
            'CatalogId' => '<string>',
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>',
            'TableWildcard' => [
            ],
        ],
        'TableWithColumns' => [
            'CatalogId' => '<string>',
            'ColumnNames' => ['<string>', ...],
            'ColumnWildcard' => [
                'ExcludedColumnNames' => ['<string>', ...],
            ],
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>', // REQUIRED
        ],
    ],
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- Permissions
  - Required: Yes
  - Type: Array of strings
  The permissions granted to the principal on the resource. AWS Lake Formation defines privileges to grant and revoke access to metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. AWS Lake Formation requires that each principal be authorized to perform a specific task on AWS Lake Formation resources.
- PermissionsWithGrantOption
  - Type: Array of strings
  Indicates a list of the granted permissions that the principal may pass to other users. These permissions may only be a subset of the permissions granted in the Privileges.
- Principal
  - Required: Yes
  - Type: DataLakePrincipal structure
  The principal to be granted the permissions on the resource. Supported principals are IAM users or IAM roles, and they are defined by their principal type and their ARN.
  Note that if you define a resource with a particular ARN, then later delete, and recreate a resource with that same ARN, the resource maintains the permissions already granted.
- Resource
  - Required: Yes
  - Type: Resource structure
  The resource to which permissions are to be granted. Resources in AWS Lake Formation are the Data Catalog, databases, and tables.
Result Syntax
[]
Result Details
Errors
- ConcurrentModificationException: Two processes are trying to modify a resource simultaneously.
- EntityNotFoundException: A specified entity does not exist.
- InvalidInputException: The input provided was not valid.
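A column-restricted SELECT grant that retries only on ConcurrentModificationException, as an added example written for this page rather than taken from it or from the SDK. It uses the TableWithColumns resource and ColumnWildcard/ExcludedColumnNames exactly as the Parameter Syntax shows; the principal ARN, names, excluded columns and the backoff policy are assumptions.

```php
<?php
// Added example, not from the page: grant SELECT on a table while hiding
// sensitive columns through a ColumnWildcard, and retry only on
// ConcurrentModificationException (two processes modifying the same resource).
// Names and ARNs are placeholders.
require 'vendor/autoload.php';

use Aws\LakeFormation\LakeFormationClient;
use Aws\Exception\AwsException;

/**
 * Grant SELECT on every column of $table except $excludedColumns. The
 * TableWithColumns resource is only valid for SELECT (see the
 * TableWithColumnsResource shape), so any other permission would go through
 * the Table resource instead. Returns the number of attempts used, or throws
 * the final AwsException.
 */
function grantSelectExcludingColumns(
    LakeFormationClient $client,
    string $principalArn,
    string $database,
    string $table,
    array $excludedColumns,
    int $maxAttempts = 4
): int {
    $params = [
        'Principal' => ['DataLakePrincipalIdentifier' => $principalArn],
        'Resource' => [
            'TableWithColumns' => [
                'DatabaseName' => $database,
                'Name' => $table,
                'ColumnWildcard' => ['ExcludedColumnNames' => $excludedColumns],
            ],
        ],
        'Permissions' => ['SELECT'],
        // PermissionsWithGrantOption is intentionally omitted: the principal
        // may read, but cannot pass that read on to anyone else.
    ];

    for ($attempt = 1; ; $attempt++) {
        try {
            $client->grantPermissions($params);
            return $attempt;
        } catch (AwsException $e) {
            // Only the concurrency error is worth retrying; InvalidInputException
            // or EntityNotFoundException will not fix themselves.
            if ($e->getAwsErrorCode() !== 'ConcurrentModificationException' || $attempt >= $maxAttempts) {
                throw $e;
            }
            usleep(random_int(100000, 400000) * $attempt); // jittered backoff, assumed policy
        }
    }
}

$client = new LakeFormationClient(['region' => 'us-east-1', 'version' => '2017-03-31']);
$attempts = grantSelectExcludingColumns(
    $client,
    'arn:aws:iam::111122223333:role/analyst', // placeholder
    'sales_db',                                // placeholder
    'customers',                               // placeholder
    ['ssn', 'card_number']                     // constructed: columns to hide
);
echo "Granted after $attempts attempt(s)\n";
```

Using ExcludedColumnNames rather than ColumnNames means a column added to the table later is visible to the principal by default; if new columns should be hidden until reviewed, list the allowed columns explicitly in ColumnNames instead.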
ListPermissions
$result = $client->listPermissions([/* ... */]);
$promise = $client->listPermissionsAsync([/* ... */]);
Returns a list of the principal permissions on the resource, filtered by the permissions of the caller. For example, if you are granted an ALTER permission, you are able to see only the principal permissions for ALTER.
This operation returns only those permissions that have been explicitly granted.
For information about permissions, see Security and Access Control to Metadata and Data.
Parameter Syntax
$result = $client->listPermissions([
    'CatalogId' => '<string>',
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'Principal' => [
        'DataLakePrincipalIdentifier' => '<string>',
    ],
    'Resource' => [
        'Catalog' => [
        ],
        'DataLocation' => [
            'CatalogId' => '<string>',
            'ResourceArn' => '<string>', // REQUIRED
        ],
        'Database' => [
            'CatalogId' => '<string>',
            'Name' => '<string>', // REQUIRED
        ],
        'Table' => [
            'CatalogId' => '<string>',
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>',
            'TableWildcard' => [
            ],
        ],
        'TableWithColumns' => [
            'CatalogId' => '<string>',
            'ColumnNames' => ['<string>', ...],
            'ColumnWildcard' => [
                'ExcludedColumnNames' => ['<string>', ...],
            ],
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>', // REQUIRED
        ],
    ],
    'ResourceType' => 'CATALOG|DATABASE|TABLE|DATA_LOCATION',
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- MaxResults
  - Type: int
  The maximum number of results to return.
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve this list.
- Principal
  - Type: DataLakePrincipal structure
  Specifies a principal to filter the permissions returned.
- Resource
  - Type: Resource structure
  A resource where you will get a list of the principal permissions.
  This operation does not support getting privileges on a table with columns. Instead, call this operation on the table, and the operation returns the table and the table with columns.
- ResourceType
  - Type: string
  Specifies a resource type to filter the permissions returned.
Result Syntax
[
    'NextToken' => '<string>',
    'PrincipalResourcePermissions' => [
        [
            'AdditionalDetails' => [
                'ResourceShare' => ['<string>', ...],
            ],
            'Permissions' => ['<string>', ...],
            'PermissionsWithGrantOption' => ['<string>', ...],
            'Principal' => [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            'Resource' => [
                'Catalog' => [
                ],
                'DataLocation' => [
                    'CatalogId' => '<string>',
                    'ResourceArn' => '<string>',
                ],
                'Database' => [
                    'CatalogId' => '<string>',
                    'Name' => '<string>',
                ],
                'Table' => [
                    'CatalogId' => '<string>',
                    'DatabaseName' => '<string>',
                    'Name' => '<string>',
                    'TableWildcard' => [
                    ],
                ],
                'TableWithColumns' => [
                    'CatalogId' => '<string>',
                    'ColumnNames' => ['<string>', ...],
                    'ColumnWildcard' => [
                        'ExcludedColumnNames' => ['<string>', ...],
                    ],
                    'DatabaseName' => '<string>',
                    'Name' => '<string>',
                ],
            ],
        ],
        // ...
    ],
]
Result Details
Members
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve this list.
- PrincipalResourcePermissions
  - Type: Array of PrincipalResourcePermissions structures
  A list of principals and their permissions on the resource for the specified principal and resource types.
Errors
- InvalidInputException: The input provided was not valid.
- OperationTimeoutException: The operation timed out.
- InternalServiceException: An internal service error occurred.
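A continuation-token loop that drains ListPermissions and, with the same helper, GetEffectivePermissionsForPath (described earlier on this page), then flags the entries a permissions review cares about: a grant option, or ALL on the resource. This is an added example written for this page, not code from the page or the SDK; it generalises the MaxResults/NextToken contract both operations document, and the database name, S3 ARN, region and the "risky" criteria are assumptions.

```php
<?php
// Added example, not from the page: a generic continuation-token loop over
// ListPermissions (result key PrincipalResourcePermissions) and
// GetEffectivePermissionsForPath (result key Permissions), followed by a
// simple review rule. Database name, S3 ARN and region are placeholders.
require 'vendor/autoload.php';

use Aws\LakeFormation\LakeFormationClient;

/**
 * Call $operation repeatedly, feeding NextToken back in until the response
 * carries none, and yield every element of $listKey. Works for any operation
 * on this page that accepts MaxResults/NextToken and returns NextToken.
 */
function iterateAll(LakeFormationClient $client, string $operation, array $params, string $listKey): Generator
{
    $token = null;
    do {
        if ($token !== null) {
            $params['NextToken'] = $token;
        }
        $result = $client->$operation($params); // magic method call by name
        foreach ($result[$listKey] ?? [] as $item) {
            yield $item;
        }
        $token = $result['NextToken'] ?? null;
    } while ($token !== null && $token !== '');
}

/**
 * Return [principal, resource as JSON, reason] for every entry that carries a
 * grant option or the ALL permission. Both are the entries that let a
 * principal widen access beyond what was reviewed for it.
 */
function findRiskyGrants(iterable $entries): array
{
    $flagged = [];
    foreach ($entries as $entry) {
        $principal = $entry['Principal']['DataLakePrincipalIdentifier'] ?? '(unknown)';
        $reasons = [];
        if (!empty($entry['PermissionsWithGrantOption'])) {
            $reasons[] = 'grant option on ' . implode(',', $entry['PermissionsWithGrantOption']);
        }
        if (in_array('ALL', $entry['Permissions'] ?? [], true)) {
            $reasons[] = 'ALL';
        }
        if ($reasons !== []) {
            $flagged[] = [$principal, json_encode($entry['Resource']), implode('; ', $reasons)];
        }
    }
    return $flagged;
}

$client = new LakeFormationClient(['region' => 'us-east-1', 'version' => '2017-03-31']);

// Explicit grants on one database. ListPermissions filters by the caller's own
// permissions, so run the audit as a data lake administrator to see everything.
$dbGrants = iterateAll($client, 'listPermissions', [
    'Resource' => ['Database' => ['Name' => 'sales_db']], // placeholder
    'MaxResults' => 50,
], 'PrincipalResourcePermissions');

// Permissions on the databases/tables stored under one S3 path.
$pathGrants = iterateAll($client, 'getEffectivePermissionsForPath', [
    'ResourceArn' => 'arn:aws:s3:::example-bucket/sales/', // placeholder
    'MaxResults' => 50,
], 'Permissions');

foreach ([$dbGrants, $pathGrants] as $source) {
    foreach (findRiskyGrants($source) as [$principal, $resource, $why]) {
        printf("%s on %s: %s\n", $principal, $resource, $why);
    }
}
```

Two caveats from the page apply to what this audit can see: ListPermissions returns only explicitly granted permissions, filtered by the caller's own, and GetEffectivePermissionsForPath returns no databases or tables when the catalog is encrypted, so an empty result from either is not by itself evidence that no access exists.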
ListResources
$result = $client->listResources([/* ... */]);
$promise = $client->listResourcesAsync([/* ... */]);
Lists the resources registered to be managed by the Data Catalog.
Parameter Syntax
$result = $client->listResources([
    'FilterConditionList' => [
        [
            'ComparisonOperator' => 'EQ|NE|LE|LT|GE|GT|CONTAINS|NOT_CONTAINS|BEGINS_WITH|IN|BETWEEN',
            'Field' => 'RESOURCE_ARN|ROLE_ARN|LAST_MODIFIED',
            'StringValueList' => ['<string>', ...],
        ],
        // ...
    ],
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);
Parameter Details
Members
- FilterConditionList
  - Type: Array of FilterCondition structures
  Any applicable row-level and/or column-level filtering conditions for the resources.
- MaxResults
  - Type: int
  The maximum number of resource results.
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve these resources.
Result Syntax
[
    'NextToken' => '<string>',
    'ResourceInfoList' => [
        [
            'LastModified' => <DateTime>,
            'ResourceArn' => '<string>',
            'RoleArn' => '<string>',
        ],
        // ...
    ],
]
Result Details
Members
- NextToken
  - Type: string
  A continuation token, if this is not the first call to retrieve these resources.
- ResourceInfoList
  - Type: Array of ResourceInfo structures
  A summary of the data lake resources.
Errors
- InvalidInputException: The input provided was not valid.
- InternalServiceException: An internal service error occurred.
- OperationTimeoutException: The operation timed out.
PutDataLakeSettings
$result = $client->putDataLakeSettings([/* ... */]);
$promise = $client->putDataLakeSettingsAsync([/* ... */]);
Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see Granting Lake Formation Permissions.
This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list and add the new admin to that list and pass that list in this API.
Parameter Syntax
$result = $client->putDataLakeSettings([
    'CatalogId' => '<string>',
    'DataLakeSettings' => [ // REQUIRED
        'CreateDatabaseDefaultPermissions' => [
            [
                'Permissions' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
            ],
            // ...
        ],
        'CreateTableDefaultPermissions' => [
            [
                'Permissions' => ['<string>', ...],
                'Principal' => [
                    'DataLakePrincipalIdentifier' => '<string>',
                ],
            ],
            // ...
        ],
        'DataLakeAdmins' => [
            [
                'DataLakePrincipalIdentifier' => '<string>',
            ],
            // ...
        ],
        'TrustedResourceOwners' => ['<string>', ...],
    ],
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- DataLakeSettings
  - Required: Yes
  - Type: DataLakeSettings structure
  A structure representing a list of AWS Lake Formation principals designated as data lake administrators.
Result Syntax
[]
Result Details
Errors
- InternalServiceException: An internal service error occurred.
- InvalidInputException: The input provided was not valid.
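The fetch-then-append procedure the PutDataLakeSettings description prescribes, carried through as an added example that is not from the page or the SDK. It reads the current DataLakeSettings with GetDataLakeSettings, adds one administrator without duplicating it, and writes the whole structure back; the administrator ARN and region are placeholders, and the choice to echo TrustedResourceOwners afterwards is an assumption about what a reviewer wants to see.

```php
<?php
// Added example, not from the page: add a data lake administrator without
// dropping the existing ones. PutDataLakeSettings replaces the list it is
// given, so the function reads the current settings, appends, and writes the
// full structure back. ARNs and region are placeholders.
require 'vendor/autoload.php';

use Aws\LakeFormation\LakeFormationClient;

/**
 * Return a copy of $settings with $adminArn present in DataLakeAdmins exactly
 * once. Pure function: the merge can be reasoned about (and unit tested)
 * separately from the API round-trip.
 */
function withAdmin(array $settings, string $adminArn): array
{
    $admins = $settings['DataLakeAdmins'] ?? [];
    foreach ($admins as $admin) {
        if ($admin['DataLakePrincipalIdentifier'] === $adminArn) {
            return $settings; // already an admin; nothing to change
        }
    }
    $admins[] = ['DataLakePrincipalIdentifier' => $adminArn];
    $settings['DataLakeAdmins'] = $admins;
    return $settings;
}

/**
 * Read-modify-write of the settings structure. Returns the settings that are
 * in effect after the call.
 */
function addDataLakeAdmin(LakeFormationClient $client, string $adminArn): array
{
    $current = $client->getDataLakeSettings([])['DataLakeSettings'];
    $updated = withAdmin($current, $adminArn);
    if ($updated === $current) {
        return $current; // no write, so no ConcurrentModification risk either
    }
    // Send back every field that was read (CreateDatabaseDefaultPermissions,
    // CreateTableDefaultPermissions, TrustedResourceOwners), not only
    // DataLakeAdmins, so that nothing is lost if an omitted field is treated
    // as cleared by the replacement.
    $client->putDataLakeSettings(['DataLakeSettings' => $updated]);
    return $updated;
}

$client = new LakeFormationClient(['region' => 'us-east-1', 'version' => '2017-03-31']);
$settings = addDataLakeAdmin($client, 'arn:aws:iam::111122223333:role/lake-admin'); // placeholder

echo "Administrators now:\n";
foreach ($settings['DataLakeAdmins'] as $admin) {
    echo '  ', $admin['DataLakePrincipalIdentifier'], "\n";
}
// TrustedResourceOwners are accounts allowed to log your users' ARNs in their
// CloudTrail, so an unexpected entry there is worth noticing during the same review.
echo 'Trusted resource owners: ', implode(', ', $settings['TrustedResourceOwners'] ?? []), "\n";
```

Because two administrators running this at the same time would each read the same list and the second write would silently drop the first addition, serialise changes to the settings (a single pipeline or a lock) rather than relying on the service to merge them.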
RegisterResource
$result = $client->registerResource([/* ... */]);
$promise = $client->registerResourceAsync([/* ... */]);
Registers the resource as managed by the Data Catalog.
To add or update data, Lake Formation needs read/write access to the chosen Amazon S3 path. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.
The following request registers a new location and gives AWS Lake Formation permission to use the service-linked role to access that location.
ResourceArn = arn:aws:s3:::my-bucket
UseServiceLinkedRole = true
If UseServiceLinkedRole is not set to true, you must provide or set the RoleArn:
arn:aws:iam::12345:role/my-data-access-role
Parameter Syntax
$result = $client->registerResource([
    'ResourceArn' => '<string>', // REQUIRED
    'RoleArn' => '<string>',
    'UseServiceLinkedRole' => true || false,
]);
Parameter Details
Members
- ResourceArn
  - Required: Yes
  - Type: string
  The Amazon Resource Name (ARN) of the resource that you want to register.
- RoleArn
  - Type: string
  The identifier for the role that registers the resource.
- UseServiceLinkedRole
  - Type: boolean
  Designates an AWS Identity and Access Management (IAM) service-linked role by registering this role with the Data Catalog. A service-linked role is a unique type of IAM role that is linked directly to Lake Formation.
  For more information, see Using Service-Linked Roles for Lake Formation.
Result Syntax
[]
Result Details
Errors
- InvalidInputException: The input provided was not valid.
- InternalServiceException: An internal service error occurred.
- OperationTimeoutException: The operation timed out.
- AlreadyExistsException: A resource to be created or added already exists.
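Registering a location with either the service-linked role or a named data access role, treating AlreadyExistsException as "already registered", and then confirming with DescribeResource which role actually serves the path. This is an added example written for this page, not the page's or the SDK's own code; the bucket and role ARNs are placeholders, and the decision to warn on a role mismatch is an assumption about the caller's intent.

```php
<?php
// Added example, not from the page: register an S3 location, tolerate
// AlreadyExistsException, then verify the attached data access role with
// DescribeResource. Bucket and role ARNs are placeholders.
require 'vendor/autoload.php';

use Aws\LakeFormation\LakeFormationClient;
use Aws\Exception\AwsException;

/**
 * Register $resourceArn. With $roleArn null the service-linked role is used,
 * which is the request shown in the RegisterResource description; otherwise
 * the named role is passed as RoleArn and UseServiceLinkedRole is omitted.
 * Returns true if newly registered, false if it already was.
 */
function registerLocation(LakeFormationClient $client, string $resourceArn, ?string $roleArn = null): bool
{
    $params = ['ResourceArn' => $resourceArn];
    if ($roleArn === null) {
        $params['UseServiceLinkedRole'] = true;
    } else {
        $params['RoleArn'] = $roleArn;
    }
    try {
        $client->registerResource($params);
        return true;
    } catch (AwsException $e) {
        if ($e->getAwsErrorCode() === 'AlreadyExistsException') {
            return false;
        }
        throw $e; // InvalidInputException, InternalServiceException, OperationTimeoutException
    }
}

/**
 * Return the RoleArn Lake Formation currently uses for $resourceArn. That role
 * is what vends access to the data under the path, so it is the thing to
 * check after registration rather than the request you sent.
 */
function registeredRole(LakeFormationClient $client, string $resourceArn): string
{
    $result = $client->describeResource(['ResourceArn' => $resourceArn]);
    return $result['ResourceInfo']['RoleArn'];
}

$client = new LakeFormationClient(['region' => 'us-east-1', 'version' => '2017-03-31']);
$location = 'arn:aws:s3:::example-bucket/raw/';                    // placeholder
$customRole = 'arn:aws:iam::111122223333:role/lake-data-access';   // placeholder

$new = registerLocation($client, $location, $customRole);
echo $new ? "Registered $location\n" : "$location was already registered\n";

$role = registeredRole($client, $location);
if ($role !== $customRole) {
    // An already-registered path keeps whatever role it had; UpdateResource
    // (documented later on this page) is the operation that changes it.
    echo "Warning: $location is served by $role, not $customRole\n";
}
```

The mismatch check matters precisely in the "already registered" branch: a prior registration with a broader role silently wins over the one you just asked for.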
RevokePermissions
$result = $client->revokePermissions([/* ... */]);
$promise = $client->revokePermissionsAsync([/* ... */]);
Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.
Parameter Syntax
$result = $client->revokePermissions([
    'CatalogId' => '<string>',
    'Permissions' => ['<string>', ...], // REQUIRED
    'PermissionsWithGrantOption' => ['<string>', ...],
    'Principal' => [ // REQUIRED
        'DataLakePrincipalIdentifier' => '<string>',
    ],
    'Resource' => [ // REQUIRED
        'Catalog' => [
        ],
        'DataLocation' => [
            'CatalogId' => '<string>',
            'ResourceArn' => '<string>', // REQUIRED
        ],
        'Database' => [
            'CatalogId' => '<string>',
            'Name' => '<string>', // REQUIRED
        ],
        'Table' => [
            'CatalogId' => '<string>',
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>',
            'TableWildcard' => [
            ],
        ],
        'TableWithColumns' => [
            'CatalogId' => '<string>',
            'ColumnNames' => ['<string>', ...],
            'ColumnWildcard' => [
                'ExcludedColumnNames' => ['<string>', ...],
            ],
            'DatabaseName' => '<string>', // REQUIRED
            'Name' => '<string>', // REQUIRED
        ],
    ],
]);
Parameter Details
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- Permissions
  - Required: Yes
  - Type: Array of strings
  The permissions revoked to the principal on the resource. For information about permissions, see Security and Access Control to Metadata and Data.
- PermissionsWithGrantOption
  - Type: Array of strings
  Indicates a list of permissions for which to revoke the grant option allowing the principal to pass permissions to other principals.
- Principal
  - Required: Yes
  - Type: DataLakePrincipal structure
  The principal to be revoked permissions on the resource.
- Resource
  - Required: Yes
  - Type: Resource structure
  The resource to which permissions are to be revoked.
Result Syntax
[]
Result Details
Errors
- ConcurrentModificationException: Two processes are trying to modify a resource simultaneously.
- EntityNotFoundException: A specified entity does not exist.
- InvalidInputException: The input provided was not valid.
UpdateResource
$result = $client->updateResource([/* ... */]);
$promise = $client->updateResourceAsync([/* ... */]);
Updates the data access role used for vending access to the given (registered) resource in AWS Lake Formation.
Parameter Syntax
$result = $client->updateResource([
    'ResourceArn' => '<string>', // REQUIRED
    'RoleArn' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
- InvalidInputException: The input provided was not valid.
- InternalServiceException: An internal service error occurred.
- OperationTimeoutException: The operation timed out.
- EntityNotFoundException: A specified entity does not exist.
Shapes
AlreadyExistsException
Description
A resource to be created or added already exists.
Members
BatchPermissionsFailureEntry
Description
A list of failures when performing a batch grant or batch revoke operation.
Members
- Error
  - Type: ErrorDetail structure
  An error message that applies to the failure of the entry.
- RequestEntry
  - Type: BatchPermissionsRequestEntry structure
  An identifier for an entry of the batch request.
BatchPermissionsRequestEntry
Description
A permission to a resource granted by batch operation to the principal.
Members
- Id
  - Required: Yes
  - Type: string
  A unique identifier for the batch permissions request entry.
- Permissions
  - Type: Array of strings
  The permissions to be granted.
- PermissionsWithGrantOption
  - Type: Array of strings
  Indicates if the option to pass permissions is granted.
- Principal
  - Type: DataLakePrincipal structure
  The principal to be granted a permission.
- Resource
  - Type: Resource structure
  The resource to which the principal is to be granted a permission.
CatalogResource
Description
A structure for the catalog object.
Members
ColumnWildcard
Description
A wildcard object, consisting of an optional list of excluded column names or indexes.
Members
ConcurrentModificationException
Description
Two processes are trying to modify a resource simultaneously.
Members
DataLakePrincipal
Description
The AWS Lake Formation principal. Supported principals are IAM users or IAM roles.
Members
DataLakeSettings
Description
A structure representing a list of AWS Lake Formation principals designated as data lake administrators and lists of principal permission entries for default create database and default create table permissions.
Members
- CreateDatabaseDefaultPermissions
  - Type: Array of PrincipalPermissions structures
  A structure representing a list of up to three principal permissions entries for default create database permissions.
- CreateTableDefaultPermissions
  - Type: Array of PrincipalPermissions structures
  A structure representing a list of up to three principal permissions entries for default create table permissions.
- DataLakeAdmins
  - Type: Array of DataLakePrincipal structures
  A list of AWS Lake Formation principals. Supported principals are IAM users or IAM roles.
- TrustedResourceOwners
  - Type: Array of strings
  A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's AWS CloudTrail log.
  You may want to specify this property when you are in a high-trust boundary, such as the same team or company.
DataLocationResource
Description
A structure for a data location object where permissions are granted or revoked.
Members
DatabaseResource
Description
A structure for the database object.
Members
DetailsMap
Description
A structure containing the additional details to be returned in the AdditionalDetails attribute of PrincipalResourcePermissions.
If a catalog resource is shared through AWS Resource Access Manager (AWS RAM), then there will exist a corresponding RAM share resource ARN.
Members
EntityNotFoundException
Description
A specified entity does not exist
Members
ErrorDetail
Description
Contains details about an error.
Members
FilterCondition
Description
This structure describes the filtering of columns in a table based on a filter condition.
Members
InternalServiceException
Description
An internal service error occurred.
Members
InvalidInputException
Description
The input provided was not valid.
Members
OperationTimeoutException
PrincipalPermissions
Description
Permissions granted to a principal.
Members
- Permissions
  - Type: Array of strings
  The permissions that are granted to the principal.
- Principal
  - Type: DataLakePrincipal structure
  The principal who is granted permissions.
PrincipalResourcePermissions
Description
The permissions granted or revoked on a resource.
Members
- AdditionalDetails
  - Type: DetailsMap structure
  This attribute can be used to return any additional details of PrincipalResourcePermissions. Currently returns only as a RAM share resource ARN.
- Permissions
  - Type: Array of strings
  The permissions to be granted or revoked on the resource.
- PermissionsWithGrantOption
  - Type: Array of strings
  Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).
- Principal
  - Type: DataLakePrincipal structure
  The Data Lake principal to be granted or revoked permissions.
- Resource
  - Type: Resource structure
  The resource where permissions are to be granted or revoked.
Resource
Description
A structure for the resource.
Members
- Catalog
  - Type: CatalogResource structure
  The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
- DataLocation
  - Type: DataLocationResource structure
  The location of an Amazon S3 path where permissions are granted or revoked.
- Database
  - Type: DatabaseResource structure
  The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.
- Table
  - Type: TableResource structure
  The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.
- TableWithColumns
  - Type: TableWithColumnsResource structure
  The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.
ResourceInfo
Description
A structure containing information about an AWS Lake Formation resource.
Members
TableResource
Description
A structure for the table object. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, it is the account ID of the caller.
- DatabaseName
  - Required: Yes
  - Type: string
  The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.
- Name
  - Type: string
  The name of the table.
- TableWildcard
  - Type: TableWildcard structure
  A wildcard object representing every table under a database.
  At least one of TableResource$Name or TableResource$TableWildcard is required.
TableWildcard
Description
A wildcard object representing every table under a database.
Members
TableWithColumnsResource
Description
A structure for a table with columns object. This object is only used when granting a SELECT permission.
This object must take a value for at least one of ColumnsNames, ColumnsIndexes, or ColumnsWildcard.
Members
- CatalogId
  - Type: string
  The identifier for the Data Catalog. By default, it is the account ID of the caller.
- ColumnNames
  - Type: Array of strings
  The list of column names for the table. At least one of ColumnNames or ColumnWildcard is required.
- ColumnWildcard
  - Type: ColumnWildcard structure
  A wildcard specified by a ColumnWildcard object. At least one of ColumnNames or ColumnWildcard is required.
- DatabaseName
  - Required: Yes
  - Type: string
  The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.
- Name
  - Required: Yes
  - Type: string
  The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.