Interface ICfnDataLakeSettingsProps
Properties for defining a CfnDataLakeSettings
.
Namespace: Amazon.CDK.AWS.LakeFormation
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public interface ICfnDataLakeSettingsProps
Syntax (vb)
Public Interface ICfnDataLakeSettingsProps
Remarks
ExampleMetadata: infused
Examples
using Amazon.CDK;
using Amazon.CDK.AWS.Glue.Alpha;
using Amazon.CDK.AWS.LakeFormation;
Stack stack;
string accountId;
var tagKey = "aws";
var tagValues = new [] { "dev" };
var database = new Database(this, "Database");
var table = new S3Table(this, "Table", new S3TableProps {
Database = database,
Columns = new [] { new Column {
Name = "col1",
Type = Schema.STRING
}, new Column {
Name = "col2",
Type = Schema.STRING
} },
DataFormat = DataFormat.CSV
});
var synthesizer = (DefaultStackSynthesizer)stack.Synthesizer;
new CfnDataLakeSettings(this, "DataLakeSettings", new CfnDataLakeSettingsProps {
Admins = new [] { new DataLakePrincipalProperty {
DataLakePrincipalIdentifier = stack.FormatArn(new ArnComponents {
Service = "iam",
Resource = "role",
Region = "",
Account = accountId,
ResourceName = "Admin"
})
}, new DataLakePrincipalProperty {
// The CDK cloudformation execution role.
DataLakePrincipalIdentifier = synthesizer.CloudFormationExecutionRoleArn.Replace("${AWS::Partition}", "aws")
} }
});
var tag = new CfnTag(this, "Tag", new CfnTagProps {
CatalogId = accountId,
TagKey = tagKey,
TagValues = tagValues
});
var lfTagPairProperty = new LFTagPairProperty {
CatalogId = accountId,
TagKey = tagKey,
TagValues = tagValues
};
var tagAssociation = new CfnTagAssociation(this, "TagAssociation", new CfnTagAssociationProps {
LfTags = new [] { lfTagPairProperty },
Resource = new ResourceProperty {
TableWithColumns = new TableWithColumnsResourceProperty {
DatabaseName = database.DatabaseName,
ColumnNames = new [] { "col1", "col2" },
CatalogId = accountId,
Name = table.TableName
}
}
});
tagAssociation.Node.AddDependency(tag);
tagAssociation.Node.AddDependency(table);
Synopsis
Properties
Admins | A list of AWS Lake Formation principals. |
AllowExternalDataFiltering | Whether to allow Amazon EMR clusters or other third-party query engines to access data managed by Lake Formation . |
AllowFullTableExternalDataAccess | Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access. |
AuthorizedSessionTagValueList | Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it. |
CreateDatabaseDefaultPermissions | Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions. |
CreateTableDefaultPermissions | Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions. |
ExternalDataFilteringAllowList | A list of the account IDs of AWS accounts with Amazon EMR clusters or third-party engines that are allwed to perform data filtering. |
MutationType | Specifies whether the data lake settings are updated by adding new values to the current settings ( |
Parameters | A key-value map that provides an additional configuration on your data lake. |
TrustedResourceOwners | An array of UTF-8 strings. |
Properties
Admins
A list of AWS Lake Formation principals.
virtual object Admins { get; }
Property Value
System.Object
Remarks
AllowExternalDataFiltering
Whether to allow Amazon EMR clusters or other third-party query engines to access data managed by Lake Formation .
virtual object AllowExternalDataFiltering { get; }
Property Value
System.Object
Remarks
If set to true, you allow Amazon EMR clusters or other third-party engines to access data in Amazon S3 locations that are registered with Lake Formation .
If false or null, no third-party query engines will be able to access data in Amazon S3 locations that are registered with Lake Formation.
For more information, see External data filtering setting .
AllowFullTableExternalDataAccess
Specifies whether query engines and applications can get credentials without IAM session tags if the user has full table access.
virtual object AllowFullTableExternalDataAccess { get; }
Property Value
System.Object
Remarks
It provides query engines and applications performance benefits as well as simplifies data access. Amazon EMR on Amazon EC2 is able to leverage this setting.
AuthorizedSessionTagValueList
Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
virtual string[] AuthorizedSessionTagValueList { get; }
Property Value
System.String[]
Remarks
Lake Formation will publish the acceptable key-value pair, for example key = "LakeFormationTrustedCaller" and value = "TRUE" and the third party integrator must properly tag the temporary security credentials that will be used to call Lake Formation 's administrative API operations.
CreateDatabaseDefaultPermissions
Specifies whether access control on a newly created database is managed by Lake Formation permissions or exclusively by IAM permissions.
virtual object CreateDatabaseDefaultPermissions { get; }
Property Value
System.Object
Remarks
A null value indicates that the access is controlled by Lake Formation permissions. ALL
permissions assigned to IAM_ALLOWED_PRINCIPALS
group indicates that the user's IAM permissions determine the access to the database. This is referred to as the setting "Use only IAM access control," and is to support backward compatibility with the AWS Glue permission model implemented by IAM permissions.
The only permitted values are an empty array or an array that contains a single JSON object that grants ALL
to IAM_ALLOWED_PRINCIPALS
.
For more information, see Changing the default security settings for your data lake .
CreateTableDefaultPermissions
Specifies whether access control on a newly created table is managed by Lake Formation permissions or exclusively by IAM permissions.
virtual object CreateTableDefaultPermissions { get; }
Property Value
System.Object
Remarks
A null value indicates that the access is controlled by Lake Formation permissions. ALL
permissions assigned to IAM_ALLOWED_PRINCIPALS
group indicate that the user's IAM permissions determine the access to the table. This is referred to as the setting "Use only IAM access control," and is to support the backward compatibility with the AWS Glue permission model implemented by IAM permissions.
The only permitted values are an empty array or an array that contains a single JSON object that grants ALL
permissions to IAM_ALLOWED_PRINCIPALS
.
For more information, see Changing the default security settings for your data lake .
ExternalDataFilteringAllowList
A list of the account IDs of AWS accounts with Amazon EMR clusters or third-party engines that are allwed to perform data filtering.
virtual object ExternalDataFilteringAllowList { get; }
Property Value
System.Object
Remarks
MutationType
Specifies whether the data lake settings are updated by adding new values to the current settings ( APPEND
) or by replacing the current settings with new settings ( REPLACE
).
virtual string MutationType { get; }
Property Value
System.String
Remarks
If you choose REPLACE
, your current data lake settings will be replaced with the new values in your template.
Parameters
A key-value map that provides an additional configuration on your data lake.
virtual object Parameters { get; }
Property Value
System.Object
Remarks
CrossAccountVersion
is the key you can configure in the Parameters
field. Accepted values for the CrossAccountVersion
key are 1, 2, and 3.
TrustedResourceOwners
An array of UTF-8 strings.
virtual string[] TrustedResourceOwners { get; }
Property Value
System.String[]
Remarks
A list of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs). The user ARNs can be logged in the resource owner's CloudTrail log. You may want to specify this property when you are in a high-trust boundary, such as the same team or company.