GetTemporaryGlueTableCredentials - Lake Formation

GetTemporaryGlueTableCredentials

Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, AWS Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix.

To call this API, the role that the service assumes must have lakeformation:GetDataAccess permission on the resource.

Request Syntax

{ "AuditContext": { "AdditionalAuditContext": "string" }, "DurationSeconds": number, "Permissions": [ "string" ], "QuerySessionContext": { "AdditionalContext": { "string" : "string" }, "ClusterId": "string", "QueryAuthorizationId": "string", "QueryId": "string", "QueryStartTime": number }, "S3Path": "string", "SupportedPermissionTypes": [ "string" ], "TableArn": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.

AuditContext

A structure representing context to access a resource (column names, query ID, etc).

Type: AuditContext object

Required: No

DurationSeconds

The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.

Type: Integer

Valid Range: Minimum value of 900. Maximum value of 43200.

Required: No

Permissions

Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).

Type: Array of strings

Valid Values: ALL | SELECT | ALTER | DROP | DELETE | INSERT | DESCRIBE | CREATE_DATABASE | CREATE_TABLE | DATA_LOCATION_ACCESS | CREATE_LF_TAG | ASSOCIATE | GRANT_WITH_LF_TAG_EXPRESSION | CREATE_LF_TAG_EXPRESSION | CREATE_CATALOG | SUPER_USER

Required: No

QuerySessionContext

A structure used as a protocol between query engines and Lake Formation or AWS Glue. Contains both a Lake Formation generated authorization identifier and information from the request's authorization context.

Type: QuerySessionContext object

Required: No

S3Path

The Amazon S3 path for the table.

Type: String

Required: No

SupportedPermissionTypes

A list of supported permission types for the table. Valid values are COLUMN_PERMISSION and CELL_FILTER_PERMISSION.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 255 items.

Valid Values: COLUMN_PERMISSION | CELL_FILTER_PERMISSION | NESTED_PERMISSION | NESTED_CELL_PERMISSION

Required: No

TableArn

The ARN identifying a table in the Data Catalog for the temporary credentials request.

Type: String

Required: Yes

Response Syntax

{ "AccessKeyId": "string", "Expiration": number, "SecretAccessKey": "string", "SessionToken": "string", "VendedS3Path": [ "string" ] }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

AccessKeyId

The access key ID for the temporary credentials.

Type: String

Expiration

The date and time when the temporary credentials expire.

Type: Timestamp

SecretAccessKey

The secret key for the temporary credentials.

Type: String

SessionToken

The session token for the temporary credentials.

Type: String

VendedS3Path

The Amazon S3 path for the temporary credentials.

Type: Array of strings

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

Access to a resource was denied.

HTTP Status Code: 400

EntityNotFoundException

A specified entity does not exist.

HTTP Status Code: 400

InternalServiceException

An internal service error occurred.

HTTP Status Code: 500

InvalidInputException

The input provided was not valid.

HTTP Status Code: 400

OperationTimeoutException

The operation timed out.

HTTP Status Code: 400

PermissionTypeMismatchException

The engine does not support filtering data based on the enforced permissions. For example, if you call the GetTemporaryGlueTableCredentials operation with SupportedPermissionType equal to ColumnPermission, but cell-level permissions exist on the table, this exception is thrown.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: