GrantPermissions
Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.
For information about permissions, see Security and Access Control to Metadata and Data.
Request Syntax
{
"CatalogId": "string",
"Permissions": [ "string" ],
"PermissionsWithGrantOption": [ "string" ],
"Principal": {
"DataLakePrincipalIdentifier": "string"
},
"Resource": {
"Catalog": {
},
"Database": {
"CatalogId": "string",
"Name": "string"
},
"DataCellsFilter": {
"DatabaseName": "string",
"Name": "string",
"TableCatalogId": "string",
"TableName": "string"
},
"DataLocation": {
"CatalogId": "string",
"ResourceArn": "string"
},
"LFTag": {
"CatalogId": "string",
"TagKey": "string",
"TagValues": [ "string" ]
},
"LFTagPolicy": {
"CatalogId": "string",
"Expression": [
{
"TagKey": "string",
"TagValues": [ "string" ]
}
],
"ResourceType": "string"
},
"Table": {
"CatalogId": "string",
"DatabaseName": "string",
"Name": "string",
"TableWildcard": {
}
},
"TableWithColumns": {
"CatalogId": "string",
"ColumnNames": [ "string" ],
"ColumnWildcard": {
"ExcludedColumnNames": [ "string" ]
},
"DatabaseName": "string",
"Name": "string"
}
}
}Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- CatalogId
-
The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 255.
Pattern:
[\u0020-\uD7FF\uE000-\uFFFD\uD800\uDC00-\uDBFF\uDFFF\t]*Required: No
- Permissions
-
The permissions granted to the principal on the resource. AWS Lake Formation defines privileges to grant and revoke access to metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Lake Formation requires that each principal be authorized to perform a specific task on Lake Formation resources.
Type: Array of strings
Valid Values:
ALL | SELECT | ALTER | DROP | DELETE | INSERT | DESCRIBE | CREATE_DATABASE | CREATE_TABLE | DATA_LOCATION_ACCESS | CREATE_LF_TAG | ASSOCIATE | GRANT_WITH_LF_TAG_EXPRESSIONRequired: Yes
- PermissionsWithGrantOption
-
Indicates a list of the granted permissions that the principal may pass to other users. These permissions may only be a subset of the permissions granted in the
Privileges.Type: Array of strings
Valid Values:
ALL | SELECT | ALTER | DROP | DELETE | INSERT | DESCRIBE | CREATE_DATABASE | CREATE_TABLE | DATA_LOCATION_ACCESS | CREATE_LF_TAG | ASSOCIATE | GRANT_WITH_LF_TAG_EXPRESSIONRequired: No
- Principal
-
The principal to be granted the permissions on the resource. Supported principals are IAM users or IAM roles, and they are defined by their principal type and their ARN.
Note that if you define a resource with a particular ARN, then later delete, and recreate a resource with that same ARN, the resource maintains the permissions already granted.
Type: DataLakePrincipal object
Required: Yes
- Resource
-
The resource to which permissions are to be granted. Resources in AWS Lake Formation are the Data Catalog, databases, and tables.
Type: Resource object
Required: Yes
Response Elements
If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.
Errors
For information about the errors that are common to all actions, see Common Errors.
- ConcurrentModificationException
-
Two processes are trying to modify a resource simultaneously.
HTTP Status Code: 400
- EntityNotFoundException
-
A specified entity does not exist.
HTTP Status Code: 400
- InvalidInputException
-
The input provided was not valid.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
