Adding LF-Tag creators - AWS Lake Formation

By default, data lake administrators can create, update, and delete LF-Tags, assign tags to Data Catalog resources, and grant tag permissions to principals. If you wish to delegate the tag creation and management operations to non-admin principals, the data lake administrator can create LF-Tag creator roles and grant Lake Formation Create LF-Tag permission to the roles. With grantable Create LF-Tag permission, LF-Tag creators can delegate tag creation and maintenance tasks to other non-administrative principals.

Note

Cross-account permission grants can include only the Describe and Associate permissions. You can't grant the Create LF-Tag, Drop, Alter, or Grant with LF-Tag expression permissions to principals in a different account.

IAM permissions required to create LF-Tags

You must configure IAM permissions to allow a Lake Formation principal to create LF-Tags. Add the following statement to the permissions policy of each principal that needs to be an LF-Tag creator.

Note

Although data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags, to assign LF-Tags to resources, and to grant LF-Tags to principals, data lake administrators also need the following IAM permissions.

For more information, see Lake Formation personas and IAM permissions reference.

{
    "Sid": "Transformational",
    "Effect": "Allow",
    "Action": [
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:CreateLFTag",
        "lakeformation:GetLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags"
    ],
    "Resource": "*"
}

Principals who only assign LF-Tags to resources and grant LF-Tags to principals need the same IAM permissions, except for lakeformation:CreateLFTag, lakeformation:UpdateLFTag, and lakeformation:DeleteLFTag.

Add LF-Tag creators

An LF-Tag creator can create an LF-Tag, update its tag key and values, delete tags, associate tags with Data Catalog resources, and grant permissions on Data Catalog resources to principals using the LF-TBAC method. The LF-Tag creator can also grant these permissions to other principals.

You can create LF-Tag creator roles by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

Console
To add an LF-Tag creator
  1. Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/.

    Sign in as a data lake administrator.

  2. In the navigation pane, under Permissions, choose LF-Tags and permissions.

    On the LF-Tags and permissions page, in the LF-Tag creators section, choose Add LF-Tag creators.

  3. On the Add LF-Tag creators page, choose an IAM role or user that has the IAM permissions required to create LF-Tags.

  4. Select the Create LF-Tag permission check box.

  5. (Optional) To allow the selected principals to grant the Create LF-Tag permission to other principals, choose Grantable Create LF-Tag permission.

  6. Choose Add.

AWS CLI
aws lakeformation grant-permissions --cli-input-json file://grantCreate

The grantCreate file contains:

{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/tag-manager"
    },
    "Resource": {
        "Catalog": {}
    },
    "Permissions": [
        "CreateLFTag"
    ],
    "PermissionsWithGrantOption": [
        "CreateLFTag"
    ]
}

The following are the permissions available for a LF-Tag creator role:

Drop
    A principal with this permission on an LF-Tag can delete the LF-Tag from the data lake. The principal gets implicit Describe permission on all tag values of the LF-Tag resource.

Alter
    A principal with this permission on an LF-Tag can add tag values to or remove tag values from the LF-Tag. The principal gets implicit Alter permission on all tag values of the LF-Tag.

Describe
    A principal with this permission on an LF-Tag can view the LF-Tag and its values when assigning LF-Tags to resources or granting permissions on LF-Tags. You can grant Describe on all values of a key or only on specific values.

Associate
    A principal with this permission on an LF-Tag can assign the LF-Tag to a Data Catalog resource. Granting Associate implicitly grants Describe.

Grant with LF-Tag expression
    A principal with this permission on an LF-Tag can grant permissions on Data Catalog resources using the LF-Tag key and values. Granting Grant with LF-Tag expression implicitly grants Describe.

These permissions are grantable. A principal who has been granted these permissions with the grant option can grant them to other principals.
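The following Python module is an added example and is not part of the AWS documentation or of any AWS SDK. It ties together the three mechanical parts of this page: it builds the IAM policy statement for a tag creator (and the reduced one for a principal that only assigns and grants tags), it builds grant-permissions inputs of the kind the AWS CLI example above takes, and it checks a request against the rules stated here (Create LF-Tag belongs on the catalog, cross-account grants may carry only Describe and Associate, and the implicit permissions from the table). It assumes the Lake Formation API's LFTag resource shape (CatalogId, TagKey, TagValues, with "*" meaning all values) and the API's upper-case permission spellings such as CREATE_LF_TAG; because the CLI example on this page writes CreateLFTag, the canonical() helper accepts either spelling. Account IDs and ARNs in it are constructed placeholders, and nothing in it calls AWS.

```python
"""Build and check Lake Formation LF-Tag permission grants offline (added example)."""
import json
import re

# IAM actions an LF-Tag creator needs (the policy statement on this page). Principals
# that only assign tags and grant LF-Tag permissions need all but the three
# tag-management actions.
CREATOR_ACTIONS = [
    "lakeformation:AddLFTagsToResource",
    "lakeformation:RemoveLFTagsFromResource",
    "lakeformation:GetResourceLFTags",
    "lakeformation:ListLFTags",
    "lakeformation:CreateLFTag",
    "lakeformation:GetLFTag",
    "lakeformation:UpdateLFTag",
    "lakeformation:DeleteLFTag",
    "lakeformation:SearchTablesByLFTags",
    "lakeformation:SearchDatabasesByLFTags",
]
TAG_MANAGEMENT_ACTIONS = {
    "lakeformation:CreateLFTag", "lakeformation:UpdateLFTag", "lakeformation:DeleteLFTag",
}

# Permission names as the Lake Formation API spells them (assumed); the CLI input on
# this page writes "CreateLFTag", so canonical() maps either spelling to these.
API_NAMES = ["CREATE_LF_TAG", "DESCRIBE", "ASSOCIATE", "ALTER", "DROP",
             "GRANT_WITH_LF_TAG_EXPRESSION"]
_ALIAS = {re.sub(r"[^A-Z]", "", n): n for n in API_NAMES}

# Permission implied by each LF-Tag permission, from the table on this page.
IMPLIED_BY = {
    "DROP": {"DESCRIBE"},
    "ALTER": {"ALTER"},
    "DESCRIBE": set(),
    "ASSOCIATE": {"DESCRIBE"},
    "GRANT_WITH_LF_TAG_EXPRESSION": {"DESCRIBE"},
}
# The only LF-Tag permissions that may be granted to a principal in another account.
CROSS_ACCOUNT_ALLOWED = {"DESCRIBE", "ASSOCIATE"}


def canonical(permission):
    """Map 'CreateLFTag', 'CREATE_LF_TAG' or 'Grant with LF-Tag expression' to the API name."""
    key = re.sub(r"[^A-Za-z]", "", permission).upper()
    return _ALIAS.get(key, key)


def iam_policy(tag_creator=True):
    """IAM policy document for a tag creator, or for a principal that only assigns/grants tags."""
    actions = [a for a in CREATOR_ACTIONS if tag_creator or a not in TAG_MANAGEMENT_ACTIONS]
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "Transformational", "Effect": "Allow",
                           "Action": actions, "Resource": "*"}]}


def account_of(principal_arn):
    """Return the 12-digit account ID from an IAM principal ARN."""
    parts = principal_arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or not re.fullmatch(r"\d{12}", parts[4]):
        raise ValueError(f"not an IAM principal ARN: {principal_arn}")
    return parts[4]


def create_lf_tag_grant(principal_arn, grantable=True):
    """grant-permissions input that makes the principal an LF-Tag creator (catalog-level grant)."""
    request = {"Principal": {"DataLakePrincipalIdentifier": principal_arn},
               "Resource": {"Catalog": {}},
               "Permissions": ["CREATE_LF_TAG"]}
    if grantable:
        request["PermissionsWithGrantOption"] = ["CREATE_LF_TAG"]
    return request


def lf_tag_grant(principal_arn, catalog_id, tag_key, permissions, tag_values=("*",), grantable=()):
    """grant-permissions input for permissions on one LF-Tag, on all values ("*") or specific ones."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal_arn},
            "Resource": {"LFTag": {"CatalogId": catalog_id, "TagKey": tag_key,
                                   "TagValues": list(tag_values)}},
            "Permissions": [canonical(p) for p in permissions],
            "PermissionsWithGrantOption": [canonical(p) for p in grantable]}


def check_grant(request, caller_account):
    """Problems with a grant request under this page's rules; an empty list means it passes."""
    problems = []
    principal_account = account_of(request["Principal"]["DataLakePrincipalIdentifier"])
    resource = request["Resource"]
    if "LFTag" in resource:
        owner = resource["LFTag"].get("CatalogId", caller_account)
    elif "Catalog" in resource:
        owner = caller_account
    else:
        return ["only Catalog and LFTag resources are handled here"]
    perms = {canonical(p) for p in request.get("Permissions", [])}
    grant_opts = {canonical(p) for p in request.get("PermissionsWithGrantOption", [])}
    if "LFTag" in resource and "CREATE_LF_TAG" in perms | grant_opts:
        problems.append("CREATE_LF_TAG is granted on the catalog, not on an individual LF-Tag")
    if principal_account != owner:
        disallowed = sorted((perms | grant_opts) - CROSS_ACCOUNT_ALLOWED)
        if disallowed:
            problems.append(f"cross-account grant to {principal_account} may carry only "
                            f"Describe and Associate; found {disallowed}")
    return problems


def effective_permissions(granted):
    """Explicit LF-Tag permissions plus the ones the table says they imply."""
    result = set()
    for p in granted:
        name = canonical(p)
        result.add(name)
        result |= IMPLIED_BY.get(name, set())
    return result


if __name__ == "__main__":
    # Constructed sample values: the account ID and ARN are placeholders.
    creator = create_lf_tag_grant("arn:aws:iam::123456789012:user/tag-manager")
    print(json.dumps(creator, indent=4))
    print("problems:", check_grant(creator, "123456789012"))
```

Run check_grant on a request before handing it to `aws lakeformation grant-permissions --cli-input-json`; the catalog-owner account is passed in explicitly because a Catalog resource in the CLI input carries no account ID of its own.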