Granting, Revoking, and Listing LF-Tag Permissions - AWS Lake Formation

Granting, Revoking, and Listing LF-Tag Permissions

You can grant the DESCRIBE and ASSOCIATE Lake Formation permissions on LF-tags to principals so that they can view the LF-tags and assign them to Data Catalog resources (databases, tables, and columns). When LF-tags are assigned to Data Catalog resources, you can use the Lake Formation tag-based access control (LF-TBAC) method to secure those resources. For more information, see Lake Formation Tag-based access control.

Initially, only the data lake administrator can grant these permissions. If the data lake administrator grants them with the grant option, the receiving principals can in turn grant them to others. The DESCRIBE and ASSOCIATE permissions are explained in Lake Formation tag-based access control permissions model.

You can grant the DESCRIBE and ASSOCIATE permissions on an LF-tag to an external AWS account. A data lake administrator in that account can then grant those permissions to other principals in the account. Principals to whom the data lake administrator in the external account grants the ASSOCIATE permission can then assign LF-tags to Data Catalog resources that you shared with their account.

When granting to an external account, you must include the grant option.

You can grant permissions on LF-tags by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).
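The following script is an added example, not part of the AWS documentation, that wraps the AWS CLI calls for the three operations on this page: granting DESCRIBE and ASSOCIATE on an LF-tag, revoking them, and listing LF-tag permissions. The `lakeformation grant-permissions`, `revoke-permissions` and `list-permissions` subcommands and their `--principal`, `--permissions`, `--permissions-with-grant-option`, `--resource` and `--resource-type LF_TAG` options are real AWS CLI options; the account IDs (`111122223333`, `123456789012`), the tag key `classification` and its values, and the IAM role ARN are constructed placeholders. The `DRY_RUN` switch and the check that a cross-account grant carries the grant option are conventions of this example, added so that the commands can be inspected before anything is sent to the service.

```shell
#!/bin/sh
# Added example: thin wrappers around the AWS CLI for LF-tag permission management.
# Set DRY_RUN=1 to print each aws command instead of executing it.
set -eu

# Build the LF-tag resource JSON accepted by --resource.
# Usage: lf_tag_resource CATALOG_ID TAG_KEY [VALUE...]
lf_tag_resource() {
  catalog_id="$1"; tag_key="$2"; shift 2
  values=""
  for v in "$@"; do
    values="${values:+$values,}\"$v\""
  done
  printf '{"LFTag":{"CatalogId":"%s","TagKey":"%s","TagValues":[%s]}}' \
    "$catalog_id" "$tag_key" "$values"
}

# Execute an aws command, or echo it when DRY_RUN=1.
aws_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "aws $*"
  else
    aws "$@"
  fi
}

# A bare 12-digit principal is an AWS account ID, i.e. a cross-account grant.
is_external_account() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Grant DESCRIBE and ASSOCIATE on one LF-tag to a principal.
# Usage: grant_lf_tag_permissions PRINCIPAL CATALOG_ID TAG_KEY WITH_GRANT(yes|no) [VALUE...]
# Cross-account grants must carry the grant option, so the function refuses otherwise.
grant_lf_tag_permissions() {
  principal="$1"; catalog_id="$2"; tag_key="$3"; with_grant="$4"; shift 4
  if is_external_account "$principal" && [ "$with_grant" != "yes" ]; then
    echo "refusing: a grant to external account $principal must include the grant option" >&2
    return 1
  fi
  resource=$(lf_tag_resource "$catalog_id" "$tag_key" "$@")
  if [ "$with_grant" = "yes" ]; then
    aws_cmd lakeformation grant-permissions \
      --principal "DataLakePrincipalIdentifier=$principal" \
      --permissions DESCRIBE ASSOCIATE \
      --permissions-with-grant-option DESCRIBE ASSOCIATE \
      --resource "$resource"
  else
    aws_cmd lakeformation grant-permissions \
      --principal "DataLakePrincipalIdentifier=$principal" \
      --permissions DESCRIBE ASSOCIATE \
      --resource "$resource"
  fi
}

# Revoke DESCRIBE and ASSOCIATE on one LF-tag from a principal.
# Usage: revoke_lf_tag_permissions PRINCIPAL CATALOG_ID TAG_KEY [VALUE...]
revoke_lf_tag_permissions() {
  principal="$1"; catalog_id="$2"; tag_key="$3"; shift 3
  aws_cmd lakeformation revoke-permissions \
    --principal "DataLakePrincipalIdentifier=$principal" \
    --permissions DESCRIBE ASSOCIATE \
    --resource "$(lf_tag_resource "$catalog_id" "$tag_key" "$@")"
}

# List every permission granted on LF-tag resources in this account.
list_lf_tag_permissions() {
  aws_cmd lakeformation list-permissions --resource-type LF_TAG
}

# Example session with constructed placeholder identifiers (DRY_RUN=1 prints only).
# Same-account role, no grant option:
#   grant_lf_tag_permissions arn:aws:iam::111122223333:role/Analyst 111122223333 classification no pii internal
# External account, grant option required:
#   grant_lf_tag_permissions 123456789012 111122223333 classification yes pii internal
#   list_lf_tag_permissions
```

Run it with `DRY_RUN=1` first to review the exact `aws lakeformation` invocations, then rerun without the variable once the principal, catalog ID and tag values are the ones you intend. The `TagValues` list restricts the grant to the listed values of the tag key, so a principal given ASSOCIATE on `classification=internal` alone cannot assign `classification=pii`.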

For more information, see Managing LF-Tags for metadata access control and Lake Formation Tag-based access control.