Lake Formation tag-based access control notes and restrictions - AWS Lake Formation

Lake Formation tag-based access control notes and restrictions

The following are notes and restrictions for Lake Formation tag-based access control:

  • Using Lake Formation tag-based access control (LF-TBAC) to grant cross-account access to Data Catalog resources requires additions to the Data Catalog resource policy for your AWS account. For more information, see Prerequisites.

  • LF-Tag keys and LF-Tag values can't exceed 50 characters in length.

  • The maximum number of LF-Tags that can be assigned to a Data Catalog resource is 50.

  • The following limits are soft limits:

    • The maximum number of LF-Tags that can be created is 1000.

    • The maximum number of values that can be defined for an LF-Tag is 1000.

  • LF-Tag keys and values are converted to all lower case when they are stored.

  • Only one value for an LF-Tag can be assigned to a particular resource.

  • If multiple LF-Tags are granted to a principal with a single grant, the principal can access only Data Catalog resources that have all of the LF-Tags.

  • AWS Glue ETL jobs require full table access. The jobs will fail if the AWS Glue ETL role does not have access to all columns in a table. It is possible to apply LF-Tags at the column level, but doing so may cause AWS Glue ETL roles to lose full table access and their jobs to fail. Using data filters for column and/or row filtering is not affected by this limitation.

  • If an LF-Tag expression evaluation results in access to only a subset of table columns, but the Lake Formation permission granted when there is a match is one of the permissions that require full column access, namely Alter, Drop, Insert, or Delete, then none of those permissions is granted. Instead, only Describe is granted. If the granted permission is All (Super), then only Select and Describe are granted.
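As an added illustration (not AWS or SDK code), the following Python models the rules above on constructed data: lower-casing with the 50-character and 50-tag limits, a single value per key on a resource, the all-tags-must-match rule for a grant naming several LF-Tags, and the demotion of column-sensitive permissions when the expression matches only some of a table's columns. That columns inherit the table's LF-Tags and a column-level tag overrides the inherited one is an assumption of this model.

```python
MAX_TAG_LEN = 50            # LF-Tag keys and values: at most 50 characters
MAX_TAGS_PER_RESOURCE = 50  # at most 50 LF-Tags on one Data Catalog resource
FULL_COLUMN_PERMS = {"ALTER", "DROP", "INSERT", "DELETE"}  # need every column


def normalize(key: str, value: str) -> tuple:
    """Enforce the length limit, then lower-case as Lake Formation does on store."""
    if len(key) > MAX_TAG_LEN or len(value) > MAX_TAG_LEN:
        raise ValueError("LF-Tag key or value longer than 50 characters")
    return key.lower(), value.lower()


def assign_tag(resource_tags: dict, key: str, value: str) -> dict:
    """Attach one LF-Tag to a resource: one value per key, at most 50 keys."""
    key, value = normalize(key, value)
    if key not in resource_tags and len(resource_tags) >= MAX_TAGS_PER_RESOURCE:
        raise ValueError("resource already carries 50 LF-Tags")
    resource_tags[key] = value  # re-assigning a key replaces its single value
    return resource_tags


def expression_matches(expression: dict, resource_tags: dict) -> bool:
    """A grant naming several LF-Tags matches only resources carrying all of them."""
    return all(
        resource_tags.get(k.lower()) in {v.lower() for v in vals}
        for k, vals in expression.items()
    )


def effective_permissions(granted: set, table_cols: list, table_tags: dict,
                          column_tags: dict, expression: dict) -> set:
    """Permissions actually received on a table after the column-subset rule:
    ALTER/DROP/INSERT/DELETE collapse to DESCRIBE and ALL collapses to
    SELECT+DESCRIBE unless the expression matched every column."""
    # Assumption of this model: a column inherits the table's LF-Tags and
    # its own column-level tags override the inherited ones.
    matched = [c for c in table_cols
               if expression_matches(expression, {**table_tags, **column_tags.get(c, {})})]
    if len(matched) == len(table_cols):
        return {p.upper() for p in granted}
    out = set()
    for p in (x.upper() for x in granted):
        if p == "ALL":
            out |= {"SELECT", "DESCRIBE"}
        elif p in FULL_COLUMN_PERMS:
            out.add("DESCRIBE")
        else:
            out.add(p)
    return out
```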