Credential Vending API - AWS Lake Formation

Credential Vending API

The Credential Vending API describes the data types and API related to working with the AWS Lake Formation service to vend credentials and to register and manage a data lake resource.

Data Types

FilterCondition Structure

This structure describes the filtering of columns in a table based on a filter condition.

Fields

  • Field – UTF-8 string (valid values: RESOURCE_ARN | ROLE_ARN | LAST_MODIFIED).

    The field to filter in the filter condition.

  • ComparisonOperator – UTF-8 string (valid values: EQ | NE | LE | LT | GE | GT | CONTAINS | NOT_CONTAINS | BEGINS_WITH | IN | BETWEEN).

    The comparison operator used in the filter condition.

  • StringValueList – An array of UTF-8 strings.

    A string with values used in evaluating the filter condition.

ColumnNames list

A list of column names in a table.

An array of UTF-8 strings.

ResourceInfo Structure

A structure containing information about an AWS Lake Formation resource.

Fields

  • ResourceArn – UTF-8 string.

    The Amazon Resource Name (ARN) of the resource.

  • RoleArn – UTF-8 string, matching the Custom string pattern #5.

    The IAM role that registered a resource.

  • LastModified – Timestamp.

    The date and time the resource was last modified.

Operations

RegisterResource Action (Python: register_resource)

Registers the resource as managed by the Data Catalog.

To add or update data, Lake Formation needs read/write access to the chosen Amazon S3 path. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.

The following request registers a new location and gives AWS Lake Formation permission to use the service-linked role to access that location.

ResourceArn = arn:aws:s3:::my-bucket
UseServiceLinkedRole = true

If UseServiceLinkedRole is not set to true, you must provide or set the RoleArn:

arn:aws:iam::12345:role/my-data-access-role

Request

  • ResourceArn – Required: UTF-8 string.

    The Amazon Resource Name (ARN) of the resource that you want to register.

  • UseServiceLinkedRole – Boolean.

    Designates an AWS Identity and Access Management (IAM) service-linked role by registering this role with the Data Catalog. A service-linked role is a unique type of IAM role that is linked directly to Lake Formation.

    For more information, see Using Service-Linked Roles for Lake Formation.

  • RoleArn – UTF-8 string, matching the Custom string pattern #5.

    The identifier for the role that registers the resource.

Response

  • No Response parameters.

Errors

  • InvalidInputException

  • InternalServiceException

  • OperationTimeoutException

  • AlreadyExistsException

DeregisterResource Action (Python: deregister_resource)

Deregisters the resource as managed by the Data Catalog.

When you deregister a path, Lake Formation removes the path from the inline policy attached to your service-linked role.

Request

  • ResourceArn – Required: UTF-8 string.

    The Amazon Resource Name (ARN) of the resource that you want to deregister.

Response

  • No Response parameters.

Errors

  • InvalidInputException

  • InternalServiceException

  • OperationTimeoutException

  • EntityNotFoundException

ListResources Action (Python: list_resources)

Lists the resources registered to be managed by the Data Catalog.

Request

  • FilterConditionList – An array of FilterCondition objects, not less than 1 or more than 20 structures.

    Any applicable row-level and/or column-level filtering conditions for the resources.

  • MaxResults – Number (integer), not less than 1 or more than 1000.

    The maximum number of resource results.

  • NextToken – UTF-8 string.

    A continuation token, if this is not the first call to retrieve these resources.

Response

  • ResourceInfoList – An array of ResourceInfo objects.

    A summary of the data lake resources.

  • NextToken – UTF-8 string.

    A continuation token, if this is not the first call to retrieve these resources.

Errors

  • InvalidInputException

  • InternalServiceException

  • OperationTimeoutException
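As an added example (not AWS code), the following helpers cover the two request shapes above: building a RegisterResource body that enforces the rule that RoleArn is mandatory unless UseServiceLinkedRole is true, and applying FilterCondition structures locally to a ListResources response that was already fetched, for instance to audit which registered locations use a custom role instead of the service-linked role. The ARNs, the sample resource list and the operator semantics (conditions ANDed, timestamps compared as ISO 8601 strings) are assumptions; the page does not define them.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a ListResources response (ARNs are made up).
SLR_NAME = "AWSServiceRoleForLakeFormationDataAccess"
SAMPLE_RESOURCES = [
    {"ResourceArn": "arn:aws:s3:::data-lake-raw",
     "RoleArn": "arn:aws:iam::123456789012:role/aws-service-role/"
                "lakeformation.amazonaws.com/" + SLR_NAME,
     "LastModified": datetime(2023, 1, 5, tzinfo=timezone.utc)},
    {"ResourceArn": "arn:aws:s3:::data-lake-curated",
     "RoleArn": "arn:aws:iam::123456789012:role/my-data-access-role",
     "LastModified": datetime(2023, 6, 20, tzinfo=timezone.utc)},
]
# FilterCondition.Field value -> the ResourceInfo key it is applied to.
_FIELDS = {"RESOURCE_ARN": "ResourceArn", "ROLE_ARN": "RoleArn",
           "LAST_MODIFIED": "LastModified"}

def build_register_request(resource_arn, use_service_linked_role=False, role_arn=None):
    """RegisterResource body; RoleArn is mandatory unless UseServiceLinkedRole is true."""
    if use_service_linked_role:
        return {"ResourceArn": resource_arn, "UseServiceLinkedRole": True}
    if not role_arn:
        raise ValueError("RoleArn is required when UseServiceLinkedRole is not true")
    return {"ResourceArn": resource_arn, "RoleArn": role_arn}

def _matches(value, op, values):
    """Evaluate one ComparisonOperator (assumed semantics, not AWS's code)."""
    if isinstance(value, datetime):  # ISO 8601 strings sort chronologically
        value = value.isoformat()
    first = values[0]
    ops = {"EQ": lambda: value == first, "NE": lambda: value != first,
           "LT": lambda: value < first, "LE": lambda: value <= first,
           "GT": lambda: value > first, "GE": lambda: value >= first,
           "CONTAINS": lambda: first in value, "NOT_CONTAINS": lambda: first not in value,
           "BEGINS_WITH": lambda: value.startswith(first), "IN": lambda: value in values,
           "BETWEEN": lambda: values[0] <= value <= values[1]}
    if op not in ops:
        raise ValueError(f"unsupported ComparisonOperator: {op}")
    return ops[op]()

def apply_filters(resources, filter_conditions):
    """ResourceInfo entries that satisfy every FilterCondition (AND is assumed)."""
    return [r for r in resources
            if all(_matches(r[_FIELDS[c["Field"]]], c["ComparisonOperator"],
                            c["StringValueList"]) for c in filter_conditions)]

def custom_role_resources(resources):
    """Audit helper: registered locations not using the service-linked role."""
    return apply_filters(resources, [{"Field": "ROLE_ARN", "ComparisonOperator": "NOT_CONTAINS",
                                      "StringValueList": [SLR_NAME]}])
```

With a real ListResources response, pass the ResourceInfoList array to custom_role_resources and review each returned RoleArn against the access the page says Lake Formation needs (read/write on the registered Amazon S3 path) rather than broader permissions.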