Granting table permissions using the AWS CLI and the named resource method
You can grant table permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).
To grant table permissions using the AWS CLI
- Run a grant-permissions command, and specify a table as the resource.
Example – Grant on a single table - no filtering
The following example grants SELECT and ALTER to user datalake_user1 in AWS account 1111-2222-3333 on the table inventory in the database retail.
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" "ALTER" --resource '{ "Table": {"DatabaseName":"retail", "Name":"inventory"}}'
If you grant the ALTER permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting data location permissions.
Example – Grant on All Tables with the Grant option - no filtering
The next example grants SELECT with the grant option on all tables in database retail.
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --permissions-with-grant-option "SELECT" --resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'
Example – Grant with simple column filtering
This next example grants SELECT on a subset of columns in the table persons. It uses simple column filtering.
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --resource '{ "TableWithColumns": {"DatabaseName":"hr", "Name":"persons", "ColumnNames":["family_name", "given_name", "gender"]}}'
Example – Grant with a data filter
This example grants SELECT on the orders table and applies the restrict-pharma data filter.
aws lakeformation grant-permissions --cli-input-json file://grant-params.json
The following are the contents of file grant-params.json.
{
    "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
    "Resource": {
        "DataCellsFilter": {
            "TableCatalogId": "111122223333",
            "DatabaseName": "sales",
            "TableName": "orders",
            "Name": "restrict-pharma"
        }
    },
    "Permissions": ["SELECT"],
    "PermissionsWithGrantOption": ["SELECT"]
}
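An added example, not part of the AWS documentation: a Python pre-flight check that reads a request in the grant-params.json shape and lists what a reviewer should confirm before the grant is applied (a resource covering all tables, the grant option, and ALTER with its data location requirement). The function names and finding labels are assumptions made for this illustration.

```python
import json

# Illustrative helper names and finding labels; not an AWS API.
def describe_scope(resource):
    """Return (label, is_broad) for the resource shapes used on this page."""
    if "Table" in resource:
        t = resource["Table"]
        if "TableWildcard" in t:
            return f"all tables in database {t['DatabaseName']}", True
        return f"table {t['DatabaseName']}.{t['Name']}", False
    if "TableWithColumns" in resource:
        t = resource["TableWithColumns"]
        cols = ", ".join(t["ColumnNames"])
        return f"columns ({cols}) of {t['DatabaseName']}.{t['Name']}", False
    if "DataCellsFilter" in resource:
        f = resource["DataCellsFilter"]
        return f"{f['DatabaseName']}.{f['TableName']} via data filter {f['Name']}", False
    return "unrecognised resource type", True  # unknown shapes always get a review

def review_grant(params):
    """Return findings to confirm before running grant-permissions."""
    findings = []
    scope, broad = describe_scope(params["Resource"])
    perms = params.get("Permissions", [])
    delegable = params.get("PermissionsWithGrantOption", [])
    if broad:
        findings.append(f"BROAD_SCOPE: {scope}")
    if delegable:
        # The principal can pass these permissions on to other principals.
        findings.append(f"GRANT_OPTION: principal can re-grant {sorted(delegable)} on {scope}")
    if "ALTER" in perms:
        findings.append("ALTER: grant data location permissions too if the data is in a registered location")
    return findings

# Constructed input with the same structure as the page's grant-params.json.
GRANT_PARAMS = json.loads("""
{ "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
  "Resource": {"DataCellsFilter": {"TableCatalogId": "111122223333", "DatabaseName": "sales",
                                   "TableName": "orders", "Name": "restrict-pharma"}},
  "Permissions": ["SELECT"], "PermissionsWithGrantOption": ["SELECT"] }
""")

if __name__ == "__main__":
    for finding in review_grant(GRANT_PARAMS):
        print(finding)
```

Run against the data filter request, the check reports the grant option, which that file sets in addition to SELECT.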