GetTemporaryGlueTableCredentials
Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, AWS Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix.
To call this API, the role that the service assumes must have lakeformation:GetDataAccess permission on the resource.
Request Syntax
{
"AuditContext": {
"AdditionalAuditContext": "string"
},
"DurationSeconds": number,
"Permissions": [ "string" ],
"QuerySessionContext": {
"AdditionalContext": {
"string" : "string"
},
"ClusterId": "string",
"QueryAuthorizationId": "string",
"QueryId": "string",
"QueryStartTime": number
},
"S3Path": "string",
"SupportedPermissionTypes": [ "string" ],
"TableArn": "string"
}Request Parameters
For information about the parameters that are common to all actions, see Common Parameters.
The request accepts the following data in JSON format.
- AuditContext
-
A structure representing context to access a resource (column names, query ID, etc).
Type: AuditContext object
Required: No
- DurationSeconds
-
The time period, between 900 and 21,600 seconds, for the timeout of the temporary credentials.
Type: Integer
Valid Range: Minimum value of 900. Maximum value of 43200.
Required: No
- Permissions
-
Filters the request based on the user having been granted a list of specified permissions on the requested resource(s).
Type: Array of strings
Valid Values:
ALL | SELECT | ALTER | DROP | DELETE | INSERT | DESCRIBE | CREATE_DATABASE | CREATE_TABLE | DATA_LOCATION_ACCESS | CREATE_LF_TAG | ASSOCIATE | GRANT_WITH_LF_TAG_EXPRESSION | CREATE_LF_TAG_EXPRESSION | CREATE_CATALOG | SUPER_USERRequired: No
- QuerySessionContext
-
A structure used as a protocol between query engines and Lake Formation or AWS Glue. Contains both a Lake Formation generated authorization identifier and information from the request's authorization context.
Type: QuerySessionContext object
Required: No
- S3Path
-
The Amazon S3 path for the table.
Type: String
Required: No
- SupportedPermissionTypes
-
A list of supported permission types for the table. Valid values are
COLUMN_PERMISSIONandCELL_FILTER_PERMISSION.Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 255 items.
Valid Values:
COLUMN_PERMISSION | CELL_FILTER_PERMISSION | NESTED_PERMISSION | NESTED_CELL_PERMISSIONRequired: No
- TableArn
-
The ARN identifying a table in the Data Catalog for the temporary credentials request.
Type: String
Required: Yes
Response Syntax
{
"AccessKeyId": "string",
"Expiration": number,
"SecretAccessKey": "string",
"SessionToken": "string",
"VendedS3Path": [ "string" ]
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- AccessKeyId
-
The access key ID for the temporary credentials.
Type: String
- Expiration
-
The date and time when the temporary credentials expire.
Type: Timestamp
- SecretAccessKey
-
The secret key for the temporary credentials.
Type: String
- SessionToken
-
The session token for the temporary credentials.
Type: String
- VendedS3Path
-
The Amazon S3 path for the temporary credentials.
Type: Array of strings
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
Access to a resource was denied.
HTTP Status Code: 400
- EntityNotFoundException
-
A specified entity does not exist.
HTTP Status Code: 400
- InternalServiceException
-
An internal service error occurred.
HTTP Status Code: 500
- InvalidInputException
-
The input provided was not valid.
HTTP Status Code: 400
- OperationTimeoutException
-
The operation timed out.
HTTP Status Code: 400
- PermissionTypeMismatchException
-
The engine does not support filtering data based on the enforced permissions. For example, if you call the
GetTemporaryGlueTableCredentialsoperation withSupportedPermissionTypeequal toColumnPermission, but cell-level permissions exist on the table, this exception is thrown.HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
