AWS::LakeFormation::PrincipalPermissions LFTagPolicyResource
A list of LF-tag conditions that define a resource's LF-tag policy.
A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "CatalogId" : String,
  "Expression" : [ LFTag, ... ],
  "ResourceType" : String
}
YAML
CatalogId: String
Expression:
  - LFTag
ResourceType: String
Properties
CatalogId
The identifier for the Data Catalog. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your AWS Lake Formation environment.
Required: Yes
Type: String
Minimum: 12
Maximum: 12
Update requires: Replacement
Expression
A list of LF-tag conditions that apply to the resource's LF-tag policy.
Required: Yes
Type: Array of LFTag
Minimum: 1
Maximum: 5
Update requires: Replacement
ResourceType
The resource type for which the LF-tag policy applies.
Required: Yes
Type: String
Allowed values: DATABASE | TABLE
Update requires: Replacement
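The constraints listed above (a 12-character CatalogId, one to five LFTag conditions, ResourceType of DATABASE or TABLE) are easy to get wrong in a hand-written template, and a failed deployment is the cheap way to find out. The following linter is an added example, not AWS code: it walks a parsed CloudFormation template and checks every AWS::LakeFormation::PrincipalPermissions resource that grants on an LFTagPolicy against those documented constraints, and additionally flags PermissionsWithGrantOption so a reviewer confirms the principal really needs to re-grant. The template, the account id 123456789012 and the role ARN are constructed placeholders; the grant-option check is this example's own least-privilege policy, not a CloudFormation validation rule.

```python
"""Lint LFTagPolicy grants in a parsed CloudFormation template.

Added example, not AWS code. SAMPLE_TEMPLATE, the 12-digit account id and
the role ARN are constructed placeholders. The grant-option check is this
example's own least-privilege policy, not a CloudFormation rule.
"""
import json

ALLOWED_RESOURCE_TYPES = {"DATABASE", "TABLE"}   # Allowed values on the page
CATALOG_ID_LEN = 12                              # Minimum: 12, Maximum: 12
EXPRESSION_MIN, EXPRESSION_MAX = 1, 5            # Minimum: 1, Maximum: 5


def validate_lf_tag_policy(policy):
    """Return a list of problems found in one LFTagPolicy structure."""
    errors = []
    catalog_id = policy.get("CatalogId")
    if not isinstance(catalog_id, str):
        errors.append("CatalogId is required and must be a string")
    elif len(catalog_id) != CATALOG_ID_LEN:
        errors.append(f"CatalogId must be exactly {CATALOG_ID_LEN} characters, "
                      f"got {len(catalog_id)}")

    resource_type = policy.get("ResourceType")
    if resource_type not in ALLOWED_RESOURCE_TYPES:
        errors.append(f"ResourceType must be one of "
                      f"{sorted(ALLOWED_RESOURCE_TYPES)}, got {resource_type!r}")

    expression = policy.get("Expression")
    if not isinstance(expression, list):
        errors.append("Expression is required and must be a list of LFTag conditions")
    else:
        if not EXPRESSION_MIN <= len(expression) <= EXPRESSION_MAX:
            errors.append(f"Expression must hold {EXPRESSION_MIN}-{EXPRESSION_MAX} "
                          f"LFTag conditions, got {len(expression)}")
        for i, tag in enumerate(expression):
            # Each LFTag pairs a TagKey with a list of TagValues.
            if not isinstance(tag, dict) or not isinstance(tag.get("TagKey"), str):
                errors.append(f"Expression[{i}] needs a string TagKey")
            values = tag.get("TagValues") if isinstance(tag, dict) else None
            if (not isinstance(values, list) or not values
                    or not all(isinstance(v, str) for v in values)):
                errors.append(f"Expression[{i}].TagValues must be a non-empty list of strings")
    return errors


def lint_template(template):
    """Lint every PrincipalPermissions resource that grants on an LFTagPolicy.

    Returns {logical_id: [error, ...]}; an empty list means the grant is clean.
    """
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::LakeFormation::PrincipalPermissions":
            continue
        props = res.get("Properties", {})
        policy = props.get("Resource", {}).get("LFTagPolicy")
        if policy is None:
            continue                      # grant on a named table/database, not a tag policy
        errors = validate_lf_tag_policy(policy)
        # Grant option lets the principal pass the permission on to others;
        # surface it so a reviewer confirms re-granting is really required.
        grant = props.get("PermissionsWithGrantOption") or []
        if grant:
            errors.append(f"PermissionsWithGrantOption {grant} lets the principal "
                          f"re-grant; confirm this is intended")
        findings[logical_id] = errors
    return findings


# Constructed template: one well-formed grant and one with several mistakes.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GoodGrant": {
            "Type": "AWS::LakeFormation::PrincipalPermissions",
            "Properties": {
                "Principal": {"DataLakePrincipalIdentifier":
                              "arn:aws:iam::123456789012:role/analyst"},  # placeholder
                "Resource": {"LFTagPolicy": {
                    "CatalogId": "123456789012",                 # 12 characters
                    "ResourceType": "TABLE",
                    "Expression": [
                        {"TagKey": "env", "TagValues": ["prod"]},
                        {"TagKey": "classification", "TagValues": ["public"]},
                    ],
                }},
                "Permissions": ["SELECT"],
            },
        },
        "BadGrant": {
            "Type": "AWS::LakeFormation::PrincipalPermissions",
            "Properties": {
                "Principal": {"DataLakePrincipalIdentifier":
                              "arn:aws:iam::123456789012:role/etl"},      # placeholder
                "Resource": {"LFTagPolicy": {
                    "CatalogId": "123456789",                    # too short
                    "ResourceType": "COLUMN",                    # not an allowed value
                    "Expression": [{"TagKey": "env", "TagValues": "prod"}],  # scalar, not list
                }},
                "Permissions": ["SELECT"],
                "PermissionsWithGrantOption": ["SELECT"],
            },
        },
    }
}

if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE_TEMPLATE), indent=2))
```

Run it against a template loaded with `json.load` (or a YAML loader that yields plain dicts) before `aws cloudformation deploy`; a non-empty list for any logical id is a finding to resolve.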
Examples
Permissions on LF-tag policy resource
The following example demonstrates how to grant permissions on an LFTagPolicy resource.
JSON
{
  "SamplePermission": {
    "Type": "AWS::LakeFormation::PrincipalPermissions",
    "Properties": {
      "Principal": {
        "DataLakePrincipalIdentifier": "arn:sample_principal"
      },
      "Resource": {
        "LFTagPolicy": {
          "CatalogId": "12345678910",
          "ResourceType": "TABLE",
          "Expression": [
            { "TagKey": "sample_key", "TagValues": ["sample_value"] }
          ]
        }
      },
      "Permissions": ["DESCRIBE"],
      "PermissionsWithGrantOption": ["DESCRIBE"]
    }
  }
}
YAML
SamplePermission:
  Type: AWS::LakeFormation::PrincipalPermissions
  Properties:
    Principal:
      DataLakePrincipalIdentifier: "arn:sample_principal"
    Resource:
      LFTagPolicy:
        CatalogId: "12345678910"
        ResourceType: "TABLE"
        Expression:
          - TagKey: "sample_key"
            TagValues:
              - "sample_value"
    Permissions:
      - "DESCRIBE"
    PermissionsWithGrantOption:
      - "DESCRIBE"