# principal_permissions

Creates, updates, deletes or gets a principal_permission resource or lists principal_permissions in a region.
## Overview

Property | Value |
---|---|
Name | principal_permissions |
Type | Resource |
Description | The AWS::LakeFormation::PrincipalPermissions resource represents the permissions that a principal has on a Glue Data Catalog resource (such as AWS Glue databases or AWS Glue tables). When you create a PrincipalPermissions resource, the permissions are granted via the AWS Lake Formation GrantPermissions API operation. When you delete a PrincipalPermissions resource, the permissions on the principal-resource pair are revoked via the AWS Lake Formation RevokePermissions API operation. |
Id | aws.lakeformation.principal_permissions |
## Fields

Name | Datatype | Description |
---|---|---|
catalog | string | The identifier for the Glue Data Catalog. By default, the account ID. The Glue Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment. |
principal | object | The principal to be granted a permission. |
resource | object | The resource to be granted or revoked permissions. |
permissions | array | The permissions granted or revoked. |
permissions_with_grant_option | array | Indicates the ability to grant permissions (as a subset of permissions granted). |
principal_identifier | string | |
resource_identifier | string | |
region | string | AWS region. |
## Methods

Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | Principal, Resource, Permissions, PermissionsWithGrantOption, region |
delete_resource | DELETE | data__Identifier, region |
get_resource | SELECT | data__Identifier, region |
## SELECT examples

Gets all properties from an individual principal_permission.

```sql
SELECT
  region,
  catalog,
  principal,
  resource,
  permissions,
  permissions_with_grant_option,
  principal_identifier,
  resource_identifier
FROM aws.lakeformation.principal_permissions
WHERE region = 'us-east-1' AND data__Identifier = '<PrincipalIdentifier>|<ResourceIdentifier>';
```
## INSERT example

Use the following StackQL query and manifest file to create a new principal_permission resource, using stack-deploy.

Required Properties:

```sql
/*+ create */
INSERT INTO aws.lakeformation.principal_permissions (
  Principal,
  Resource,
  Permissions,
  PermissionsWithGrantOption,
  region
)
SELECT
  '{{ Principal }}',
  '{{ Resource }}',
  '{{ Permissions }}',
  '{{ PermissionsWithGrantOption }}',
  '{{ region }}';
```
All Properties:

```sql
/*+ create */
INSERT INTO aws.lakeformation.principal_permissions (
  Catalog,
  Principal,
  Resource,
  Permissions,
  PermissionsWithGrantOption,
  region
)
SELECT
  '{{ Catalog }}',
  '{{ Principal }}',
  '{{ Resource }}',
  '{{ Permissions }}',
  '{{ PermissionsWithGrantOption }}',
  '{{ region }}';
```
Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: principal_permission
    props:
      - name: Catalog
        value: '{{ Catalog }}'
      - name: Principal
        value:
          DataLakePrincipalIdentifier: '{{ DataLakePrincipalIdentifier }}'
      - name: Resource
        value:
          Catalog: {}
          Database:
            CatalogId: null
            Name: '{{ Name }}'
          Table:
            CatalogId: null
            DatabaseName: null
            Name: null
            TableWildcard: {}
          TableWithColumns:
            CatalogId: null
            DatabaseName: null
            Name: null
            ColumnNames:
              - null
      - name: Permissions
        value:
          - '{{ Permissions[0] }}'
      - name: PermissionsWithGrantOption
        value: null
```
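The templates above leave every value to be filled in. As an added example (not from the StackQL documentation), the INSERT below grants one IAM role read-only SELECT on a single Glue table, with an empty PermissionsWithGrantOption so the principal cannot re-delegate the grant; the account ID, role name, database and table names are constructed placeholders, and the object and array properties are passed as JSON strings.

```sql
/*+ create */
INSERT INTO aws.lakeformation.principal_permissions (
  Principal,
  Resource,
  Permissions,
  PermissionsWithGrantOption,
  region
)
SELECT
  -- principal: a single IAM role (constructed placeholder account ID and role name)
  '{"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:role/analytics-reader"}',
  -- resource: one named table, not a TableWildcard over the whole database
  '{"Table": {"CatalogId": "111122223333", "DatabaseName": "sales_curated", "Name": "orders"}}',
  -- read-only data access on that table
  '["SELECT"]',
  -- no grant option: the role cannot pass SELECT on to other principals
  '[]',
  'us-east-1';
```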
## DELETE example

```sql
/*+ delete */
DELETE FROM aws.lakeformation.principal_permissions
WHERE data__Identifier = '<PrincipalIdentifier|ResourceIdentifier>'
AND region = 'us-east-1';
```
## Permissions

To operate on the principal_permissions resource, the following permissions are required:

Operation | Permissions |
---|---|
Create | lakeformation:GrantPermissions, lakeformation:ListPermissions, glue:GetTable, glue:GetDatabase |
Read | lakeformation:ListPermissions, glue:GetTable, glue:GetDatabase |
Delete | lakeformation:RevokePermissions, lakeformation:ListPermissions, glue:GetTable, glue:GetDatabase |