principal_permissions

Creates, updates, deletes or gets a principal_permission resource or lists principal_permissions in a region

Overview

Name	`principal_permissions`
Type	Resource
Description	The `AWS::LakeFormation::PrincipalPermissions` resource represents the permissions that a principal has on a GLUDC resource (such as GLUlong databases or GLUlong tables). When you create a `PrincipalPermissions` resource, the permissions are granted via the LFlong`GrantPermissions` API operation. When you delete a `PrincipalPermissions` resource, the permissions on principal-resource pair are revoked via the LFlong`RevokePermissions` API operation.
Id	`awscc.lakeformation.principal_permissions`

Fields

Name	Datatype	Description
`catalog`	`string`	The identifier for the GLUDC. By default, the account ID. The GLUDC is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
▶`principal`	`object`	The principal to be granted a permission.
▶`resource`	`object`	The resource to be granted or revoked permissions.
`permissions`	`array`	The permissions granted or revoked.
`principal_identifier`	`string`
`resource_identifier`	`string`
`region`	`string`	AWS region.

For more information, see AWS::LakeFormation::PrincipalPermissions.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`Principal, Resource, Permissions, PermissionsWithGrantOption, region`
`delete_resource`	`DELETE`	`Identifier, region`
`get_resource`	`SELECT`	`Identifier, region`

`SELECT` examples

Gets all properties from an individual principal_permission.

SELECT
  region,
  catalog,
  principal,
  resource,
  permissions,
  permissions_with_grant_option,
  principal_identifier,
  resource_identifier
FROM awscc.lakeformation.principal_permissions
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ principal_identifier }}|{{ resource_identifier }}';

`INSERT` example

Use the following StackQL query and manifest file to create a new principal_permission resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO awscc.lakeformation.principal_permissions (
  Principal,
  Resource,
  Permissions,
  PermissionsWithGrantOption,
  region
)
SELECT
  '{{ principal }}',
  '{{ resource }}',
  '{{ permissions }}',
  '{{ permissions_with_grant_option }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

/*+ create */
INSERT INTO awscc.lakeformation.principal_permissions (
  Catalog,
  Principal,
  Resource,
  Permissions,
  PermissionsWithGrantOption,
  region
)
SELECT
  '{{ catalog }}',
  '{{ principal }}',
  '{{ resource }}',
  '{{ permissions }}',
  '{{ permissions_with_grant_option }}',
  '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
  value: '{{ vars.AWS_REGION }}'
resources:
- name: principal_permission
  props:
    - name: catalog
      value: '{{ catalog }}'
    - name: principal
      value:
        data_lake_principal_identifier: '{{ data_lake_principal_identifier }}'
    - name: resource
      value:
        catalog: {}
        database:
          catalog_id: null
          name: '{{ name }}'
        table:
          catalog_id: null
          database_name: null
          name: null
          table_wildcard: {}
        table_with_columns:
          catalog_id: null
          database_name: null
          name: null
          column_names:
            - null
    - name: permissions
      value:
        - '{{ permissions[0] }}'
    - name: permissions_with_grant_option
      value: null

`DELETE` example

/*+ delete */
DELETE FROM awscc.lakeformation.principal_permissions
WHERE
  Identifier = '{{ principal_identifier }}|{{ resource_identifier }}' AND
  region = '{{ region }}'
RETURNING
  ErrorCode,
  EventTime,
  Identifier,
  Operation,
  OperationStatus,
  RequestToken,
  ResourceModel,
  RetryAfter,
  StatusMessage,
  TypeName
;

Additional Parameters

Mutable resources in the Cloud Control provider support additional optional parameters which can be supplied with INSERT, UPDATE, or DELETE operations. These include:

Parameter	Description
`ClientToken`	A unique identifier to ensure the idempotency of the resource request. This allows the provider to accurately distinguish between retries and new requests. A client token is valid for 36 hours once used. After that, a resource request with the same client token is treated as a new request. If you do not specify a client token, one is generated for inclusion in the request.
`RoleArn`	The ARN of the IAM role used to perform this resource operation. The role specified must have the permissions required for this operation. If you do not specify a role, a temporary session is created using your AWS user credentials.
`TypeVersionId`	For private resource types, the type version to use in this resource operation. If you do not specify a resource version, the default version is used.

Permissions

To operate on the principal_permissions resource, the following permissions are required:

Create
Read
Delete

lakeformation:GrantPermissions,
lakeformation:ListPermissions,
glue:GetTable,
glue:GetDatabase

lakeformation:ListPermissions,
glue:GetTable,
glue:GetDatabase

lakeformation:RevokePermissions,
lakeformation:ListPermissions,
glue:GetTable,
glue:GetDatabase

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Additional Parameters​

Permissions​