Resource: aws_lakeformation_permissions

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Permissions are granted to a principal, in a Data Catalog, relative to a Lake Formation resource, which includes the Data Catalog, databases, tables, LF-tags, and LF-tag policies. For more information, see Security and Access Control to Metadata and Data in Lake Formation.

Default Behavior and IAMAllowedPrincipals

_Lake Formation permissions are not in effect by default within AWS._ IAMAllowedPrincipals (i.e., IAM_ALLOWED_PRINCIPALS) conflicts with individual Lake Formation permissions (i.e., non-IAMAllowedPrincipals permissions), will cause unexpected behavior, and may result in errors.

When using Lake Formation, choose ONE of the following options as they are mutually exclusive:

  1. Use this resource (aws_lakeformation_permissions), change the default security settings using aws_lakeformation_data_lake_settings, and remove existing IAMAllowedPrincipals permissions
  2. Use IAMAllowedPrincipals without aws_lakeformation_permissions

This example shows removing the IAMAllowedPrincipals default security settings and making the caller a Lake Formation admin. Since create_database_default_permissions and create_table_default_permissions are not set in the aws_lakeformation_data_lake_settings resource, they are cleared.

data "aws_caller_identity" "current" {}

data "aws_iam_session_context" "current" {
  arn = data.aws_caller_identity.current.arn
}

resource "aws_lakeformation_data_lake_settings" "test" {
  admins = [data.aws_iam_session_context.current.issuer_arn]
}

To remove existing IAMAllowedPrincipals permissions, use the AWS Lake Formation Console or AWS CLI.

IAMAllowedPrincipals is a hook to maintain backwards compatibility with AWS Glue. IAMAllowedPrincipals is a pseudo-entity group that acts like a Lake Formation principal. The group includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies.

This is Lake Formation's default behavior:

For more details, see Changing the Default Security Settings for Your Data Lake.

Problem Using IAMAllowedPrincipals

AWS does not support combining IAMAllowedPrincipals permissions and non-IAMAllowedPrincipals permissions. Doing so results in unexpected permissions and behaviors. For example, this configuration grants a user SELECT on a column in a table.

resource "aws_glue_catalog_database" "example" {
  name = "sadabate"
}

resource "aws_glue_catalog_table" "example" {
  name          = "abelt"
  database_name = aws_glue_catalog_database.test.name

  storage_descriptor {
    columns {
      name = "event"
      type = "string"
    }
  }
}

resource "aws_lakeformation_permissions" "example" {
  permissions = ["SELECT"]
  principal   = "arn:aws:iam:us-east-1:123456789012:user/SanHolo"

  table_with_columns {
    database_name = aws_glue_catalog_table.example.database_name
    name          = aws_glue_catalog_table.example.name
    column_names  = ["event"]
  }
}

The resulting permissions depend on whether the table had IAMAllowedPrincipals (IAP) permissions or not.

Result With IAP Result Without IAP
SELECT column wildcard (i.e., all columns) SELECT on "event" (as expected)

Using Lake Formation Permissions

Lake Formation grants implicit permissions to data lake administrators, database creators, and table creators. These implicit permissions cannot be revoked _per se_. If this resource reads implicit permissions, it will attempt to revoke them, which causes an error when the resource is destroyed.

There are two ways to avoid these errors. First, and the way we recommend, is to avoid using this resource with principals that have implicit permissions. A second, error-prone option, is to grant explicit permissions (and permissions_with_grant_option) to "overwrite" a principal's implicit permissions, which you can then revoke with this resource. For more information, see Implicit Lake Formation Permissions.

If the principal is also a data lake administrator, AWS grants implicit permissions that can cause errors using this resource. For example, AWS implicitly grants a principal/administrator permissions and permissions_with_grant_option of ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, and SELECT on a table. If you use this resource to explicitly grant the principal/administrator permissions but _not_ permissions_with_grant_option of ALL, ALTER, DELETE, DESCRIBE, DROP, INSERT, and SELECT on the table, this resource will read the implicit permissions_with_grant_option and attempt to revoke them when the resource is destroyed. Doing so will cause an InvalidInputException: No permissions revoked error because you cannot revoke implicit permissions _per se_. To workaround this problem, explicitly grant the principal/administrator permissions _and_ permissions_with_grant_option, which can then be revoked. Similarly, granting a principal/administrator permissions on a table with columns and providing column_names, will result in a InvalidInputException: Permissions modification is invalid error because you are narrowing the implicit permissions. Instead, set wildcard to true and remove the column_names.

Example Usage

Grant Permissions For A Lake Formation S3 Resource

resource "aws_lakeformation_permissions" "example" {
  principal   = aws_iam_role.workflow_role.arn
  permissions = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = aws_lakeformation_resource.example.arn
  }
}

Grant Permissions For A Glue Catalog Database

resource "aws_lakeformation_permissions" "example" {
  principal   = aws_iam_role.workflow_role.arn
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  database {
    name       = aws_glue_catalog_database.example.name
    catalog_id = "110376042874"
  }
}

Grant Permissions Using Tag-Based Access Control

resource "aws_lakeformation_permissions" "test" {
  principal   = aws_iam_role.sales_role.arn
  permissions = ["CREATE_TABLE", "ALTER", "DROP"]

  lf_tag_policy {
    resource_type = "DATABASE"

    expression {
      key    = "Team"
      values = ["Sales"]
    }

    expression {
      key    = "Environment"
      values = ["Dev", "Production"]
    }
  }
}

Argument Reference

The following arguments are required:

One of the following is required:

The following arguments are optional:

data_cells_filter

data_location

The following argument is required:

The following argument is optional:

database

The following argument is required:

The following argument is optional:

lf_tag

The following arguments are required:

The following argument is optional:

lf_tag_policy

The following arguments are required:

The following argument is optional:

expression

table

The following argument is required:

The following arguments are optional:

table_with_columns

The following arguments are required:

The following arguments are optional:

Attribute Reference

This resource exports no additional attributes.