This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::LakeFormation::PrincipalPermissions LFTagPolicyResource A list of LF-tag conditions that define a resource's LF-tag policy. A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'. ## Syntax To declare this entity in your Amazon CloudFormation template, use the following syntax: ### JSON ``` { "[CatalogId](#cfn-lakeformation-principalpermissions-lftagpolicyresource-catalogid)" : {{String}}, "[Expression](#cfn-lakeformation-principalpermissions-lftagpolicyresource-expression)" : {{[ LFTag, ... ]}}, "[ResourceType](#cfn-lakeformation-principalpermissions-lftagpolicyresource-resourcetype)" : {{String}} } ``` ### YAML ``` [CatalogId](#cfn-lakeformation-principalpermissions-lftagpolicyresource-catalogid): {{String}} [Expression](#cfn-lakeformation-principalpermissions-lftagpolicyresource-expression): {{ - LFTag}} [ResourceType](#cfn-lakeformation-principalpermissions-lftagpolicyresource-resourcetype): {{String}} ``` ## Properties `CatalogId` The identifier for the Data Catalog. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Amazon Lake Formation environment. *Required*: Yes *Type*: String *Minimum*: `12` *Maximum*: `12` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Expression` A list of LF-tag conditions that apply to the resource's LF-tag policy. *Required*: Yes *Type*: Array of [LFTag](aws-properties-lakeformation-principalpermissions-lftag.md) *Minimum*: `1` *Maximum*: `5` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `ResourceType` The resource type for which the LF-tag policy applies. *Required*: Yes *Type*: String *Allowed values*: `DATABASE | TABLE` *Update requires*: [Replacement](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Examples ### Permissions on LF-tag policy resource The following example demonstrates how to grant permissions on a `LFTagPolicy` resource. #### JSON ``` { "SamplePermission": { "LFTagPolicy": { "CatalogId": "12345678910", "ResourceType": "TABLE", "Expression": [ { "TagKey": "sample_key", "TagValues": ["sample_value"] } ] } }, "Permissions": ["DESCRIBE"], "PermissionsWithGrantOption": ["DESCRIBE"] } ``` #### YAML ``` SamplePermission: Type: AWS::LakeFormation::PrincipalPermissions Properties: Principal: DataLakePrincipalIdentifier: "arn:sample_principal" Resource: LFTagPolicy: CatalogId: "12345678910" ResourceType: "TABLE" Expression: - TagKey: "sample_key" TagValues: "sample_value" Permissions: - "DESCRIBE" PermissionsWithGrantOption: - "DESCRIBE" ```