Managing LF-Tag permissions using the Amazon CLI
You can grant, revoke, and list permissions on LF-Tags by using the Amazon Command Line Interface (Amazon CLI).
To list LF-Tag permissions (Amazon CLI)
- Enter a list-permissions command. You must be the LF-Tag creator, a data lake administrator, or have the Drop, Alter, Describe, Associate, or Grant with LF-Tag permissions permission on an LF-Tag to see it. The following command requests all LF-Tags that you have permissions on.

aws lakeformation list-permissions --resource-type LF_TAG
The following is sample output for a data lake administrator, who sees all LF-Tags granted to all principals. Non-administrative users see only LF-Tags granted to them. LF-Tag permissions granted from an external account appear on a separate results page. To see them, repeat the command and supply the --next-token argument with the token returned from the previous command run.

{
    "PrincipalResourcePermissions": [
        {
            "Principal": {
                "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_admin"
            },
            "Resource": {
                "LFTag": {
                    "CatalogId": "111122223333",
                    "TagKey": "environment",
                    "TagValues": [
                        "*"
                    ]
                }
            },
            "Permissions": [
                "ASSOCIATE"
            ],
            "PermissionsWithGrantOption": [
                "ASSOCIATE"
            ]
        },
        {
            "Principal": {
                "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
            },
            "Resource": {
                "LFTag": {
                    "CatalogId": "111122223333",
                    "TagKey": "module",
                    "TagValues": [
                        "Orders",
                        "Sales"
                    ]
                }
            },
            "Permissions": [
                "DESCRIBE"
            ],
            "PermissionsWithGrantOption": []
        },
        ...
    ],
    "NextToken": "eyJzaG91bGRRdWVy...Wlzc2lvbnMiOnRydWV9"
}
You can list all grants for a specific LF-Tag key. The following command returns all permissions granted on the LF-Tag module.

aws lakeformation list-permissions --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
You can also list LF-Tag values granted to a specific principal for a specific LF-Tag. When supplying the --principal argument, you must also supply the --resource argument. Therefore, the command can only effectively request the values granted to a specific principal for a specific LF-Tag key. The following command shows how to do this for the principal datalake_user1 and the LF-Tag key module.

aws lakeformation list-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
The following is sample output.

{
    "PrincipalResourcePermissions": [
        {
            "Principal": {
                "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
            },
            "Resource": {
                "LFTag": {
                    "CatalogId": "111122223333",
                    "TagKey": "module",
                    "TagValues": [
                        "Orders",
                        "Sales"
                    ]
                }
            },
            "Permissions": [
                "ASSOCIATE"
            ],
            "PermissionsWithGrantOption": []
        }
    ]
}
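The listing procedure above, turned into a small review script, as an added example that is not part of the AWS documentation: it follows the NextToken pages the text says external-account grants arrive on, then flags grants that carry the grant option, cover all values (*), or go to a principal outside the catalog account. The sample pages, the fetch_page stand-in for the CLI call, and the account ID 111122223333 are constructed assumptions.

```python
# Added example (not AWS code): page through `aws lakeformation list-permissions --resource-type LF_TAG`
# output and flag LF-Tag grants that widen reach. Pages are constructed in the documented shape.
ACCOUNT_ID = "111122223333"  # assumed: the account that owns the Data Catalog

def lf_tag_grant(principal, key, values, perms, grant_opt):
    """One PrincipalResourcePermissions entry in the documented shape."""
    return {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": {"LFTag": {"CatalogId": ACCOUNT_ID, "TagKey": key, "TagValues": values}},
            "Permissions": perms, "PermissionsWithGrantOption": grant_opt}

# Constructed pages: page one as a data lake admin sees it, page two holding the
# external-account grant that the CLI returns under a separate NextToken.
PAGES = {
    None: {"PrincipalResourcePermissions": [
        lf_tag_grant(f"arn:aws:iam::{ACCOUNT_ID}:user/datalake_admin", "environment", ["*"],
                     ["ASSOCIATE"], ["ASSOCIATE"]),
        lf_tag_grant(f"arn:aws:iam::{ACCOUNT_ID}:user/datalake_user1", "module",
                     ["Orders", "Sales"], ["DESCRIBE"], [])],
           "NextToken": "page-2"},
    "page-2": {"PrincipalResourcePermissions": [
        lf_tag_grant("123456789012", "module", ["sales", "orders"], ["ASSOCIATE"], ["ASSOCIATE"])]},
}

def fetch_page(next_token=None):
    """Hypothetical stand-in for running the CLI with --next-token and json.loads-ing its output."""
    return PAGES[next_token]

def list_all_lf_tag_permissions(fetch):
    """Collect every entry, repeating the call with --next-token until no token is returned."""
    token, entries = None, []
    while True:
        page = fetch(token)
        entries.extend(page.get("PrincipalResourcePermissions", []))
        if not (token := page.get("NextToken")):
            return entries

def principal_account(principal):  # bare account IDs as-is, IAM ARNs by their account field
    return principal.split(":")[4] if principal.startswith("arn:") else principal

def risky_grants(entries, account_id=ACCOUNT_ID):
    """Flag grant option, wildcard (*) value scope, and cross-account principals."""
    findings = []
    for entry in entries:
        principal = entry["Principal"]["DataLakePrincipalIdentifier"]
        tag = entry["Resource"]["LFTag"]
        reasons = [why for hit, why in ((entry.get("PermissionsWithGrantOption"), "grant option"),
                   ("*" in tag["TagValues"], "all values"),
                   (principal_account(principal) != account_id, "external principal")) if hit]
        if reasons:
            findings.append((principal, tag["TagKey"], tuple(reasons)))
    return findings
```

Swap fetch_page for a wrapper around the real CLI call (json.loads of its stdout, passing --next-token) and the same two functions work on live output.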
To grant permissions on LF-Tags (Amazon CLI)
- Enter a command similar to the following. This example grants to user datalake_user1 the Associate permission on the LF-Tag with the key module. It grants permissions to view and assign all values for that key, as indicated by the asterisk (*).

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
Granting the Associate permission implicitly grants the Describe permission. The next example grants Associate to the external Amazon account 1234-5678-9012 on the LF-Tag with the key module, with the grant option. It grants permissions to view and assign only the values sales and orders.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=123456789012 --permissions "ASSOCIATE" --permissions-with-grant-option "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
- Granting the GrantWithLFTagExpression permission implicitly grants the Describe permission. The next example grants GrantWithLFTagExpression to a user on the LF-Tag with the key module, with the grant option. It grants permissions to view and grant permissions on Data Catalog resources using only the values sales and orders.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "GrantWithLFTagExpression" --permissions-with-grant-option "GrantWithLFTagExpression" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
- The next example grants Drop permissions to a user on the LF-Tag with the key module, with the grant option. It grants permissions to delete the LF-Tag. To delete an LF-Tag, you need permissions on all values for that key.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "DROP" --permissions-with-grant-option "DROP" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
- The next example grants Alter permissions to the user on the LF-Tag with the key module, with the grant option. It grants permissions to update the LF-Tag. To update an LF-Tag, you need permissions on all values for that key.

aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
To revoke permissions on LF-Tags (Amazon CLI)
- Enter a command similar to the following. This example revokes the Associate permission on the LF-Tag with the key module from user datalake_user1.

aws lakeformation revoke-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'