Granting, revoking, and listing LF-Tag value permissions - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Granting, revoking, and listing LF-Tag value permissions

You can grant the Drop and Alter permissions on LF-Tags to principals so that they can manage the tag and its values (Alter to change the tag's values, Drop to delete the tag). You can also grant the Describe, Associate, and Grant with LF-Tag expressions permissions on LF-Tags to principals so that they can view the LF-Tags and assign them to Data Catalog resources (databases, tables, and columns). When LF-Tags are assigned to Data Catalog resources, you can use the Lake Formation tag-based access control (LF-TBAC) method to secure those resources. For more information, see Lake Formation tag-based access control.

You can grant these permissions with the grant option so that the receiving principals can in turn grant them to other principals. The Grant with LF-Tag expressions, Describe, and Associate permissions are explained in Add LF-Tag creators.

You can grant the Describe and Associate permissions on an LF-Tag to an external Amazon account. A data lake administrator in that account can then grant those permissions to other principals in the account. Principals to whom the data lake administrator in the external account grants the Associate permission can then assign LF-Tags to the Data Catalog resources that you shared with their account.

When granting to an external account, you must include the grant option.

You can grant permissions on LF-Tags by using the Lake Formation console, the API, or the Amazon Command Line Interface (Amazon CLI).
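The following shell helpers are an added example of the CLI path, not part of this page or of the Amazon CLI itself. They wrap `aws lakeformation grant-permissions`, `revoke-permissions`, and `list-permissions` for the `LFTag` resource type and enforce the rule stated above: a grant to an external account must carry the grant option. The catalog ID 123456789012, the external account 111122223333, the IAM role `Analyst`, and the LF-Tag `module` with values `Customers` and `Orders` are assumed placeholders. By default the helpers print the commands they would run; set `LF_DRY_RUN=0` to execute them against a configured `aws` CLI.

```shell
#!/bin/sh
# Added example (not from the page): helpers around the Lake Formation CLI for
# LF-Tag value permissions. Account IDs, role name and tag values are assumed.
# LF_DRY_RUN=1 (default) prints the aws command instead of running it.

# Build the LFTag resource JSON. Args: catalog-id tag-key value1 [value2 ...]
lf_tag_resource() {
    catalog="$1"; key="$2"; shift 2
    values=""
    for v in "$@"; do
        values="${values:+$values,}\"$v\""
    done
    printf '{"LFTag":{"CatalogId":"%s","TagKey":"%s","TagValues":[%s]}}' \
        "$catalog" "$key" "$values"
}

# Return 0 when the principal is a bare 12-digit account ID, i.e. a
# cross-account grant. (Organization or OU ARNs are not handled here.)
is_external_account() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Run or, in dry-run mode, print an "aws lakeformation ..." command.
lf_run() {
    if [ "${LF_DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "aws lakeformation $*"
    else
        aws lakeformation "$@"
    fi
}

# Grant permissions on an LF-Tag.
# Args: principal resource-json "PERMS" ["GRANT_OPTION_PERMS"] (space-separated)
# Refuses a cross-account grant that does not include the grant option.
lf_tag_grant() {
    principal="$1"; resource="$2"; perms="$3"; grant_perms="${4:-}"
    if is_external_account "$principal" && [ -z "$grant_perms" ]; then
        echo "refusing: grants to an external account must include the grant option" >&2
        return 1
    fi
    if [ -n "$grant_perms" ]; then
        lf_run grant-permissions --principal "DataLakePrincipalIdentifier=$principal" \
            --resource "$resource" --permissions $perms \
            --permissions-with-grant-option $grant_perms
    else
        lf_run grant-permissions --principal "DataLakePrincipalIdentifier=$principal" \
            --resource "$resource" --permissions $perms
    fi
}

# Revoke permissions on an LF-Tag. Same arguments as lf_tag_grant.
lf_tag_revoke() {
    principal="$1"; resource="$2"; perms="$3"; grant_perms="${4:-}"
    if [ -n "$grant_perms" ]; then
        lf_run revoke-permissions --principal "DataLakePrincipalIdentifier=$principal" \
            --resource "$resource" --permissions $perms \
            --permissions-with-grant-option $grant_perms
    else
        lf_run revoke-permissions --principal "DataLakePrincipalIdentifier=$principal" \
            --resource "$resource" --permissions $perms
    fi
}

# List LF-Tag permissions, optionally filtered to one principal.
lf_tag_list() {
    if [ -n "${1:-}" ]; then
        lf_run list-permissions --resource-type LF_TAG \
            --principal "DataLakePrincipalIdentifier=$1"
    else
        lf_run list-permissions --resource-type LF_TAG
    fi
}

# Demo (assumed IDs; dry run unless LF_DRY_RUN=0 is exported).
LF_DRY_RUN="${LF_DRY_RUN:-1}"
RESOURCE=$(lf_tag_resource 123456789012 module Customers Orders)
# Same-account role: may view and assign the tag values, cannot re-grant them.
lf_tag_grant "arn:aws-cn:iam::123456789012:role/Analyst" "$RESOURCE" "DESCRIBE ASSOCIATE"
# External account: grant option is mandatory, so it is passed explicitly.
lf_tag_grant 111122223333 "$RESOURCE" "DESCRIBE ASSOCIATE" "DESCRIBE ASSOCIATE"
lf_tag_list 111122223333
lf_tag_revoke 111122223333 "$RESOURCE" "DESCRIBE ASSOCIATE" "DESCRIBE ASSOCIATE"
```

The permission names (`DESCRIBE`, `ASSOCIATE`, `ALTER`, `DROP`, `GRANT_WITH_LF_TAG_EXPRESSION`) are the API spellings of the permissions named on this page; `--permissions-with-grant-option` must be a subset of `--permissions`, and the CLI rejects the call otherwise.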

For more information, see Managing LF-Tags for metadata access control and Lake Formation tag-based access control.