Managing LF-Tag expressions for metadata access control
LF-Tag expressions are logical expressions composed of one or more LF-Tags (key-value pairs) used to grant permissions on Amazon Glue Data Catalog resources. LF-Tag expressions allow you to define rules that govern access to your data resources based on their metadata tags. You can save these expressions and reuse them across multiple permission grants, ensuring consistency and making it straightforward to manage changes to the tag ontology over time.
Within a given LF-Tag expression, the tag keys are combined using the AND operation, while the values are combined using the OR operation. For example, the tag expression `content_type:Sales AND location:US` represents resources related to sales data in the US.
You can create up to 1000 LF-Tag expressions in an Amazon Web Services account. These expressions provide a flexible and scalable way to manage permissions based on metadata tags, ensuring that only authorized users or applications can access specific data resources based on the defined tag rules.
LF-Tag expressions offer the following benefits:
- Reusability – By defining and saving LF-Tag expressions, you no longer need to manually replicate the same expressions when assigning permissions to other resources or principals.
- Consistency – Reusing LF-Tag expressions across multiple permission grants ensures consistency in how permissions are granted and managed.
- Tag ontology management – LF-Tag expressions help manage changes to the tag ontology over time, as you can update the saved expressions instead of modifying individual permission grants.
For more information about tag-based access control, see Lake Formation tag-based access control.
LF-Tag expression creators
An LF-Tag expression creator is a principal who has permissions to create and manage LF-Tag expressions. Data lake administrators can add LF-Tag expression creators using the Lake Formation console, CLI, API, or SDK. LF-Tag expression creators have implicit Lake Formation permissions to create, update, and delete LF-Tag expressions, and to grant LF-Tag expression permissions to other principals.
LF-Tag expression creators that are not data lake administrators receive implicit Alter, Drop, Describe, and Grant with LF-Tag expression permissions only for expressions they created.
Data lake administrators can also grant LF-Tag expression creators grantable Create LF-Tag expression permissions. Then, the LF-Tag expression creator can grant the permission to create LF-Tag expressions to other principals.
IAM permissions required to create LF-Tag expressions
You must configure permissions to allow a Lake Formation principal to create LF-Tag expressions. Add the following statement to the permissions policy for the principal that needs to be an LF-Tag expression creator.
Note: Although data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags and LF-Tag expressions, to assign LF-Tags to resources, and to grant LF-Tag and LF-Tag expression permissions to principals, data lake administrators also need the following IAM permissions.
For more information, see Lake Formation personas and IAM permissions reference.
```json
{
    "Sid": "Transformational",
    "Effect": "Allow",
    "Action": [
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:CreateLFTag",
        "lakeformation:GetLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags",
        "lakeformation:CreateLFTagExpression",
        "lakeformation:DeleteLFTagExpression",
        "lakeformation:UpdateLFTagExpression",
        "lakeformation:GetLFTagExpression",
        "lakeformation:ListLFTagExpressions",
        "lakeformation:GrantPermissions",
        "lakeformation:RevokePermissions",
        "lakeformation:BatchGrantPermissions",
        "lakeformation:BatchRevokePermissions"
    ],
    "Resource": "*"
}
```
Add LF-Tag expression creators
LF-Tag expression creators can create and save reusable LF-Tag expressions, update tag keys and values, delete expressions, and grant permissions on Data Catalog resources to principals using the LF-TBAC method. The LF-Tag expression creator can also grant these permissions to principals.
You can create LF-Tag expression creator roles by using the Amazon Lake Formation console, the API, or the Amazon Command Line Interface (Amazon CLI).
The LF-Tag expression creator role gets the ability to create, update, or delete LF-Tag expressions.
| Permission | Description |
|---|---|
| Create | A principal with this permission can add LF-Tag expressions in the data lake. |
| Drop | A principal with this permission on an LF-Tag expression can delete that LF-Tag expression from the data lake. |
| Alter | A principal with this permission on an LF-Tag expression can update the expression body of that LF-Tag expression. |
| Describe | A principal with this permission on an LF-Tag expression can view the contents of that LF-Tag expression. |
| Grant with LF-Tag expression | This permission allows the recipient to use the tag expression as the resource when granting data or metadata access permissions. Granting Grant with LF-Tag expression implicitly grants Describe. |
| Super | For LF-Tag expressions, the Super permission grants the ability to Describe, Alter, Drop, and grant permissions on the tag expression to other principals. |
These permissions are grantable. A principal who has been granted these permissions with the grant option can grant them to other principals.
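The following is an added example, not code from the Lake Formation documentation or service: a small Python model of the two rules described on this page, namely how an LF-Tag expression is evaluated against a resource's LF-Tags (keys ANDed, values within a key ORed) and which permissions a creator or grantee effectively holds on an expression (implicit creator permissions on their own expressions, Super implying Describe/Alter/Drop, Grant with LF-Tag expression implying Describe). The expression, principals, tag values and the `grants` map are all constructed for illustration; the real authorization decision is made by Lake Formation, not by this code.

```python
# Added example (not from the Lake Formation documentation): a toy model of
# LF-Tag expression matching and of the permissions principals hold on an
# LF-Tag expression. All names, principals and tag values are constructed.
from dataclasses import dataclass
from typing import Dict, Mapping, Sequence, Set, Tuple


@dataclass(frozen=True)
class LFTagExpression:
    name: str
    created_by: str                      # principal that created the expression
    terms: Mapping[str, Sequence[str]]   # tag key -> permitted values


def matches(expression: LFTagExpression, resource_tags: Mapping[str, str]) -> bool:
    """True when a resource's LF-Tags satisfy the expression.

    Keys are combined with AND (every key must be present and satisfied);
    values within a key are combined with OR (any listed value satisfies it).
    Tags on the resource that the expression does not mention are ignored.
    """
    for key, permitted in expression.terms.items():
        if resource_tags.get(key) not in permitted:
            return False
    return True


# Permissions a non-administrator creator implicitly holds on their own expressions.
IMPLICIT_CREATOR_PERMISSIONS: Set[str] = {
    "Alter", "Drop", "Describe", "Grant with LF-Tag expression",
}


def effective_permissions(granted: Set[str]) -> Set[str]:
    """Expand explicitly granted expression permissions into what they imply.

    Super implies Describe, Alter and Drop (its grant-to-others aspect is the
    grant option, which this toy does not model), and Grant with LF-Tag
    expression implies Describe.
    """
    perms = set(granted)
    if "Super" in perms:
        perms |= {"Describe", "Alter", "Drop"}
    if "Grant with LF-Tag expression" in perms:
        perms.add("Describe")
    return perms


def is_allowed(
    principal: str,
    action: str,
    expression: LFTagExpression,
    data_lake_admins: Set[str],
    grants: Dict[Tuple[str, str], Set[str]],
) -> bool:
    """Decide whether principal may perform action on expression.

    grants maps (principal, expression name) -> explicitly granted permissions.
    """
    if principal in data_lake_admins:
        return True   # administrators hold implicit permissions on all expressions
    if expression.created_by == principal and action in IMPLICIT_CREATOR_PERMISSIONS:
        return True   # creators manage only the expressions they created
    explicit = grants.get((principal, expression.name), set())
    return action in effective_permissions(explicit)


# Constructed sample: the page's "content_type:Sales AND location:US", widened
# so that either US or CA satisfies the location key.
SALES_NA = LFTagExpression(
    name="sales_north_america",
    created_by="analyst-creator",
    terms={"content_type": ("Sales",), "location": ("US", "CA")},
)

if __name__ == "__main__":
    print(matches(SALES_NA, {"content_type": "Sales", "location": "US"}))   # True
    print(matches(SALES_NA, {"content_type": "Sales", "location": "EU"}))   # False
    print(is_allowed("analyst-creator", "Alter", SALES_NA, {"admin"}, {}))  # True
    print(is_allowed("bob", "Alter", SALES_NA, {"admin"}, {}))              # False
```

Note that `is_allowed` returns False for a creator asking for Create on an existing expression: Create applies to the data lake, not to an individual expression, which is why the table lists it without the "on an LF-Tag expression" qualifier.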