Data
Manages Lake Formation principals designated as data lake administrators and lists of principal permission entries for default create database and default create table permissions.
NOTE: Lake Formation introduces fine-grained access control for data in your data lake. Part of the changes include the
IAMAllowedPrincipalsprincipal in order to make Lake Formation backwards compatible with existing IAM and Glue permissions. For more information, see Changing the Default Security Settings for Your Data Lake and Upgrading AWS Glue Data Permissions to the AWS Lake Formation Model.
Example Usage
Data Lake Admins
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.DataLakeSettings("example", {admins: [
test.arn,
testAwsIamRole.arn,
]});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.DataLakeSettings("example", admins=[
test["arn"],
test_aws_iam_role["arn"],
])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.DataLakeSettings("example", new()
{
Admins = new[]
{
test.Arn,
testAwsIamRole.Arn,
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewDataLakeSettings(ctx, "example", &lakeformation.DataLakeSettingsArgs{
Admins: pulumi.StringArray{
test.Arn,
testAwsIamRole.Arn,
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataLakeSettings("example", DataLakeSettingsArgs.builder()
.admins(
test.arn(),
testAwsIamRole.arn())
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:lakeformation:DataLakeSettings
properties:
admins:
- ${test.arn}
- ${testAwsIamRole.arn}Content copied to clipboard
Create Default Permissions
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.DataLakeSettings("example", {
admins: [
test.arn,
testAwsIamRole.arn,
],
createDatabaseDefaultPermissions: [{
permissions: [
"SELECT",
"ALTER",
"DROP",
],
principal: test.arn,
}],
createTableDefaultPermissions: [{
permissions: ["ALL"],
principal: testAwsIamRole.arn,
}],
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.DataLakeSettings("example",
admins=[
test["arn"],
test_aws_iam_role["arn"],
],
create_database_default_permissions=[{
"permissions": [
"SELECT",
"ALTER",
"DROP",
],
"principal": test["arn"],
}],
create_table_default_permissions=[{
"permissions": ["ALL"],
"principal": test_aws_iam_role["arn"],
}])Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.DataLakeSettings("example", new()
{
Admins = new[]
{
test.Arn,
testAwsIamRole.Arn,
},
CreateDatabaseDefaultPermissions = new[]
{
new Aws.LakeFormation.Inputs.DataLakeSettingsCreateDatabaseDefaultPermissionArgs
{
Permissions = new[]
{
"SELECT",
"ALTER",
"DROP",
},
Principal = test.Arn,
},
},
CreateTableDefaultPermissions = new[]
{
new Aws.LakeFormation.Inputs.DataLakeSettingsCreateTableDefaultPermissionArgs
{
Permissions = new[]
{
"ALL",
},
Principal = testAwsIamRole.Arn,
},
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewDataLakeSettings(ctx, "example", &lakeformation.DataLakeSettingsArgs{
Admins: pulumi.StringArray{
test.Arn,
testAwsIamRole.Arn,
},
CreateDatabaseDefaultPermissions: lakeformation.DataLakeSettingsCreateDatabaseDefaultPermissionArray{
&lakeformation.DataLakeSettingsCreateDatabaseDefaultPermissionArgs{
Permissions: pulumi.StringArray{
pulumi.String("SELECT"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
Principal: pulumi.Any(test.Arn),
},
},
CreateTableDefaultPermissions: lakeformation.DataLakeSettingsCreateTableDefaultPermissionArray{
&lakeformation.DataLakeSettingsCreateTableDefaultPermissionArgs{
Permissions: pulumi.StringArray{
pulumi.String("ALL"),
},
Principal: pulumi.Any(testAwsIamRole.Arn),
},
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import com.pulumi.aws.lakeformation.inputs.DataLakeSettingsCreateDatabaseDefaultPermissionArgs;
import com.pulumi.aws.lakeformation.inputs.DataLakeSettingsCreateTableDefaultPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataLakeSettings("example", DataLakeSettingsArgs.builder()
.admins(
test.arn(),
testAwsIamRole.arn())
.createDatabaseDefaultPermissions(DataLakeSettingsCreateDatabaseDefaultPermissionArgs.builder()
.permissions(
"SELECT",
"ALTER",
"DROP")
.principal(test.arn())
.build())
.createTableDefaultPermissions(DataLakeSettingsCreateTableDefaultPermissionArgs.builder()
.permissions("ALL")
.principal(testAwsIamRole.arn())
.build())
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:lakeformation:DataLakeSettings
properties:
admins:
- ${test.arn}
- ${testAwsIamRole.arn}
createDatabaseDefaultPermissions:
- permissions:
- SELECT
- ALTER
- DROP
principal: ${test.arn}
createTableDefaultPermissions:
- permissions:
- ALL
principal: ${testAwsIamRole.arn}Content copied to clipboard
Enable EMR access to LakeFormation resources
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.DataLakeSettings("example", {
admins: [
test.arn,
testAwsIamRole.arn,
],
createDatabaseDefaultPermissions: [{
permissions: [
"SELECT",
"ALTER",
"DROP",
],
principal: test.arn,
}],
createTableDefaultPermissions: [{
permissions: ["ALL"],
principal: testAwsIamRole.arn,
}],
allowExternalDataFiltering: true,
externalDataFilteringAllowLists: [
current.accountId,
thirdParty.accountId,
],
authorizedSessionTagValueLists: ["Amazon EMR"],
allowFullTableExternalDataAccess: true,
});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.DataLakeSettings("example",
admins=[
test["arn"],
test_aws_iam_role["arn"],
],
create_database_default_permissions=[{
"permissions": [
"SELECT",
"ALTER",
"DROP",
],
"principal": test["arn"],
}],
create_table_default_permissions=[{
"permissions": ["ALL"],
"principal": test_aws_iam_role["arn"],
}],
allow_external_data_filtering=True,
external_data_filtering_allow_lists=[
current["accountId"],
third_party["accountId"],
],
authorized_session_tag_value_lists=["Amazon EMR"],
allow_full_table_external_data_access=True)Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.DataLakeSettings("example", new()
{
Admins = new[]
{
test.Arn,
testAwsIamRole.Arn,
},
CreateDatabaseDefaultPermissions = new[]
{
new Aws.LakeFormation.Inputs.DataLakeSettingsCreateDatabaseDefaultPermissionArgs
{
Permissions = new[]
{
"SELECT",
"ALTER",
"DROP",
},
Principal = test.Arn,
},
},
CreateTableDefaultPermissions = new[]
{
new Aws.LakeFormation.Inputs.DataLakeSettingsCreateTableDefaultPermissionArgs
{
Permissions = new[]
{
"ALL",
},
Principal = testAwsIamRole.Arn,
},
},
AllowExternalDataFiltering = true,
ExternalDataFilteringAllowLists = new[]
{
current.AccountId,
thirdParty.AccountId,
},
AuthorizedSessionTagValueLists = new[]
{
"Amazon EMR",
},
AllowFullTableExternalDataAccess = true,
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewDataLakeSettings(ctx, "example", &lakeformation.DataLakeSettingsArgs{
Admins: pulumi.StringArray{
test.Arn,
testAwsIamRole.Arn,
},
CreateDatabaseDefaultPermissions: lakeformation.DataLakeSettingsCreateDatabaseDefaultPermissionArray{
&lakeformation.DataLakeSettingsCreateDatabaseDefaultPermissionArgs{
Permissions: pulumi.StringArray{
pulumi.String("SELECT"),
pulumi.String("ALTER"),
pulumi.String("DROP"),
},
Principal: pulumi.Any(test.Arn),
},
},
CreateTableDefaultPermissions: lakeformation.DataLakeSettingsCreateTableDefaultPermissionArray{
&lakeformation.DataLakeSettingsCreateTableDefaultPermissionArgs{
Permissions: pulumi.StringArray{
pulumi.String("ALL"),
},
Principal: pulumi.Any(testAwsIamRole.Arn),
},
},
AllowExternalDataFiltering: pulumi.Bool(true),
ExternalDataFilteringAllowLists: pulumi.StringArray{
current.AccountId,
thirdParty.AccountId,
},
AuthorizedSessionTagValueLists: pulumi.StringArray{
pulumi.String("Amazon EMR"),
},
AllowFullTableExternalDataAccess: pulumi.Bool(true),
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import com.pulumi.aws.lakeformation.inputs.DataLakeSettingsCreateDatabaseDefaultPermissionArgs;
import com.pulumi.aws.lakeformation.inputs.DataLakeSettingsCreateTableDefaultPermissionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataLakeSettings("example", DataLakeSettingsArgs.builder()
.admins(
test.arn(),
testAwsIamRole.arn())
.createDatabaseDefaultPermissions(DataLakeSettingsCreateDatabaseDefaultPermissionArgs.builder()
.permissions(
"SELECT",
"ALTER",
"DROP")
.principal(test.arn())
.build())
.createTableDefaultPermissions(DataLakeSettingsCreateTableDefaultPermissionArgs.builder()
.permissions("ALL")
.principal(testAwsIamRole.arn())
.build())
.allowExternalDataFiltering(true)
.externalDataFilteringAllowLists(
current.accountId(),
thirdParty.accountId())
.authorizedSessionTagValueLists("Amazon EMR")
.allowFullTableExternalDataAccess(true)
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:lakeformation:DataLakeSettings
properties:
admins:
- ${test.arn}
- ${testAwsIamRole.arn}
createDatabaseDefaultPermissions:
- permissions:
- SELECT
- ALTER
- DROP
principal: ${test.arn}
createTableDefaultPermissions:
- permissions:
- ALL
principal: ${testAwsIamRole.arn}
allowExternalDataFiltering: true
externalDataFilteringAllowLists:
- ${current.accountId}
- ${thirdParty.accountId}
authorizedSessionTagValueLists:
- Amazon EMR
allowFullTableExternalDataAccess: trueContent copied to clipboard
Change Cross Account Version
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.lakeformation.DataLakeSettings("example", {parameters: {
CROSS_ACCOUNT_VERSION: "3",
}});Content copied to clipboard
import pulumi
import pulumi_aws as aws
example = aws.lakeformation.DataLakeSettings("example", parameters={
"CROSS_ACCOUNT_VERSION": "3",
})Content copied to clipboard
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.LakeFormation.DataLakeSettings("example", new()
{
Parameters =
{
{ "CROSS_ACCOUNT_VERSION", "3" },
},
});
});Content copied to clipboard
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/lakeformation"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := lakeformation.NewDataLakeSettings(ctx, "example", &lakeformation.DataLakeSettingsArgs{
Parameters: pulumi.StringMap{
"CROSS_ACCOUNT_VERSION": pulumi.String("3"),
},
})
if err != nil {
return err
}
return nil
})
}Content copied to clipboard
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.lakeformation.DataLakeSettings;
import com.pulumi.aws.lakeformation.DataLakeSettingsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new DataLakeSettings("example", DataLakeSettingsArgs.builder()
.parameters(Map.of("CROSS_ACCOUNT_VERSION", "3"))
.build());
}
}Content copied to clipboard
resources:
example:
type: aws:lakeformation:DataLakeSettings
properties:
parameters:
CROSS_ACCOUNT_VERSION: '3'Content copied to clipboard
Properties
Link copied to clipboard
Whether to allow Amazon EMR clusters to access data managed by Lake Formation.
Link copied to clipboard
Whether to allow a third-party query engine to get data access credentials without session tags when a caller has full data access permissions.
Link copied to clipboard
Lake Formation relies on a privileged process secured by Amazon EMR or the third party integrator to tag the user's role while assuming it.
Link copied to clipboard
Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
Link copied to clipboard
Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.
Link copied to clipboard
A list of the account IDs of Amazon Web Services accounts with Amazon EMR clusters that are to perform data filtering.
Link copied to clipboard
Key-value map of additional configuration. Valid values for the CROSS_ACCOUNT_VERSION key are "1", "2", "3", or "4". SET_CONTEXT is also returned with a value of TRUE. In a fresh account, prior to configuring, CROSS_ACCOUNT_VERSION is "1". Destroying this resource sets the CROSS_ACCOUNT_VERSION to "1".
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
Set of ARNs of AWS Lake Formation principals (IAM users or roles) with only view access to the resources.
Link copied to clipboard
List of the resource-owning account IDs that the caller's account can use to share their user access details (user ARNs).