Reputation: 7217
I am working on defining a reader role in a data lake that uses Lake Formation for access control. I would like to grant this role `Select` permission to all the tables in relevant databases, so that it automatically picks up new tables that are created. In the documentation of CloudFormation I can see that this is currently marked as not supported; `TableWildcard` looks like a solution that I would like to use.
I am currently looking at either hardcoding the table names that this role should have access to or writing a boto3 script that would pick up all the tables in the database and add the permissions to them through Lake Formation. This could run with Lambda on a regular schedule, which would automate this process, but of course it will not be the prettiest approach.
Upvotes: 2
Views: 6842
Reputation: 172
An easier way is to use lf-tags.
Assign all databases the same lf-tag (tables in the database will inherit the lf-tags). Grant permissions to the users for the lf-tag.
Upvotes: 0
Reputation: 7217
Contrary to the current documentation, it is possible to use the `"TableWildcard": {}` construct as shown in the example below to grant permissions to the role on all the tables in a given database.

```json
"ExamplePermission": {
    "Type": "AWS::LakeFormation::Permissions",
    "Properties": {
        "DataLakePrincipal": {
            "DataLakePrincipalIdentifier": {
                "Fn::GetAtt": [
                    "ExampleRole",
                    "Arn"
                ]
            }
        },
        "Resource": {
            "TableResource": {
                "DatabaseName": "example_database",
                "TableWildcard": {}
            }
        },
        "Permissions": [
            "SELECT"
        ],
        "PermissionsWithGrantOption": []
    }
}
```

For anyone using CDK, here is a Python flavour of the table resource property:

```python
import aws_cdk.aws_lakeformation as lakeformation

table_property = lakeformation.CfnPermissions.TableResourceProperty(
    database_name="example_database",
    table_wildcard={}
)
```
Upvotes: 3
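The same wildcard grant done from the boto3 script the question mentions, as an added example rather than code from the answer above: it grants SELECT (with no grant option) on all current and future tables in each database, then lists the role's table-level grants to flag anything beyond read access. The role ARN, database names and the injected Lake Formation client are assumptions.

```python
# Added example (not from the post): grant a reader role SELECT on all current
# and future tables in each database with a boto3 TableWildcard grant, then audit
# the role for anything beyond read access. Client is injected to allow offline use.
READER_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleRole"  # assumed value
DATABASES = ["example_database", "another_database"]             # assumed names

def wildcard_table_resource(database_name):
    """Same shape as the CloudFormation TableResource with TableWildcard."""
    return {"Table": {"DatabaseName": database_name, "TableWildcard": {}}}

def grant_reader_wildcard(client, role_arn, databases, permissions=("SELECT",)):
    """Grant `permissions` on every table in each database; the grant option
    list stays empty so the reader cannot re-share the data."""
    granted = []
    for db in databases:
        client.grant_permissions(
            Principal={"DataLakePrincipalIdentifier": role_arn},
            Resource=wildcard_table_resource(db),
            Permissions=list(permissions),
            PermissionsWithGrantOption=[],
        )
        granted.append(db)
    return granted

def audit_reader_grants(client, role_arn, allowed=("SELECT",)):
    """Return the role's table-level grants that exceed `allowed` or carry a
    grant option, following NextToken so large catalogs are fully covered."""
    findings = []
    kwargs = {"Principal": {"DataLakePrincipalIdentifier": role_arn},
              "ResourceType": "TABLE"}
    while True:
        page = client.list_permissions(**kwargs)
        for entry in page.get("PrincipalResourcePermissions", []):
            extra = set(entry.get("Permissions", [])) - set(allowed)
            grant_opt = entry.get("PermissionsWithGrantOption", [])
            if extra or grant_opt:
                findings.append({"resource": entry.get("Resource"),
                                 "extra": sorted(extra), "grant_option": grant_opt})
        if not page.get("NextToken"):
            return findings
        kwargs["NextToken"] = page["NextToken"]

if __name__ == "__main__":
    import boto3  # only required when run against a real account
    lf = boto3.client("lakeformation")
    grant_reader_wildcard(lf, READER_ROLE_ARN, DATABASES)
    print(audit_reader_grants(lf, READER_ROLE_ARN))
```

Run on a schedule (for example from Lambda) the audit function gives a cheap check that the reader role has not accumulated write or grant permissions since the wildcard grant was made.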
Reputation: 6998
If you want to have all the tables in your relevant databases, why don't you use the `DatabaseResource`? This is what I am using and it works like a charm.
Upvotes: 0