Supported Actions in ABAC
IAM provides system-defined policies to define common actions supported by cloud services. You can also create custom policies using the actions supported by cloud services for more refined access control.
In addition to IAM, Organizations provides Service Control Policies (SCPs) to set access control policies.
SCPs do not grant any permissions to an entity. They only set the permissions boundary for it: when an SCP is attached to an organizational unit (OU) or a member account, it does not directly grant permissions to that OU or account. Instead, it determines the maximum permissions available to that member account, or to all member accounts under that OU. A permission granted by an IAM policy takes effect only if the SCPs also allow it.
This section describes the elements used by IAM custom policies in ABAC and Organizations SCPs. The elements include actions, resources, and conditions.
Actions
Actions are specific operations that are allowed or denied in a policy.
- The Access Level column describes how the action is classified: list, read, write, tagging, or permission_management. This classification helps you understand the level of access that an action grants when you use it in a policy. Actions classified as permission_management (for example, lakeformation:accessTenant:grant) let the grantee extend access to other principals, so review them most carefully.
- The Resource Type column indicates whether the action supports resource-level permissions.
  - You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in the Resource element of your policy statements.
  - If this column includes a resource type, you must specify a URN of that type in the Resource element of your policy statements.
  - Required resource types are marked with an asterisk (*) in the table. If you specify a resource in a statement that uses this action, it must be of that type.
  For details about the resource types defined by LakeFormation, see Resources.
- The Condition Key column lists the keys that you can specify in the Condition element of a policy statement.
  - If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
  - If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that the action supports.
  - If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
  For details about the condition keys defined by LakeFormation, see Conditions.
- For details about the actions supported by LakeFormation and the relationships between APIs and actions, see the tables that follow.
- LakeFormation APIs that support enterprise project authorization:
  - GET /v1/{project_id}/instances
  - APIs whose request path contains instance_id, for example GET /v1/{project_id}/instances/{instance_id}.
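As an added example (not code from the LakeFormation documentation or from the service itself), the following Python script applies the column rules above to a candidate custom policy: an action whose Resource Type column is "-" must be granted on "*", an action with a required resource type must be granted on a URN of that type, and a service-specific condition key may only be used with an action whose Condition Key column lists it. It also flags Allow statements that contain permission_management actions. The ACTIONS table is a hand-transcribed subset of Table 1 and Table 3; the policy envelope (Version, Effect, Action, Resource, Condition, StringEquals) and every identifier in the sample policies (region, account ID, instance ID, VPC ID) are assumptions constructed for the demonstration.

```python
import re

# Condensed from Table 1 and Table 3 on this page (a subset, transcribed by hand).
# Each entry is (access level, required resource URN templates or None, supported
# condition keys). None means the Resource Type column is "-": the action takes no
# resource-level permission and the statement must use "*".
INSTANCE = "lakeformation:<region>:<account-id>:instance:<instance-id>"
CATALOG = "lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name>"
DATABASE = "lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name>"
TABLE = ("lakeformation:<region>:<account-id>:table:"
         "<instance-id>/<catalog-name>/<database-name>/<table-name>")

ACTIONS = {
    "lakeformation:job:create": ("write", None, ()),
    "lakeformation:instance:show": ("read", [INSTANCE], ()),
    "lakeformation:instance:drop": ("write", [INSTANCE], ()),
    "lakeformation:instance:createAccess": ("write", [INSTANCE], ("lakeformation:vpcepIds",)),
    "lakeformation:instance:createAccessClient": ("write", [INSTANCE], ("lakeformation:vpcId",)),
    "lakeformation:accessTenant:grant": ("permission_management", None, ()),
    "lakeformation:table:show": ("read", [INSTANCE, CATALOG, DATABASE, TABLE], ()),
}


def urn_regex(template):
    """Compile a URN template into a regex. Each <placeholder> accepts one literal
    segment or a '*' wildcard, but never ':' or '/', the URN separators."""
    literals = re.split(r"<[^>]+>", template)
    return re.compile("^" + r"[^:/]+".join(re.escape(p) for p in literals) + "$")


def lint_statement(stmt):
    """Return a list of findings for one policy statement (empty if clean)."""
    findings = []
    for action in stmt.get("Action", []):
        if action not in ACTIONS:
            findings.append(f"{action}: not in the supported-actions table")
            continue
        level, templates, cond_keys = ACTIONS[action]
        # permission_management actions can hand access to other principals, so an
        # Allow on them is a privilege-escalation path that deserves explicit review.
        if stmt.get("Effect") == "Allow" and level == "permission_management":
            findings.append(f"{action}: permission_management action is allowed")
        for res in stmt.get("Resource", ["*"]):
            if res == "*":
                continue  # the all-resources wildcard is valid for every action
            if templates is None:
                findings.append(f'{action}: takes no resource-level permission, Resource must be "*" (got {res})')
            elif not any(urn_regex(t).match(res) for t in templates):
                findings.append(f"{action}: {res} is not one of the action's required resource types")
        for _operator, pairs in stmt.get("Condition", {}).items():
            for key in pairs:
                # only service-specific keys are checked; global keys are out of scope here
                if key.startswith("lakeformation:") and key not in cond_keys:
                    findings.append(f"{action}: condition key {key} is not supported by this action")
    return findings


def lint_policy(policy):
    """Lint every statement; prefix each finding with its statement index."""
    return [f"Statement[{i}] {f}" for i, stmt in enumerate(policy.get("Statement", []))
            for f in lint_statement(stmt)]


# Constructed sample policies. The envelope keys and the StringEquals operator are
# assumptions for the demo, not taken from this page; so are all IDs below.
CLEAN_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["lakeformation:instance:show"],
         "Resource": ["lakeformation:cn-north-4:0123456789abcdef:instance:lf-demo"]},
        {"Effect": "Allow", "Action": ["lakeformation:table:show"],
         "Resource": ["lakeformation:cn-north-4:0123456789abcdef:instance:lf-demo",
                      "lakeformation:cn-north-4:0123456789abcdef:table:lf-demo/hive/sales/orders"]},
        {"Effect": "Allow", "Action": ["lakeformation:instance:createAccessClient"],
         "Resource": ["lakeformation:cn-north-4:0123456789abcdef:instance:lf-demo"],
         "Condition": {"StringEquals": {"lakeformation:vpcId": "vpc-0a1b2c3d"}}},
    ],
}

BROKEN_POLICY = {
    "Version": "5.0",
    "Statement": [
        # job:create has no resource type, so a URN here is meaningless
        {"Effect": "Allow", "Action": ["lakeformation:job:create"],
         "Resource": ["lakeformation:cn-north-4:0123456789abcdef:instance:lf-demo"]},
        # instance:drop accepts instance URNs only, not a catalog URN
        {"Effect": "Allow", "Action": ["lakeformation:instance:drop"],
         "Resource": ["lakeformation:cn-north-4:0123456789abcdef:catalog:lf-demo/hive"]},
        # instance:show supports no condition keys
        {"Effect": "Allow", "Action": ["lakeformation:instance:show"], "Resource": ["*"],
         "Condition": {"StringEquals": {"lakeformation:vpcId": "vpc-0a1b2c3d"}}},
        # tenant grant is permission_management; the second action is not in the table
        {"Effect": "Allow", "Action": ["lakeformation:accessTenant:grant", "lakeformation:instance:nuke"],
         "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    print("clean policy findings:", lint_policy(CLEAN_POLICY))
    print("\n".join(lint_policy(BROKEN_POLICY)))
```

Run the script directly to print the findings for the two constructed policies; to use it on a real policy, extend ACTIONS from the tables below and pass the parsed JSON to lint_policy(). The linter accepts "*" for every action, as the Resource Type column rules allow; whether a wildcard is acceptable in a given statement is a least-privilege question the tables do not answer.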
LakeFormation Console API
Table 1 lists the actions that you can define in custom policies for LakeFormation Console APIs.
| Action | Description | Access Level | Resource Type (*: required) | Condition Key |
|---|---|---|---|---|
| lakeformation:job:create | Create a LakeFormation task. | write | - | - |
| lakeformation:job:describe | Obtain a LakeFormation task. | read | - | - |
| lakeformation:job:drop | Delete a LakeFormation task. | write | - | - |
| lakeformation:job:alter | Modify a LakeFormation task. | write | - | - |
| lakeformation:job:exec | Execute a LakeFormation task. | write | - | - |
| lakeformation:instanceJob:create | Create a LakeFormation task. | write | - | - |
| lakeformation:instanceJob:describe | Obtain a LakeFormation task. | read | - | - |
| lakeformation:instanceJob:drop | Delete a LakeFormation task. | write | - | - |
| lakeformation:instanceJob:alter | Modify a LakeFormation task. | write | - | - |
| lakeformation:instanceJob:exec | Execute a LakeFormation task. | write | - | - |
| lakeformation:instance:create | Grants permission to create an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:describe | Obtain a LakeFormation instance. | read | - | - |
| lakeformation:instance:drop | Grants permission to delete an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:alter | Grants permission to alter an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:access:describe | Obtain a client for accessing LakeFormation. | read | - | - |
| lakeformation:instance:access | Obtain a LakeFormation instance or apply for access to it. | write | - | - |
| lakeformation:access:create | Create a client for accessing LakeFormation. | write | - | - |
| lakeformation:access:delete | Delete a client for accessing LakeFormation. | write | - | - |
| lakeformation:agency:create | Create a LakeFormation agency. | write | - | - |
| lakeformation:agency:drop | Delete a LakeFormation agency. | write | - | - |
| lakeformation:agency:describe | Obtain a LakeFormation agency. | read | - | - |
| lakeformation:accessService:describe | Check services connected to LakeFormation. | permission_management | - | - |
| lakeformation:accessService:grant | Grant permissions to services connected to LakeFormation. | permission_management | - | - |
| lakeformation:accessTenant:grant | Grant permissions to a tenant for accessing LakeFormation. | permission_management | - | - |
| lakeformation:accessAgency:describe | Obtain the LakeFormation agency information. | permission_management | - | - |
| lakeformation:agreement:describe | Obtain LakeFormation service agreements. | permission_management | - | - |
| lakeformation:agreement:cancel | Cancel LakeFormation service agreements. | permission_management | - | - |
| lakeformation:agreement:grant | Grant LakeFormation service agreements. | permission_management | - | - |
| lakeformation:obs:describe | Obtain OBS buckets. | read | - | - |
| lakeformation:tag:describe | Obtain LakeFormation pre-defined resource tags. | read | - | - |
| lakeformation:instance:createSubscriber | Grants permission to add a metadata event subscriber. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:deleteSubscriber | Grants permission to delete a metadata event subscriber. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::authorizeLocation | Grants permission to authorize OBS locations with the LakeFormation service. | permission_management | - | - |
| lakeformation::listAuthorizedLocation | Grants permission to query OBS locations authorized with the LakeFormation service. | list | - | - |
| lakeformation::cancelAuthorizeLocation | Grants permission to deauthorize OBS locations from the LakeFormation service. | permission_management | - | - |
| lakeformation:instance:list | Grants permission to query the instance list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:listLifecycle | Grants permission to query the instance-level lifecycle rule list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:alterLifecycle | Grants permission to alter the instance-level lifecycle rule list. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:show | Grants permission to describe the instance detail. | read | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:recover | Grants permission to recover an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:createJob | Grants permission to create a LakeFormation job. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:listJob | Grants permission to query the LakeFormation job list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:showJob | Grants permission to query the LakeFormation job log. | read | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:dropJob | Grants permission to delete a LakeFormation job. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:alterJob | Grants permission to alter a LakeFormation job. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:startJob | Grants permission to start a LakeFormation task. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:stopJob | Grants permission to stop a LakeFormation task. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::grantAccessService | Grants permission to authorize an access service. | permission_management | - | - |
| lakeformation::showAccessService | Grants permission to query the user access service. | read | - | - |
| lakeformation::createAgreement | Grants permission to register an agreement. | permission_management | - | - |
| lakeformation::showAgreement | Grants permission to query the user agreement. | read | - | - |
| lakeformation::cancelAgreement | Grants permission to cancel an agreement. | permission_management | - | - |
| lakeformation:instance:listAccess | Grants permission to query the access info list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:createAccess | Grants permission to access a LakeFormation instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | lakeformation:vpcepIds |
| lakeformation:instance:listAccessClient | Grants permission to query the access client list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:createAccessClient | Grants permission to create an access client. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | lakeformation:vpcId |
| lakeformation:instance:showAccessClient | Grants permission to query the LakeFormation instance's access client. | read | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:deleteAccessClient | Grants permission to delete the LakeFormation instance's access client. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:alterAccessClient | Grants permission to alter the LakeFormation instance's access client. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::listTag | Grants permission to query the tag list. | list | - | - |
| lakeformation:instance:alterInstanceTag | Grants permission to add, alter, or delete tags for the LakeFormation instance. | tagging | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::createAgency | Grants permission to create an agency for the LakeFormation service. | write | - | - |
| lakeformation::showAgency | Grants permission to query the agency created for the LakeFormation service. | read | - | - |
| lakeformation::dropAgency | Grants permission to delete the agency created for the LakeFormation service. | write | - | - |
| lakeformation:instance:createInstance | Grants permission to create an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation:instance:update | Grants permission to alter an instance. | write | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::tagResource | Grants permission to tag resources. | tagging | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::unTagResource | Grants permission to remove a resource tag. | tagging | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
| lakeformation::listResourcesByTag | Grants permission to query resources based on tags. | list | - | - |
| lakeformation::listTagsForResource | Grants permission to query the tags of a single resource. | list | lakeformation:<region>:<account-id>:instance:<instance-id> * | - |
Each LakeFormation Console API usually supports one or more actions. Table 2 lists the actions and dependencies supported by LakeFormation Console APIs.
| API | Action | Dependencies |
|---|---|---|
| | lakeformation:instance:createInstance | - |
| | lakeformation:instance:list | - |
| | lakeformation:instance:show | - |
| | lakeformation:instance:update | - |
| | lakeformation:instance:update | - |
| | lakeformation:instance:update | - |
| | lakeformation:instance:recover | - |
| | lakeformation::grantAccessService | - |
| | lakeformation::showAccessService | - |
| | lakeformation:instance:drop | - |
| | lakeformation:agreement:grant | - |
| | lakeformation:agreement:describe | - |
| | lakeformation:agreement:cancel | - |
| | lakeformation:obs:describe | obs:bucket:ListAllMyBuckets |
| | lakeformation:obs:describe | |
| | lakeformation:instance:listAccess | - |
| | lakeformation:instance:createAccess | - |
| | lakeformation:instance:listAccessClient | - |
| POST /v1/{project_id}/instances/{instance_id}/access-clients | lakeformation:instance:createAccessClient | - |
| GET /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} | lakeformation:instance:showAccessClient | - |
| DELETE /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} | lakeformation:instance:deleteAccessClient | - |
| PUT /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} | lakeformation:instance:alterAccessClient | - |
| | lakeformation:agency:create | - |
| | lakeformation:agency:drop | - |
| | lakeformation:agency:describe | - |
| | lakeformation:instance:alterInstanceTag | - |
| | lakeformation:instance:listLifecycle | - |
| | lakeformation:instance:alterLifecycle | - |
| POST /v1/{project_id}/instances/{instance_id}/metadata-event/subscribers | lakeformation:instance:createSubscriber | - |
| DELETE /v1/{project_id}/instances/{instance_id}/metadata-event/subscribers/{subscriber_name} | lakeformation:instance:deleteSubscriber | - |
| | lakeformation::authorizeLocation | - |
| | lakeformation::listAuthorizedLocation | - |
| | lakeformation::cancelAuthorizeLocation | - |
| | lakeformation:instance:createJob | - |
| | lakeformation:instance:listJob | - |
| DELETE /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id} | lakeformation:instance:dropJob | - |
| GET /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id} | lakeformation:instance:showJob | - |
| PUT /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id} | lakeformation:instance:alterJob | - |
| POST /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id}/start | lakeformation:instance:startJob | - |
| POST /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id}/stop | lakeformation:instance:stopJob | - |
| GET /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id}/log | lakeformation:instance:showJob | - |
| GET /v1/{project_id}/instances/{instance_id}/lf-jobs/{job_id}/history | lakeformation:instance:showJob | - |
| | lakeformation::createAgreement | - |
| | lakeformation::showAgreement | - |
| | lakeformation::cancelAgreement | - |
| | lakeformation::createAgency | |
| | lakeformation::dropAgency | |
| | lakeformation::showAgency | iam:agencies:listAgencies |
| | lakeformation::listTag | - |
| | lakeformation::listResourcesByTag | - |
| | lakeformation::listResourcesByTag | - |
| | lakeformation::tagResource | - |
| | lakeformation::unTagResource | - |
| | lakeformation::listTagsForResource | - |
LakeFormation LakeCat API
Table 3 lists the actions that you can define in custom policies for LakeFormation LakeCat APIs.
| Action | Description | Access Level | Resource Type (*: required) | Condition Key |
|---|---|---|---|---|
| lakeformation:model:describe | Permission to query the model for LakeFormation metadata. | read | - | - |
| lakeformation:model:create | Grants permission to create a model. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:alter | Grants permission to alter a model. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:drop | Grants permission to delete a model. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:describeFile | Permission to query the model file for LakeFormation metadata. | read | - | - |
| lakeformation:model:createFile | Grants permission to create a model file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:alterFile | Grants permission to alter a model file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:dropFile | Grants permission to delete a model file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:dataset:describe | Permission to query datasets for LakeFormation metadata. | read | - | - |
| lakeformation:dataset:create | Grants permission to create a dataset. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:alter | Grants permission to alter a dataset. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:drop | Grants permission to delete a dataset. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:describeFileGroup | Permission to query dataset file groups for LakeFormation metadata. | read | - | - |
| lakeformation:dataset:createFileGroup | Grants permission to create a dataset file group. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:alterFileGroup | Grants permission to alter a dataset file group. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:dropFileGroup | Grants permission to delete a dataset file group. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:describeFile | Permission to query the dataset file for LakeFormation metadata. | read | - | - |
| lakeformation:dataset:createFile | Grants permission to create a dataset file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:alterFile | Grants permission to alter a dataset file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:dropFile | Grants permission to delete a dataset file. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:function:describe | Obtain the functions of LakeFormation metadata. | read | - | - |
| lakeformation:function:drop | Grants permission to delete a function. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:function:alter | Grants permission to alter a function. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:function:create | Grants permission to create a function. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:catalog:describe | Obtain a data catalog of LakeFormation metadata. | read | - | - |
| lakeformation:catalog:create | Grants permission to create a catalog. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> * | - |
| lakeformation:catalog:alter | Grants permission to alter a catalog. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> * | - |
| lakeformation:catalog:drop | Grants permission to delete a catalog. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> * | - |
| lakeformation:database:describe | Permission to query the database for LakeFormation metadata. | read | - | - |
| lakeformation:database:create | Grants permission to create a database. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> * | - |
| lakeformation:database:alter | Grants permission to alter a database. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> * | - |
| lakeformation:database:drop | Grants permission to delete a database. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> * | - |
| lakeformation:table:describe | Obtain a data table of LakeFormation metadata. | read | - | - |
| lakeformation:table:alter | Grants permission to alter a table, including partition info, column statistics, and table data overview. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:table:create | Grants permission to create a table. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:table:drop | Grants permission to delete a table. | write | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:transaction:operate | Operate LakeFormation transactions. | write | - | - |
| lakeformation:user:describe | Obtain the relationship between the user and associated roles. | read | - | - |
| lakeformation:policy:create | Create a LakeFormation permission policy. | write | - | - |
| lakeformation:policy:export | Obtain LakeFormation permission policies in batches. | read | - | - |
| lakeformation:policy:drop | Delete a LakeFormation permission policy. | write | - | - |
| lakeformation:policy:describe | Obtain a LakeFormation permission policy. | read | - | - |
| lakeformation:group:describe | Obtain the relationship between the user group and associated roles. | read | - | - |
| lakeformation:group:alter | Modify the relationship between the user group and associated roles. | write | - | - |
| lakeformation:instance:describe | Obtain a LakeFormation instance. | read | - | - |
| lakeformation:role:create | Create a LakeFormation role. | write | - | - |
| lakeformation:role:describe | Obtain a LakeFormation role. | read | - | - |
| lakeformation:role:drop | Delete a LakeFormation role. | write | - | - |
| lakeformation:role:alter | Modify the relationship between a LakeFormation role and the associated user group. | write | - | - |
| lakeformation:credential:describe | Obtain LakeFormation authentication information. | read | - | - |
| lakeformation:configuration:describe | Obtain user configurations. | read | - | - |
| lakeformation:user:alter | Modify the relationship between the user and associated roles. | write | - | - |
| lakeformation:tableFile:alter | Alter files. | write | - | - |
| lakeformation:tableFile:describe | Query files. | read | - | - |
| lakeformation:tableFile:drop | Delete files. | write | - | - |
| lakeformation:tableFile:create | Create files. | write | - | - |
| lakeformation:tableFileGroup:create | Create TableFileGroups. | write | - | - |
| lakeformation:tableFileGroup:describe | Permission to query TableFileGroups. | read | - | - |
| lakeformation:tableFileGroup:alter | Permission to modify TableFileGroups. | write | - | - |
| lakeformation:tableFileGroup:drop | Permission to delete TableFileGroups. | write | - | - |
| lakeformation:metadata:restore | Permission to restore metadata. | write | - | - |
| lakeformation:metadata:clear | Permission to clear metadata. | write | - | - |
| lakeformation:metadataEvent:describe | Permission to query metadata events. | read | - | - |
| lakeformation:policy:delegate | Permission to delegate access policies to other users, user groups, or roles. | write | - | - |
| lakeformation:catalog:list | Grants permission to query the catalog list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> * | - |
| lakeformation:catalog:show | Grants permission to query catalog detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> * | - |
| lakeformation:database:list | Grants permission to query the database list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> * | - |
| lakeformation:database:show | Grants permission to query database detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> * | - |
| lakeformation:table:list | Grants permission to query the table list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:table:show | Grants permission to query table detail info, including partition info, column statistics, and table data overview. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:function:list | Grants permission to query the function list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:function:show | Grants permission to query function detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> *; lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> * | - |
| lakeformation:model:list | Grants permission to query the model list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:show | Grants permission to query model detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:model:listFile | Grants permission to query the model file list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> * | - |
| lakeformation:dataset:list | Grants permission to query the dataset list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:show | Grants permission to query dataset detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:listFileGroup | Grants permission to query the dataset file group list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:showFileGroup | Grants permission to query dataset file group detail info. | read | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | - |
| lakeformation:dataset:listFile | Grants permission to query the dataset file list. | list | lakeformation:<region>:<account-id>:instance:<instance-id> *; lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> *; lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> * | |
- |
|||
lakeformation:instance:authorization |
Grants permission to authorize Metadata to authorizing Principals. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listPolicy |
Grants permission to query metadata authorization policy list. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:revokeAuthorization |
Grants permission to cancel metadata authorization. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:checkPermission |
Grants permission to authenticate whether a principal has permissions to metadata. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listUser |
Grants permission to query user list. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:bindingRole |
Grants permission to bind roles to principal. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
g:ResourceTag/<tag-key> |
lakeformation:instance:unbindingRole |
Grants permission to unbind roles from principal. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:updateRole |
Grants permission to update roles from principal. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listPrincipalRole |
Grants permission to query roles from principal. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listUserGroup |
Grants permission to query user group list of the account. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:createRole |
Grants permission to create role. |
write |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listRole |
Grants permission to query role list. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:dropRole |
Grants permission to delete role. |
write |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:describeRole |
Grants permission to query role detail info. |
read |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:alterRole |
Grants permission to alter role. |
write |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listPrincipal |
Grants permission to query all principals bound to a role. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:bindingPrincipal |
Grants permission to add principal to roles. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:unbindingPrincipal |
Grants permission to revoke principals from roles. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:updatePrincipal |
Grants permission to revoke principal from roles. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:describeCountMeta |
Grants permission to query the number of metadata. |
read |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:createCredential |
Grants permission to create a temporaries access key for a LakeFormation authorized principal. |
permission_management |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:listConfig |
Grants permission to query user config list. |
list |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
lakeformation:instance:describeMetadataEvent |
Grants permission to query metadata events. |
read |
lakeformation:<region>:<account-id>:instance:<instance-id> * |
|
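The two rules a policy author has to respect here, that each action only accepts the resource types listed for it and that an SCP bounds but never grants, are easy to get wrong by hand. The following Python is an added example written for this page; it is not code from the LakeFormation documentation or service. It assumes the usual JSON policy shape (Version, Statement, Effect, Action, Resource), the usual evaluation order (explicit Deny beats Allow, otherwise implicit deny), and shell-style "*" wildcards in action and resource entries; none of those details are stated on this page, and the URN layout is taken from the Resources table below. The sample policy, SCP, region, account and instance names are constructed for the example.

```python
from fnmatch import fnmatchcase

# Resource types each action accepts in its Resource element, transcribed from
# the action table above (a subset; add rows from the table as needed).
ACTION_RESOURCES = {
    "lakeformation:function:list": {"instance", "catalog", "database", "table"},
    "lakeformation:model:list": {"instance", "catalog", "model"},
    "lakeformation:dataset:list": {"instance", "catalog", "dataset"},
    "lakeformation:dataset:show": {"instance", "catalog", "dataset"},
    "lakeformation:dataset:listFile": {"instance", "catalog", "dataset"},
    "lakeformation:instance:authorization": {"instance"},
    "lakeformation:instance:bindingRole": {"instance"},
    "lakeformation:instance:createCredential": {"instance"},
}


def parse_urn(urn):
    """Split lakeformation:<region>:<account-id>:<type>:<path> into its fields."""
    parts = urn.split(":", 4)
    if len(parts) != 5 or parts[0] != "lakeformation":
        raise ValueError(f"not a LakeFormation URN: {urn}")
    return {"region": parts[1], "account": parts[2], "type": parts[3], "path": parts[4]}


def lint_policy(policy):
    """Report unknown actions, malformed URNs, and URNs whose resource type the
    action does not accept (the Resource Type rule of the table above)."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        types = {}                       # resource -> type; '*' is always fine
        for res in stmt["Resource"]:
            if res == "*":
                continue
            try:
                types[res] = parse_urn(res)["type"]
            except ValueError as exc:
                problems.append(f"statement {i}: {exc}")
        for pat in stmt["Action"]:       # Action entries may contain '*'
            actions = [a for a in ACTION_RESOURCES if fnmatchcase(a, pat)]
            if not actions:
                problems.append(f"statement {i}: unknown action {pat}")
            for action in actions:
                for rtype in types.values():
                    if rtype not in ACTION_RESOURCES[action]:
                        problems.append(f"statement {i}: {action} does not "
                                        f"accept resource type {rtype}")
    return problems


def evaluate(policy, action, resource):
    """Assumed order: an explicit Deny wins, then a matching Allow, else Implicit."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if (any(fnmatchcase(action, p) for p in stmt["Action"])
                and any(fnmatchcase(resource, r) for r in stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def decide(identity_policy, scp, action, resource):
    """An SCP grants nothing; it only bounds what the identity policy may grant,
    so a request passes only when both documents allow it."""
    if evaluate(scp, action, resource) != "Allow":
        return "Deny (outside SCP boundary)"
    verdict = evaluate(identity_policy, action, resource)
    if verdict == "Allow":
        return "Allow"
    return "Deny (explicit)" if verdict == "Deny" else "Deny (no matching Allow)"


# Constructed sample documents (not from the page): a read-only analyst scoped to
# one catalog, and an SCP that lets the OU use only list/show actions.
ACCOUNT = "lakeformation:cn-north-4:1234567890abcdef"
ANALYST_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow",
     "Action": ["lakeformation:dataset:list", "lakeformation:dataset:show"],
     "Resource": [f"{ACCOUNT}:catalog:inst-01/analytics",
                  f"{ACCOUNT}:dataset:inst-01/analytics/*"]},
    {"Effect": "Deny",   # never let this principal hand out metadata rights
     "Action": ["lakeformation:instance:authorization",
                "lakeformation:instance:bindingRole",
                "lakeformation:instance:createCredential"],
     "Resource": ["*"]},
]}
ANALYTICS_OU_SCP = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["lakeformation:*:list", "lakeformation:*:show"],
     "Resource": ["*"]}]}
NO_SCP = {"Version": "5.0", "Statement": [          # no boundary at all
    {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}

if __name__ == "__main__":
    print("lint:", lint_policy(ANALYST_POLICY) or "clean")
    for act, res in [("lakeformation:dataset:list", f"{ACCOUNT}:dataset:inst-01/analytics/sales"),
                     ("lakeformation:instance:authorization", f"{ACCOUNT}:instance:inst-01")]:
        print(act, "->", decide(ANALYST_POLICY, ANALYTICS_OU_SCP, act, res))
```

Run it as a pre-commit check on policy JSON: lint_policy catches a dataset:list statement that names a table URN (the table says dataset:list accepts instance, catalog and dataset resources only), and decide shows the SCP effect described at the top of this page: the analyst's explicit Deny on lakeformation:instance:authorization is never even consulted, because the OU's SCP already leaves that action outside the boundary.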
Each LakeFormation LakeCat API usually corresponds to one or more actions. Table 4 lists the actions and dependencies required by the LakeCat APIs; rows whose API cell is empty are listed with the action only, because no API path is given for them on this page. Note that the action identifiers in Table 4 (for example lakeformation:policy:create and lakeformation:role:alter) do not use the same naming as the actions in the table above (for example lakeformation:instance:authorization and lakeformation:instance:bindingPrincipal); check which identifier the policy editor accepts before writing a custom policy or SCP against either form.
| API | Action | Dependencies |
|---|---|---|
| - | lakeformation:model:create | - |
| - | lakeformation:model:describe | - |
| - | lakeformation:model:describe | - |
| - | lakeformation:model:alter | - |
| - | lakeformation:model:drop | - |
| - | lakeformation:model:createFile | - |
| - | lakeformation:model:describeFile | - |
| - | lakeformation:model:alterFile | - |
| - | lakeformation:model:dropFile | - |
| - | lakeformation:dataset:create | - |
| - | lakeformation:dataset:describe | - |
| - | lakeformation:dataset:describe | - |
| - | lakeformation:dataset:alter | - |
| - | lakeformation:dataset:createFileGroup | - |
| - | lakeformation:dataset:describeFileGroup | - |
| - | lakeformation:dataset:describeFileGroup | - |
| - | lakeformation:dataset:alterFileGroup | - |
| - | lakeformation:dataset:dropFileGroup | - |
| - | lakeformation:dataset:describeFile | - |
| - | lakeformation:dataset:alterFile | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/functions | lakeformation:function:describe | - |
|  | lakeformation:function:describe | - |
|  | lakeformation:function:describe | - |
|  | lakeformation:function:drop | - |
|  | lakeformation:function:alter | - |
|  | lakeformation:function:create | - |
|  | lakeformation:function:describe | - |
| - | lakeformation:function:describe | - |
|  | lakeformation:catalog:describe | - |
| - | lakeformation:catalog:describe | - |
|  | lakeformation:catalog:create | - |
| PUT /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} | lakeformation:catalog:alter | - |
| DELETE /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} | lakeformation:catalog:drop | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} | lakeformation:catalog:describe | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases | lakeformation:database:describe | - |
| - | lakeformation:database:describe | - |
| POST /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases | lakeformation:database:create | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} | lakeformation:database:describe | - |
| PUT /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} | lakeformation:database:alter | - |
| DELETE /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} | lakeformation:database:drop | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/names | lakeformation:database:describe | - |
| GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/tables | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
| - | lakeformation:table:describe | - |
|  | lakeformation:table:create | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:drop | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:describe | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:table:alter | - |
|  | lakeformation:user:describe | - |
| POST /v1/{project_id}/instances/{instance_id}/policies/grant | lakeformation:policy:create | - |
| - | lakeformation:policy:create | - |
| GET /v1/{project_id}/instances/{instance_id}/policies/policy | lakeformation:policy:export | - |
| POST /v1/{project_id}/instances/{instance_id}/policies/revoke | lakeformation:policy:drop | - |
|  | lakeformation:policy:describe | - |
|  | lakeformation:policy:export | - |
|  | lakeformation:group:describe | - |
| - | lakeformation:group:alter | - |
| - | lakeformation:group:alter | - |
| - | lakeformation:group:alter | - |
| - | lakeformation:group:describe | - |
|  | lakeformation:instance:describe | - |
|  | lakeformation:role:create | - |
|  | lakeformation:role:describe | - |
| DELETE /v1/{project_id}/instances/{instance_id}/roles/{role_name} | lakeformation:role:drop | - |
| GET /v1/{project_id}/instances/{instance_id}/roles/{role_name} | lakeformation:role:describe | - |
| PUT /v1/{project_id}/instances/{instance_id}/roles/{role_name} | lakeformation:role:alter | - |
|  | lakeformation:role:describe | - |
| GET /v1/{project_id}/instances/{instance_id}/roles/{role_name}/principals | lakeformation:role:describe | - |
| POST /v1/{project_id}/instances/{instance_id}/roles/{role_name}/grant-principals | lakeformation:role:alter | - |
| POST /v1/{project_id}/instances/{instance_id}/roles/{role_name}/revoke-principals | lakeformation:role:alter | - |
| PUT /v1/{project_id}/instances/{instance_id}/roles/{role_name}/update-principals | lakeformation:role:alter | - |
|  | lakeformation:credential:describe | - |
|  | lakeformation:configuration:describe | - |
| POST /v1/{project_id}/instances/{instance_id}/users/{user_name}/grant-roles | lakeformation:user:alter | - |
| POST /v1/{project_id}/instances/{instance_id}/users/{user_name}/revoke-roles | lakeformation:user:alter | - |
| PUT /v1/{project_id}/instances/{instance_id}/users/{user_name}/update-roles | lakeformation:user:alter | - |
| GET /v1/{project_id}/instances/{instance_id}/users/{user_name}/roles | lakeformation:user:describe | - |
| POST /v1/{project_id}/instances/{instance_id}/policies/check-permission | lakeformation:policy:describe | - |
| - | lakeformation:metadata:restore | - |
| - | lakeformation:metadata:clear | - |
| - | lakeformation:table:describe | - |
| - | lakeformation:table:alter | - |
| - | lakeformation:table:describe | - |
| - | lakeformation:dataset:dropFile | - |
| - | lakeformation:dataset:createFile | - |
| - | lakeformation:dataset:drop | - |
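Table 4 is also what an incident responder needs in order to turn an API access log into permission-relevant events: the grant/revoke endpoints under /policies, /roles and /users are the calls that change who can reach the metadata. The Python below is an added example written for this page, not code from the LakeFormation documentation or service. It transcribes the rows of Table 4 that carry an API path, matches request paths against those templates, and tags calls that map to policy:create, policy:drop, role:alter or user:alter. The log line format (timestamp, user=, status, method, path) and every value in the sample lines are constructed for the example; this page does not describe the service's own audit format.

```python
import re

# (method, path template) -> action, transcribed from the rows of Table 4 that
# carry an API path on this page (a subset; rows with a blank API cell have no
# path to match on).
P = "/v1/{project_id}/instances/{instance_id}"
API_ACTIONS = {
    ("GET", P + "/catalogs/{catalog_name}"): "lakeformation:catalog:describe",
    ("DELETE", P + "/catalogs/{catalog_name}"): "lakeformation:catalog:drop",
    ("GET", P + "/catalogs/{catalog_name}/databases"): "lakeformation:database:describe",
    ("POST", P + "/catalogs/{catalog_name}/databases"): "lakeformation:database:create",
    ("GET", P + "/catalogs/{catalog_name}/databases/{database_name}"): "lakeformation:database:describe",
    ("DELETE", P + "/catalogs/{catalog_name}/databases/{database_name}"): "lakeformation:database:drop",
    ("GET", P + "/catalogs/{catalog_name}/databases/names"): "lakeformation:database:describe",
    ("GET", P + "/catalogs/{catalog_name}/databases/tables"): "lakeformation:table:describe",
    ("POST", P + "/policies/grant"): "lakeformation:policy:create",
    ("POST", P + "/policies/revoke"): "lakeformation:policy:drop",
    ("POST", P + "/policies/check-permission"): "lakeformation:policy:describe",
    ("GET", P + "/roles/{role_name}"): "lakeformation:role:describe",
    ("PUT", P + "/roles/{role_name}"): "lakeformation:role:alter",
    ("GET", P + "/roles/{role_name}/principals"): "lakeformation:role:describe",
    ("POST", P + "/roles/{role_name}/grant-principals"): "lakeformation:role:alter",
    ("POST", P + "/roles/{role_name}/revoke-principals"): "lakeformation:role:alter",
    ("POST", P + "/users/{user_name}/grant-roles"): "lakeformation:user:alter",
    ("POST", P + "/users/{user_name}/revoke-roles"): "lakeformation:user:alter",
    ("GET", P + "/users/{user_name}/roles"): "lakeformation:user:describe",
}

# Actions behind the grant/revoke endpoints: a successful call changes who can
# do what in the instance, so it is worth an alert on its own.
AUTHZ_CHANGE = {"lakeformation:policy:create", "lakeformation:policy:drop",
                "lakeformation:role:alter", "lakeformation:user:alter"}


def _compile(template):
    """Turn '/a/{x}/b' into an anchored regex with a named group per placeholder."""
    parts = re.split(r"\{(\w+)\}", template)      # literal, name, literal, ...
    regex = "".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
                    for i, p in enumerate(parts))
    return re.compile("^" + regex + "$")


ROUTES = [(m, _compile(t), t.count("{"), a) for (m, t), a in API_ACTIONS.items()]


def map_request(method, path):
    """Return (action, path parameters) for a request, or None if unknown.
    When several templates match (/databases/tables also fits
    /databases/{database_name}), the one with the fewest placeholders wins."""
    best = None
    for m, rx, nparams, action in ROUTES:
        hit = rx.match(path) if m == method else None
        if hit and (best is None or nparams < best[0]):
            best = (nparams, action, hit.groupdict())
    return None if best is None else (best[1], best[2])


LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<status>\d{3}) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+)$")


def triage(log_lines):
    """Map each access-log line to its action and tag authorization changes;
    a failed (4xx/5xx) grant is tagged as an attempt rather than a change."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        mapped = map_request(m["method"], m["path"])
        action, params = mapped if mapped else (None, {})
        status = int(m["status"])
        tag = None
        if action in AUTHZ_CHANGE:
            tag = "authz-change" if status < 300 else "authz-attempt"
        out.append({"ts": m["ts"], "user": m["user"], "status": status,
                    "action": action, "params": params, "tag": tag})
    return out


# Constructed sample log lines (format and values are invented for the example).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z user=alice 200 GET /v1/0a1b2c/instances/inst-01/catalogs/analytics/databases/tables",
    "2024-05-01T10:00:07Z user=bob 200 POST /v1/0a1b2c/instances/inst-01/roles/lf_admin/grant-principals",
    "2024-05-01T10:00:09Z user=bob 403 POST /v1/0a1b2c/instances/inst-01/policies/grant",
    "2024-05-01T10:00:12Z user=carol 200 GET /v1/0a1b2c/instances/inst-01/users/carol/roles",
    "2024-05-01T10:00:15Z user=carol 200 GET /v1/0a1b2c/instances/inst-01/catalogs/analytics/databases/sales",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        if f["tag"]:
            print(f["ts"], f["user"], f["tag"], f["action"], f["params"])
```

The template-specificity rule matters because Table 4 has literal sub-paths (/databases/names, /databases/tables) sitting beside a placeholder sibling (/databases/{database_name}); without preferring the template with fewer placeholders, a table listing would be logged as a database describe and the table:describe action would never show up in the triage output.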
Resources
A resource type indicates the resources that a policy applies to. If you specify a resource type for an action in Table 5, the resource URN must be given in the Resource element of every policy statement that uses that action, and the policy then applies only to resources of that type. If no resource type is specified, the Resource element is set to an asterisk (*) and the policy applies to all resources. You can also use condition keys in a policy to further narrow the resources a statement applies to.
The following table lists the resource types that you can define in policy statements for LakeFormation.
| Resource Type | URN |
|---|---|
| catalog | lakeformation:<region>:<account-id>:catalog:<instance-id>/<catalog-name> |
| database | lakeformation:<region>:<account-id>:database:<instance-id>/<catalog-name>/<database-name> |
| table | lakeformation:<region>:<account-id>:table:<instance-id>/<catalog-name>/<database-name>/<table-name> |
| function | lakeformation:<region>:<account-id>:function:<instance-id>/<catalog-name>/<database-name>/<function-name> |
| model | lakeformation:<region>:<account-id>:model:<instance-id>/<catalog-name>/<model-name> |
| dataset | lakeformation:<region>:<account-id>:dataset:<instance-id>/<catalog-name>/<dataset-name> |
| instance | lakeformation:<region>:<account-id>:instance:<instance-id> |