Creating a Custom Policy
Custom policies can be created for LakeFormation to supplement system-defined policies.
To create a custom policy, choose either visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a policy in the JSON format from scratch or based on an existing policy.
For details, see Creating a Custom Policy.
The following section contains examples of common LakeFormation custom policies.
Example Custom Policies
- Example 1: Grant a user read-only permissions on LakeFormation resources in batches.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:instance:describe",
                "lakeformation:role:describe",
                "lakeformation:policy:export",
                "lakeformation:group:describe",
                "lakeformation:function:describe",
                "lakeformation:catalog:describe",
                "lakeformation:policy:describe",
                "lakeformation:table:describe",
                "lakeformation:database:describe"
            ]
        }
    ]
}
- Example 2: Deny data deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the Admin policy to a user but you want to prevent the user from deleting LakeFormation catalogs, databases, and tables. Create a custom policy for denying deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on catalogs, databases, and tables except deleting them.
Example policy denying deletion of LakeFormation catalogs, databases, and tables:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "lakeformation:database:drop",
                "lakeformation:table:drop",
                "lakeformation:catalog:drop"
            ]
        }
    ]
}
- Example 3: Create a custom policy that contains the actions of multiple services.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:CreateBucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:table:create",
                "lakeformation:database:create",
                "lakeformation:catalog:create"
            ]
        }
    ]
}
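The following Python snippet is an added illustration, not code from the LakeFormation documentation or the IAM service. It models the precedence rule stated under Example 2 (an explicit "Deny" overrides any "Allow") by combining the deny-deletion policy from Example 2 with an assumed Admin-like policy that allows every lakeformation action via a wildcard; the real Admin policy's contents, the default-deny fallback, and the action matching are assumptions, and resources and conditions are not modelled.

```python
import fnmatch
import json

# Constructed input: the deny-deletion policy from Example 2 on this page.
DENY_DELETE_POLICY = json.loads("""
{ "Version": "1.1", "Statement": [ { "Effect": "Deny", "Action": [
  "lakeformation:database:drop", "lakeformation:table:drop",
  "lakeformation:catalog:drop" ] } ] }
""")

# Assumption: a stand-in for the system-defined Admin policy, whose real
# contents are not shown on the page. It allows every lakeformation action.
ADMIN_LIKE_POLICY = {
    "Version": "1.1",
    "Statement": [{"Effect": "Allow", "Action": ["lakeformation:*"]}],
}


def evaluate(action, policies):
    """Return 'Allow' or 'Deny' for one action across all attached policies.

    Rule modelled from the page: an explicit Deny takes precedence over any
    Allow. Assumption: an action matched by no Allow statement is denied.
    """
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            actions = stmt.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            # fnmatchcase lets "lakeformation:*" match any lakeformation action
            if any(fnmatch.fnmatchcase(action, p) for p in actions):
                if stmt.get("Effect") == "Deny":
                    return "Deny"  # explicit Deny wins immediately
                if stmt.get("Effect") == "Allow":
                    allowed = True
    return "Allow" if allowed else "Deny"


def check_group_permissions(actions, policies):
    """Map each requested action to its decision under the attached policies."""
    return {a: evaluate(a, policies) for a in actions}


if __name__ == "__main__":
    group_policies = [ADMIN_LIKE_POLICY, DENY_DELETE_POLICY]
    for act, decision in check_group_permissions(
        ["lakeformation:table:create", "lakeformation:table:drop",
         "obs:bucket:CreateBucket"], group_policies).items():
        print(f"{act}: {decision}")
```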