Supported Actions in ABAC
IAM provides system-defined policies to define common actions supported by cloud services. You can also create custom policies using the actions supported by cloud services for more refined access control.
In addition to IAM, Organizations also provides Service Control Policies (SCP) to set access control policies.
SCPs do not actually grant any permissions to an entity. They only set the permissions boundary for the entity. When SCPs are attached to an organizational unit (OU) or a member account, the SCPs do not directly grant permissions to that OU or member account. Instead, the SCPs only determine what permissions are available for that member account or those member accounts under that OU. The granted permissions can be applied only if they are allowed by the SCPs.
This section describes the elements used by IAM custom policies in ABAC and Organizations SCPs. The elements include actions, resources, and conditions.
Actions
Actions are specific operations that are allowed or denied in a policy.
- The Access Level column describes how the action is classified (List, Read, or Write). This classification helps you understand the level of access that an action grants when you use it in a policy.
- The Resource Type column indicates whether the action supports resource-level permissions.
- You can use a wildcard (*) to indicate all resource types. If this column is empty (-), the action does not support resource-level permissions and you must specify all resources ("*") in your policy statements.
- If this column includes a resource type, you must specify the URN in the Resource element of your policy statements.
- Required resources are marked with asterisks (*) in the table. If you specify a resource in a statement using this action, then it must be of this type.
For details about the resource types defined by LakeFormation, see Resources.
- The Condition Key column includes keys that you can specify in the Condition element of a policy statement.
- If the Resource Type column has values for an action, the condition key takes effect only for the listed resource types.
- If the Resource Type column is empty (-) for an action, the condition key takes effect for all resources that action supports.
- If the Condition Key column is empty (-) for an action, the action does not support any condition keys.
For details about the condition keys defined by LakeFormation, see Conditions.
- For details about the actions supported by LakeFormation and the relationships between APIs and actions, see the following parts:
- LakeFormation APIs that support enterprise project authorization:
- GET /v1/{project_id}/instances
- API whose request contains instance_id, for example, GET /v1/{project_id}/instances/{instance_id}.
LakeFormation Console API
Table 1 lists the actions that you can define in custom policies for LakeFormation Console APIs.
Action |
Description |
Access Level |
Resource Type (*: required) |
Condition Key |
|---|---|---|---|---|
lakeformation:job:create |
Create a LakeFormation task. |
write |
- |
- |
lakeformation:job:describe |
Obtain a LakeFormation task. |
read |
- |
- |
lakeformation:job:drop |
Delete a LakeFormation task. |
write |
- |
- |
lakeformation:job:alter |
Modify a LakeFormation task. |
write |
- |
- |
lakeformation:job:exec |
Execute a LakeFormation task. |
write |
- |
- |
lakeformation:instanceJob:create |
Create a LakeFormation task. |
write |
- |
- |
lakeformation:instanceJob:describe |
Obtain a LakeFormation task. |
read |
- |
- |
lakeformation:instanceJob:drop |
Delete a LakeFormation task. |
write |
- |
- |
lakeformation:instanceJob:alter |
Modify a LakeFormation task. |
write |
- |
- |
lakeformation:instanceJob:exec |
Execute a LakeFormation task. |
write |
- |
- |
lakeformation:instance:create |
Create a LakeFormation instance. |
write |
- |
- |
lakeformation:instance:describe |
Obtain a LakeFormation instance. |
read |
- |
- |
lakeformation:instance:drop |
Delete a LakeFormation instance. |
write |
- |
- |
lakeformation:instance:alter |
Modify a LakeFormation instance. |
write |
- |
- |
lakeformation:access:describe |
Obtain a client for accessing LakeFormation. |
read |
- |
- |
lakeformation:instance:access |
Obtain a LakeFormation instance or apply for the access to it. |
write |
- |
- |
lakeformation:access:create |
Create a client for accessing LakeFormation. |
write |
- |
- |
lakeformation:access:delete |
Delete a client for accessing LakeFormation. |
write |
- |
- |
lakeformation:agency:create |
Create a LakeFormation agency. |
write |
- |
- |
lakeformation:agency:drop |
Delete a LakeFormation agency. |
write |
- |
- |
lakeformation:agency:describe |
Obtain a LakeFormation agency. |
read |
- |
- |
lakeformation:accessService:describe |
Check services connected to LakeFormation. |
permission_management |
- |
- |
lakeformation:accessService:grant |
Grant permissions to services connected to LakeFormation. |
permission_management |
- |
- |
lakeformation:accessTenant:grant |
Grant permissions to a tenant for accessing LakeFormation. |
permission_management |
- |
- |
lakeformation:accessAgency:describe |
Obtain the LakeFormation agency information. |
permission_management |
- |
- |
lakeformation:agreement:describe |
Obtain LakeFormation service agreements. |
permission_management |
- |
- |
lakeformation:agreement:cancel |
Cancel LakeFormation service agreements. |
permission_management |
- |
- |
lakeformation:agreement:grant |
Grant LakeFormation service agreements. |
permission_management |
- |
- |
lakeformation:obs:describe |
Obtain OBS buckets. |
read |
- |
- |
lakeformation:tag:describe |
Obtain LakeFormation pre-defined resource tags. |
read |
- |
- |
Each LakeFormation Console API usually supports one or more actions. Table 2 lists the actions and dependencies supported by LakeFormation Console APIs.
API |
Action |
Dependencies |
|---|---|---|
lakeformation:instance:create |
- |
|
lakeformation:instance:describe |
- |
|
lakeformation:instance:drop |
- |
|
lakeformation:instance:describe |
- |
|
lakeformation:instance:alter |
- |
|
lakeformation:instance:alter |
- |
|
lakeformation:instance:alter |
- |
|
lakeformation:instance:create |
- |
|
lakeformation:accessService:grant |
- |
|
lakeformation:accessService:describe |
- |
|
lakeformation:agreement:grant |
- |
|
lakeformation:agreement:describe |
- |
|
lakeformation:agreement:cancel |
- |
|
lakeformation:obs:describe |
obs:bucket:ListAllMyBuckets |
|
lakeformation:obs:describe |
|
|
lakeformation:instance:access |
- |
|
lakeformation:instance:access |
- |
|
lakeformation:access:describe |
- |
|
POST /v1/{project_id}/instances/{instance_id}/access-clients |
lakeformation:access:create |
- |
GET /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} |
lakeformation:access:describe |
- |
DELETE /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} |
lakeformation:access:delete |
- |
PUT /v1/{project_id}/instances/{instance_id}/access-clients/{client_id} |
lakeformation:instance:alter |
- |
lakeformation:instance:alter |
- |
|
lakeformation:agency:create |
- |
|
lakeformation:agency:drop |
- |
|
lakeformation:agency:describe |
- |
|
lakeformation:tag:describe |
tms:predefineTags:list |
|
- |
lakeformation:instance:describe |
- |
- |
lakeformation:instance:alter |
- |
LakeFormation LakeCat API
Table 3 lists the actions that you can define in custom policies for LakeFormation LakeCat APIs.
Action |
Description |
Access Level |
Resource Type (*: required) |
Condition Key |
|---|---|---|---|---|
lakeformation:function:describe |
Obtain the functions of LakeFormation metadata. |
read |
- |
- |
lakeformation:function:drop |
Delete the functions of LakeFormation metadata. |
write |
- |
- |
lakeformation:function:alter |
Modify the functions of LakeFormation metadata. |
write |
- |
- |
lakeformation:function:create |
Create the functions of LakeFormation metadata. |
write |
- |
- |
lakeformation:catalog:describe |
Obtain a data directory of LakeFormation metadata. |
read |
- |
- |
lakeformation:catalog:create |
Create a data directory of LakeFormation metadata. |
write |
- |
- |
lakeformation:catalog:alter |
Modify a data directory of LakeFormation metadata. |
write |
- |
- |
lakeformation:catalog:drop |
Delete a data directory of LakeFormation metadata. |
write |
- |
- |
lakeformation:database:describe |
Permission to query the database for LakeFormation metadata. |
read |
- |
- |
lakeformation:database:create |
Permission to create the database for LakeFormation metadata. |
write |
- |
- |
lakeformation:database:alter |
Modify the database permissions for LakeFormation metadata. |
write |
- |
- |
lakeformation:database:drop |
Permission to delete the database of LakeFormation metadata. |
write |
- |
- |
lakeformation:table:describe |
Obtain a data table of LakeFormation metadata. |
read |
- |
- |
lakeformation:table:alter |
Modify a data table of LakeFormation metadata. |
write |
- |
- |
lakeformation:table:create |
Create a data table of LakeFormation metadata. |
write |
- |
- |
lakeformation:table:drop |
Delete a data table of LakeFormation metadata. |
write |
- |
- |
lakeformation:transaction:operate |
Operate LakeFormation transactions. |
write |
- |
- |
lakeformation:user:describe |
Obtain the relationship between the user and associated roles |
read |
- |
- |
lakeformation:policy:create |
Create a LakeFormation permission policy. |
write |
- |
- |
lakeformation:policy:export |
Obtain LakeFormation permission policies in batches. |
read |
- |
- |
lakeformation:policy:drop |
Delete a LakeFormation permission policy. |
write |
- |
- |
lakeformation:policy:describe |
Obtain a LakeFormation permission policy. |
read |
- |
- |
lakeformation:group:describe |
Obtain the relationship between the user group and associated roles. |
read |
- |
- |
lakeformation:group:alter |
Modify the relationship between the user group and associated roles. |
write |
- |
- |
lakeformation:instance:describe |
Obtain a LakeFormation instance. |
read |
- |
- |
lakeformation:role:create |
Create a LakeFormation role. |
write |
- |
- |
lakeformation:role:describe |
Obtain a LakeFormation role. |
read |
- |
- |
lakeformation:role:drop |
Delete a LakeFormation role. |
write |
- |
- |
lakeformation:role:alter |
Modify the relationship between a LakeFormation role and associated user group. |
write |
- |
- |
lakeformation:credential:describe |
Obtain LakeFormation authentication information. |
read |
- |
- |
lakeformation:configuration:describe |
Obtain user configurations. |
read |
- |
- |
lakeformation:user:alter |
Modify the relationship between the user and associated roles. - name: lakeformation:tableFile:alter |
write |
- |
- |
lakeformation:tableFile:alter |
Alter files |
write |
- |
- |
lakeformation:tableFile:describe |
Querying Files |
read |
- |
- |
lakeformation:tableFile:drop |
Deletes files |
write |
- |
- |
lakeformation:tableFile:create |
Create Files |
write |
- |
- |
lakeformation:tableFileGroup:create |
Create TableFileGroups |
write |
- |
- |
lakeformation:tableFileGroup:describe |
Permission to query TableFileGroups |
read |
- |
- |
lakeformation:tableFileGroup:alter |
Permission to modifying TableFileGroups |
write |
- |
- |
lakeformation:tableFileGroup:drop |
Permission to delete TableFileGroups |
write |
- |
- |
lakeformation:metadata:restore |
Permission to restore metadata |
write |
- |
- |
lakeformation:metadataEvent:describe |
Permission to query metadata events. |
read |
- |
- |
Each LakeFormation LakeCat API usually supports one or more actions. Table 4 lists the actions and dependencies supported by LakeFormation LakeCat APIs.
API |
Action |
Dependencies |
|---|---|---|
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/functions |
lakeformation:function:describe |
- |
lakeformation:function:describe |
- |
|
lakeformation:function:describe |
- |
|
lakeformation:function:drop |
- |
|
lakeformation:function:alter |
- |
|
lakeformation:function:create |
- |
|
lakeformation:function:describe |
- |
|
lakeformation:catalog:describe |
- |
|
lakeformation:catalog:create |
- |
|
PUT /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} |
lakeformation:catalog:alter |
- |
DELETE /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} |
lakeformation:catalog:drop |
- |
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name} |
lakeformation:catalog:describe |
- |
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases |
lakeformation:database:describe |
- |
POST /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases |
lakeformation:database:create |
- |
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} |
lakeformation:database:describe |
- |
PUT /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} |
lakeformation:database:alter |
- |
DELETE /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/{database_name} |
lakeformation:database:drop |
- |
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/names |
lakeformation:database:describe |
- |
GET /v1/{project_id}/instances/{instance_id}/catalogs/{catalog_name}/databases/tables |
lakeformation:table:describe |
- |
lakeformation:table:describe |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:create |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:drop |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:describe |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:table:alter |
- |
|
lakeformation:user:describe |
- |
|
POST /v1/{project_id}/instances/{instance_id}/policies/grant |
lakeformation:policy:create |
- |
GET /v1/{project_id}/instances/{instance_id}/policies/policy |
lakeformation:policy:export |
- |
POST /v1/{project_id}/instances/{instance_id}/policies/revoke |
lakeformation:policy:drop |
- |
lakeformation:policy:describe |
- |
|
lakeformation:policy:export |
- |
|
lakeformation:group:describe |
- |
|
- |
lakeformation:group:alter |
- |
- |
lakeformation:group:alter |
- |
- |
lakeformation:group:alter |
- |
- |
lakeformation:group:describe |
- |
lakeformation:instance:describe |
- |
|
lakeformation:role:create |
- |
|
lakeformation:role:describe |
- |
|
DELETE /v1/{project_id}/instances/{instance_id}/roles/{role_name} |
lakeformation:role:drop |
- |
GET /v1/{project_id}/instances/{instance_id}/roles/{role_name} |
lakeformation:role:describe |
- |
PUT /v1/{project_id}/instances/{instance_id}/roles/{role_name} |
lakeformation:role:alter |
- |
lakeformation:role:describe |
- |
|
GET /v1/{project_id}/instances/{instance_id}/roles/{role_name}/principals |
lakeformation:role:describe |
- |
POST /v1/{project_id}/instances/{instance_id}/roles/{role_name}/grant-principals |
lakeformation:role:alter |
- |
POST /v1/{project_id}/instances/{instance_id}/roles/{role_name}/revoke-principals |
lakeformation:role:alter |
- |
PUT /v1/{project_id}/instances/{instance_id}/roles/{role_name}/update-principals |
lakeformation:role:alter |
- |
lakeformation:credential:describe |
- |
|
lakeformation:configuration:describe |
- |
|
POST /v1/{project_id}/instances/{instance_id}/users/{user_name}/grant-roles |
lakeformation:user:alter |
- |
POST /v1/{project_id}/instances/{instance_id}/users/{user_name}/revoke-roles |
lakeformation:user:alter |
- |
PUT /v1/{project_id}/instances/{instance_id}/users/{user_name}/update-roles |
lakeformation:user:alter |
- |
GET /v1/{project_id}/instances/{instance_id}/users/{user_name}/roles |
lakeformation:user:describe |
- |
POST /v1/{project_id}/instances/{instance_id}/policies/check-permission |
lakeformation:policy:describe |
- |
- |
lakeformation:metadata:restore |
- |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
