Creating a User and Assigning Permissions
This chapter describes how to use What Is IAM? to implement fine-grained permissions control for your LakeFormation instances. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing the resources.
- Assign users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or a cloud service to perform professional and efficient O&M on your resources.
If your cloud account does not need individual IAM users, skip this section.
This section describes the procedure for granting permissions. See Figure 1 for details.
Prerequisites
Before assigning permissions to a user group, learn about LakeFormation permissions in LakeFormation Permissions and select them as needed.
If you need to assign permissions to other services, check all the policies supported by IAM in System-defined Permissions.
Procedure
- Creating a User Group and Assigning Permissions
Create a user group on the IAM console, and assign LakeFormation permissions to the group.
- Create an IAM user.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the console as the user you created, and verify that the user has the assigned permissions.
You can perform the following operation to verify a permission:
Click the service list and choose LakeFormation. On the Overview page, click Buy Instance in the upper right corner. If the instance creation page is displayed, the lakeformation:role:create permission has already taken effect.
LakeFormation Permissions
By default, new IAM users lack permissions assigned. Add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.
You can grant permissions to a role or by creating a policy.
- Roles: A coarse-grained IAM authorization strategy to assign permissions based on user responsibilities. Only a limited number of service-level roles are available. Some roles depend other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Read-only permission authorization using IAM: To assign the read-only permission of LakeFormation in an IAM project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation ReadOnlyAccess system-defined policy to this user group.
- Enterprise project authorization: To assign all permission of LakeFormation in an enterprise project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation CommonAccess permission to the user group and make this permission apply globally. Then, grant this permission to this enterprise project.
- Policies: A type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. Most fine-grained policies split permissions by API. For details about how to customize IAM policies for LakeFormation, see Creating a Custom Policy.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
LakeFormation FullAccess |
Administrator permissions for LakeFormation. Users granted these permissions can use all LakeFormation functions. |
System policy |
N/A |
|
LakeFormation ReadOnlyAccess |
Read-only permissions for LakeFormation. Users granted these permissions can query LakeFormation data. |
System policy |
N/A |
|
LakeFormation CommonAccess |
Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement and basic permissions for dependent services such as OBS and TMS. |
System policy |
N/A |
|
Operation Type |
Item |
Description |
|---|---|---|
|
Read-only |
lakeformation:instance:describe |
Permission to query LakeFormation instances. |
|
lakeformation:catalog:describe |
Permission to query the data catalogs of LakeFormation metadata. |
|
|
lakeformation:database:describe |
Permission to query the databases of LakeFormation metadata. |
|
|
lakeformation:table:describe |
Permission to query the data tables of LakeFormation metadata. |
|
|
lakeformation:function:describe |
Permission to query the functions of LakeFormation metadata. |
|
|
lakeformation:policy:describe |
Permission to query LakeFormation permission policies. |
|
|
lakeformation:policy:export |
Permission to query LakeFormation permission policies in batches. |
|
|
lakeformation:agency:describe |
Permission to query LakeFormation agencies. |
|
|
lakeformation:credential:describe |
Permission to obtain the authentication information for accessing LakeFormation. |
|
|
lakeformation:group:describe |
Permission to obtain the relationship between a LakeFormation user group and its associated roles. |
|
|
lakeformation:user:describe |
Permission to obtain the relationship between a LakeFormation user and its associated roles. |
|
|
lakeformation:role:describe |
Permission to query LakeFormation roles. |
|
|
lakeformation:configuration:describe |
Permission to query user configurations. |
|
|
lakeformation:access:describe |
Permission to query the client access permission. |
|
|
lakeformation:job:describe |
Permission to query LakeFormation tasks. |
|
|
Write |
lakeformation:instance:create |
Permission to create LakeFormation instances. |
|
lakeformation:role:create |
Permission to create LakeFormation roles. |
|
|
lakeformation:policy:create |
Permission to create LakeFormation permission policies. |
|
|
lakeformation:function:create |
Permission to create the functions of LakeFormation metadata. |
|
|
lakeformation:catalog:create |
Permission to create the data catalogs of LakeFormation metadata. |
|
|
lakeformation:database:create |
Permission to create the databases of LakeFormation metadata. |
|
|
lakeformation:table:create |
Permission to create the tables of LakeFormation metadata. |
|
|
lakeformation:access:create |
Permission to create the client access permission. |
|
|
lakeformation:agency:create |
Permission to create LakeFormation agencies. |
|
|
lakeformation:job:create |
Permission to create LakeFormation tasks. |
|
|
lakeformation:instance:alter |
Permission to modify LakeFormation instances. |
|
|
lakeformation:catalog:alter |
Permission to modify the data catalogs of LakeFormation metadata. |
|
|
lakeformation:database:alter |
Permission to modify the databases of LakeFormation metadata. |
|
|
lakeformation:table:alter |
Permission to modify the tables of LakeFormation metadata. |
|
|
lakeformation:function:alter |
Permission to modify the functions of LakeFormation metadata. |
|
|
lakeformation:role:alter |
Permission to modify the relationship between a LakeFormation role and its associated user groups. |
|
|
lakeformation:group:alter |
Permission to modify the relationship between a LakeFormation user group and its associated roles. |
|
|
lakeformation:user:alter |
Permission to modify the relationship between a LakeFormation user and its associated roles. |
|
|
lakeformation:job:alter |
Permission to modify LakeFormation tasks. |
|
|
lakeformation:instance:drop |
Permission to delete LakeFormation instances. |
|
|
lakeformation:role:drop |
Permission to delete LakeFormation roles. |
|
|
lakeformation:policy:drop |
Permission to delete LakeFormation permission policies. |
|
|
lakeformation:function:drop |
Permission to delete the functions of LakeFormation metadata. |
|
|
lakeformation:catalog:drop |
Permission to delete the data catalogs of LakeFormation metadata. |
|
|
lakeformation:database:drop |
Permission to delete the databases of LakeFormation metadata. |
|
|
lakeformation:table:drop |
Permission to delete the tables of LakeFormation metadata. |
|
|
lakeformation:access:delete |
Permission to delete the client access permission. |
|
|
lakeformation:agency:drop |
Permission to delete LakeFormation agencies. |
|
|
lakeformation:job:drop |
Permission to delete LakeFormation tasks. |
|
|
lakeformation:transaction:operate |
Permission to operate LakeFormation transactions. |
|
|
lakeformation:instance:access |
Permission to query a LakeFormation instance or apply for the access to it. |
|
|
lakeformation:job:exec |
Permission to execute LakeFormation tasks. |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
