IAM Permissions
IAM Overview
If you need to assign different permissions to employees in your enterprise to access your LakeFormation resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users for your employees, and assign permissions to these users to control their access to specific resource types. For example, if you want them to use LakeFormation but must not delete the databases or perform any high-risk operations, you can create IAM users and grant them only the permissions to query LakeFormation instances but not to delete them.
If your Huawei Cloud account does not need individual IAM users for permission management, you may skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?.
IAM Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
LakeFormation permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on job responsibilities. Only a limited number of service-level roles are available for authorization. When using roles to grant permissions, you also need to assign the roles that the permissions depend on. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for secure access control. For example, you can grant users only permission to manage cloud servers of a certain type.
IAM System Policies
Table 1 lists the default system policies of LakeFormation.
| Role/Policy Name | Description | Type | Dependency |
|---|---|---|---|
| LakeFormation FullAccess | Administrator permissions for LakeFormation. Users granted these permissions can use all LakeFormation functions. | System policy | |
| LakeFormation ReadOnlyAccess | Read-only permissions for LakeFormation. Users granted these permissions can query LakeFormation data. | System policy | |
| LakeFormation CommonOperations | Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement, and basic permissions for dependent services such as OBS and TMS. | System policy | |
Table 2 lists the common operations supported by each system policy or role of LakeFormation. Select the permissions as needed.
| Operation | LakeFormation FullAccess | LakeFormation CommonOperations | LakeFormation ReadOnlyAccess |
|---|---|---|---|
| Querying a LakeFormation instance | √ | √ | √ |
| Creating a LakeFormation instance | √ | x | x |
| Modifying a LakeFormation instance | √ | √ | x |
| Deleting a LakeFormation instance | √ | x | x |
| Restoring a LakeFormation instance | √ | x | x |
| Listing all tags of a tenant | √ | √ | √ |
| Updating tags of a LakeFormation instance | √ | √ | x |
| Creating a metadata migration/discovery task | √ | √ | x |
| Deleting a metadata migration or discovery task | √ | √ | x |
| Querying a metadata migration or discovery task | √ | √ | √ |
| Querying metadata migration/discovery task logs | √ | √ | √ |
| Running or stopping a metadata migration or discovery task | √ | √ | x |
| Agreeing to the user agreement | √ | √ | √ |
| Querying the user agreement | √ | √ | √ |
| Authorizing LakeFormation to create an agency | √ | x | x |
| Querying the agency created by LakeFormation | √ | √ | √ |
| Deleting an agency created by LakeFormation | √ | x | x |
| Authorizing a resource | √ | x | x |
| Querying authorized resources | √ | √ | √ |
| Canceling resource authorization | √ | x | x |
| Querying OBS buckets | √ | √ | √ |
| Querying OBS bucket objects | √ | √ | √ |
| Creating a client for service access | √ | √ | x |
| Querying the client for service access | √ | √ | √ |
| Deleting the client for service access | √ | √ | x |
| Subscribing to metadata events | √ | √ | x |
| Unsubscribing from metadata events | √ | √ | x |
| Querying metadata events | √ | √ | √ |
| Querying catalog metadata | √ | √ | √ |
| Creating catalog metadata | √ | √ | x |
| Modifying catalog metadata | √ | √ | x |
| Deleting catalog metadata | √ | √ | x |
| Querying database metadata | √ | √ | √ |
| Creating database metadata | √ | √ | x |
| Modifying database metadata | √ | √ | x |
| Deleting database metadata | √ | √ | x |
| Querying table metadata | √ | √ | √ |
| Creating table metadata | √ | √ | x |
| Modifying table metadata | √ | √ | x |
| Deleting table metadata | √ | √ | x |
| Querying partition metadata | √ | √ | √ |
| Creating partition metadata | √ | √ | x |
| Modifying partition metadata | √ | √ | x |
| Deleting partition metadata | √ | √ | x |
| Querying column statistics | √ | √ | √ |
| Creating column statistics | √ | √ | x |
| Modifying column statistics | √ | √ | x |
| Deleting column statistics | √ | √ | x |
| Querying function metadata | √ | √ | √ |
| Creating function metadata | √ | √ | x |
| Modifying function metadata | √ | √ | x |
| Deleting function metadata | √ | √ | x |
| Querying model metadata | √ | √ | √ |
| Creating model metadata | √ | √ | x |
| Modifying model metadata | √ | √ | x |
| Deleting model metadata | √ | √ | x |
| Querying model file metadata | √ | √ | √ |
| Creating model file metadata | √ | √ | x |
| Modifying model file metadata | √ | √ | x |
| Deleting model file metadata | √ | √ | x |
| Querying dataset metadata | √ | √ | √ |
| Creating dataset metadata | √ | √ | x |
| Modifying dataset metadata | √ | √ | x |
| Deleting dataset metadata | √ | √ | x |
| Querying the number of metadata records | √ | √ | √ |
| Querying an authorization entity | √ | √ | √ |
| Creating a role | √ | √ | x |
| Deleting a role | √ | √ | x |
| Modifying a role | √ | √ | x |
| Querying a role | √ | √ | √ |
| Adding a user or user group to a role | √ | √ | x |
| Removing a user or user group from a role | √ | √ | x |
| Updating the users or user groups in a role | √ | √ | x |
| Granting the metadata permission to the authorization entity | √ | √ | x |
| Canceling the metadata permission authorization to the authorization entity | √ | √ | x |
| Querying authorization information | √ | √ | √ |
| Obtaining the STS token for accessing data | √ | √ | x |
LakeFormation system policies include the following:

- LakeFormation FullAccess

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "lakeformation:*:*",
        "vpc:*:get", "vpc:*:list",
        "tms:predefineTags:list",
        "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:bucket:HeadBucket", "obs:object:GetObject"
      ],
      "Effect": "Allow"
    }
  ]
}
```

- LakeFormation CommonOperations

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lakeformation:*:describe*", "lakeformation:*:list*", "lakeformation:policy:export",
        "lakeformation:access:create", "lakeformation:access:delete",
        "lakeformation:accessAgency:describe", "lakeformation:accessService:describe",
        "lakeformation:accessService:grant", "lakeformation:accessTenant:grant",
        "lakeformation:agreement:cancel", "lakeformation:agreement:describe", "lakeformation:agreement:grant",
        "lakeformation:catalog:alter", "lakeformation:catalog:create", "lakeformation:catalog:drop",
        "lakeformation:database:alter", "lakeformation:database:create", "lakeformation:database:drop",
        "lakeformation:dataset:alter", "lakeformation:dataset:alterFile", "lakeformation:dataset:alterFileGroup",
        "lakeformation:dataset:create", "lakeformation:dataset:createFile", "lakeformation:dataset:createFileGroup",
        "lakeformation:dataset:drop", "lakeformation:dataset:dropFile", "lakeformation:dataset:dropFileGroup",
        "lakeformation:function:alter", "lakeformation:function:create", "lakeformation:function:drop",
        "lakeformation:group:alter",
        "lakeformation:instance:access", "lakeformation:instance:alter",
        "lakeformation:instanceJob:alter", "lakeformation:instanceJob:create",
        "lakeformation:instanceJob:drop", "lakeformation:instanceJob:exec",
        "lakeformation:job:alter", "lakeformation:job:create", "lakeformation:job:drop", "lakeformation:job:exec",
        "lakeformation:model:alter", "lakeformation:model:alterFile", "lakeformation:model:create",
        "lakeformation:model:createFile", "lakeformation:model:drop", "lakeformation:model:dropFile",
        "lakeformation:policy:create", "lakeformation:policy:drop",
        "lakeformation:role:alter", "lakeformation:role:create", "lakeformation:role:drop",
        "lakeformation:table:alter", "lakeformation:table:create", "lakeformation:table:drop",
        "lakeformation:transaction:operate",
        "lakeformation:user:alter",
        "vpc:*:get", "vpc:*:list",
        "tms:predefineTags:list",
        "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:bucket:HeadBucket", "obs:object:GetObject"
      ]
    }
  ]
}
```

- LakeFormation ReadOnlyAccess

```json
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "lakeformation:*:describe*", "lakeformation:*:list*", "lakeformation:policy:export",
        "lakeformation:agreement:cancel", "lakeformation:agreement:describe", "lakeformation:agreement:grant",
        "vpc:*:get", "vpc:*:list",
        "tms:predefineTags:list",
        "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket",
        "obs:bucket:HeadBucket", "obs:object:GetObject"
      ],
      "Effect": "Allow"
    }
  ]
}
```
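The following evaluator is an added example, not code from the Huawei Cloud documentation: it applies policy documents in the form shown above to `service:resource:action` strings, so you can check which operations a policy actually covers before attaching it to a group. It assumes segment-wise shell-style wildcard matching of action names and that an explicit Deny overrides any Allow; the METADATA_READER custom policy is constructed for illustration.

```python
import fnmatch
import json

# Constructed copy of the LakeFormation ReadOnlyAccess system policy shown on this page.
READ_ONLY_ACCESS = json.loads("""
{ "Version": "1.1", "Statement": [ { "Action": [
  "lakeformation:*:describe*", "lakeformation:*:list*", "lakeformation:policy:export",
  "lakeformation:agreement:cancel", "lakeformation:agreement:describe",
  "lakeformation:agreement:grant", "vpc:*:get", "vpc:*:list", "tms:predefineTags:list",
  "obs:bucket:ListAllMyBuckets", "obs:bucket:ListBucket", "obs:bucket:HeadBucket",
  "obs:object:GetObject" ], "Effect": "Allow" } ] }
""")

# Constructed custom policy (assumption, not a system policy): metadata readers that may
# also obtain an STS credential, with every drop/delete action explicitly denied.
METADATA_READER = {
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lakeformation:*:describe*", "lakeformation:credential:describe"]},
        {"Effect": "Deny",
         "Action": ["lakeformation:*:drop", "lakeformation:*:delete*"]},
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """Match 'service:resource:verb' against a pattern segment by segment (assumed semantics)."""
    pat, act = pattern.split(":"), action.split(":")
    return len(pat) == len(act) and all(fnmatch.fnmatchcase(a, p) for a, p in zip(act, pat))


def is_allowed(policy: dict, action: str) -> bool:
    """Deny wins over Allow; an action matched by no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def evaluate(policy: dict, actions: list[str]) -> dict[str, bool]:
    """Map each action to its decision so a policy can be reviewed against Table 2 row by row."""
    return {a: is_allowed(policy, a) for a in actions}
```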
IAM Permissions of LakeFormation
Table 3 lists all IAM permissions of LakeFormation.
| Operation Type | Policy | Description |
|---|---|---|
| Read-only | lakeformation:access:describe | Querying the access client |
| Read-only | lakeformation:agency:describe | Querying an agency |
| Read-only | lakeformation:catalog:describe | Querying catalog metadata |
| Read-only | lakeformation:configuration:describe | Querying configurations |
| Read-only | lakeformation:credential:describe | Obtaining authentication information |
| Read-only | lakeformation:database:describe | Querying database metadata |
| Read-only | lakeformation:file:describe | Querying files |
| Read-only | lakeformation:function:describe | Querying function metadata |
| Read-only | lakeformation:group:describe | Obtaining the relationship between a user group and associated roles |
| Read-only | lakeformation:instance:describe | Querying an instance |
| Read-only | lakeformation:instance:listAuthorizedLocation | Querying the OBS paths authorized to LakeFormation |
| Read-only | lakeformation:instanceJob:describe | Querying an instance-level task |
| Read-only | lakeformation:job:describe | Querying a task |
| Read-only | lakeformation:metadataEvent:describe | Querying a metadata event |
| Read-only | lakeformation:obs:describe | Querying the list of OBS buckets |
| Read-only | lakeformation:part:describe | Querying a partition |
| Read-only | lakeformation:policy:describe | Obtaining a permission policy |
| Read-only | lakeformation:policy:export | Obtaining permission policies in batches |
| Read-only | lakeformation:role:describe | Querying a role |
| Read-only | lakeformation:table:describe | Querying table metadata |
| Read-only | lakeformation:tableFile:describe | Querying a file |
| Read-only | lakeformation:tableFileGroup:describe | Querying metadata of a table file group |
| Read-only | lakeformation:tag:describe | Querying tags of a resource |
| Read-only | lakeformation:user:describe | Obtaining the relationship between a user and associated roles |
| Write | lakeformation:access:create | Creating a client for service access |
| Write | lakeformation:access:delete | Deleting the client for service access |
| Write | lakeformation:agency:create | Creating an agency |
| Write | lakeformation:agency:drop | Deleting an agency |
| Write | lakeformation:catalog:alter | Modifying catalog metadata |
| Write | lakeformation:catalog:create | Creating catalog metadata |
| Write | lakeformation:catalog:drop | Deleting catalog metadata |
| Write | lakeformation:database:alter | Modifying database metadata |
| Write | lakeformation:database:create | Creating database metadata |
| Write | lakeformation:database:drop | Deleting database metadata |
| Write | lakeformation:dataset:create | Creating dataset metadata |
| Write | lakeformation:file:create | Creating a file |
| Write | lakeformation:file:drop | Deleting a file |
| Write | lakeformation:file:alter | Modifying a file |
| Write | lakeformation:function:alter | Modifying function metadata |
| Write | lakeformation:function:create | Creating function metadata |
| Write | lakeformation:function:drop | Deleting function metadata |
| Write | lakeformation:group:alter | Modifying the relationship between a user group and associated roles |
| Write | lakeformation:instance:access | Applying for service access |
| Write | lakeformation:instance:alter | Modifying an instance |
| Write | lakeformation:instance:create | Creating an instance |
| Write | lakeformation:instance:drop | Deleting an instance |
| Write | lakeformation:instanceJob:alter | Modifying a task |
| Write | lakeformation:instanceJob:create | Creating a task |
| Write | lakeformation:instanceJob:drop | Deleting a task |
| Write | lakeformation:instanceJob:exec | Executing an instance-level task |
| Write | lakeformation:instance:createSubscriber | Creating a metadata event subscriber |
| Write | lakeformation:instance:deleteSubscriber | Deleting a metadata event subscriber |
| Write | lakeformation:job:alter | Modifying a task |
| Write | lakeformation:job:create | Creating a task |
| Write | lakeformation:job:drop | Deleting a task |
| Write | lakeformation:job:exec | Executing a task |
| Write | lakeformation:model:create | Creating model metadata |
| Write | lakeformation:metadata:restore | Restoring metadata |
| Write | lakeformation:part:alter | Modifying a partition |
| Write | lakeformation:part:drop | Deleting a partition |
| Write | lakeformation:part:create | Creating a partition |
| Write | lakeformation:policy:create | Creating a permission policy |
| Write | lakeformation:policy:delegate | Delegating a permission policy to another authorization entity |
| Write | lakeformation:policy:drop | Deleting a permission policy |
| Write | lakeformation:role:alter | Modifying the relationship between a role and associated user group |
| Write | lakeformation:role:create | Creating a role |
| Write | lakeformation:role:drop | Deleting a role |
| Write | lakeformation:table:alter | Modifying table metadata |
| Write | lakeformation:table:create | Creating table metadata |
| Write | lakeformation:table:drop | Deleting table metadata |
| Write | lakeformation:tableFile:alter | Modifying a table file |
| Write | lakeformation:tableFile:create | Creating a table file |
| Write | lakeformation:tableFile:drop | Deleting a table file |
| Write | lakeformation:tableFileGroup:alter | Modifying the metadata of a table file group |
| Write | lakeformation:tableFileGroup:create | Creating the metadata of a table file group |
| Write | lakeformation:tableFileGroup:drop | Deleting the metadata of a table file group |
| Write | lakeformation:transaction:operate | Operating transactions |
| Write | lakeformation:user:alter | Modifying the relationship between a user and associated roles |
| Permission management | lakeformation:accessService:grant | Authorizing an access service |
| Permission management | lakeformation:accessTenant:grant | Authorizing an access tenant |
| Permission management | lakeformation:accessAgency:describe | Querying agency information |
| Permission management | lakeformation:accessService:describe | Viewing an access service |
| Permission management | lakeformation:agreement:describe | Querying a service agreement authorization |
| Permission management | lakeformation:agreement:cancel | Canceling a service agreement authorization |
| Permission management | lakeformation:agreement:grant | Granting a service agreement authorization |
| Permission management | lakeformation:instance:authorizeLocation | Authorizing an OBS path to LakeFormation |
| Permission management | lakeformation:instance:cancelAuthorizeLocation | Canceling the authorization of an OBS path |