Grant Lake Formation read permission to all tables in a Glue database through CloudFormation


I am working on defining a reader role in a data lake that uses Lake Formation for access control. I would like to grant this role Select permission to all the tables in the relevant databases, so that it automatically picks up new tables as they are created. In the CloudFormation documentation I can see that this is currently marked as not supported; TableWildcard looks like the solution I would like to use.

I am currently looking at either hardcoding the table names that this role should have access to, or writing a boto3 script that would pick up all the tables in the database and add the permissions to them through Lake Formation. This could run in Lambda on a regular schedule, which would automate the process, but of course it will not be the prettiest approach.

3

There are 3 answers

2
Krzysztof Słowiński (BEST ANSWER)

Contrary to the current documentation, it is possible to use the "TableWildcard": {} construct, as shown in the example below, to grant the role permissions on all the tables in a given database.

"ExamplePermission": {
  "Type": "AWS::LakeFormation::Permissions",
  "Properties": {
    "DataLakePrincipal": {
      "DataLakePrincipalIdentifier": {
        "Fn::GetAtt": [
          "ExampleRole",
          "Arn"
        ]
      }
    },
    "Resource": {
      "TableResource": {
        "DatabaseName": "example_database",
        "TableWildcard": {}
      }
    },
    "Permissions": [
      "SELECT"
    ],
    "PermissionsWithGrantOption": []
  }
}

For anyone using CDK, here is a Python flavour of the table resource property:

import aws_cdk.aws_lakeformation as lakeformation

table_property = lakeformation.CfnPermissions.TableResourceProperty(
    database_name="example_database",
    table_wildcard={}
)
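The asker wants the same SELECT grant on every table in several databases. As an added example (not code from the answer above), the following generates one AWS::LakeFormation::Permissions resource per database using the TableWildcard construct, and includes a check that each grant is read-only and carries no grant option; the role logical id and database names are constructed assumptions.

```python
import json
from typing import Any, Dict, List

# Constructed example inputs; the role logical id and database names are assumptions.
ROLE_LOGICAL_ID = "ExampleRole"
DATABASES = ["example_database", "example_database_2"]


def table_wildcard_select(role_logical_id: str, database: str) -> Dict[str, Any]:
    """One AWS::LakeFormation::Permissions resource granting SELECT on every
    current and future table in `database`, via TableWildcard."""
    return {
        "Type": "AWS::LakeFormation::Permissions",
        "Properties": {
            "DataLakePrincipal": {
                "DataLakePrincipalIdentifier": {"Fn::GetAtt": [role_logical_id, "Arn"]}
            },
            "Resource": {
                "TableResource": {"DatabaseName": database, "TableWildcard": {}}
            },
            "Permissions": ["SELECT"],
            # Empty on purpose: a reader must not be able to re-grant access.
            "PermissionsWithGrantOption": [],
        },
    }


def reader_grants(role_logical_id: str, databases: List[str]) -> Dict[str, Any]:
    """Template 'Resources' fragment with one wildcard grant per database."""
    resources = {}
    for i, db in enumerate(databases):
        resources[f"ReaderSelect{i}"] = table_wildcard_select(role_logical_id, db)
    return resources


def is_read_only_wildcard_grant(resource: Dict[str, Any]) -> bool:
    """Review check: SELECT only, no grant option, and a table wildcard
    rather than a single hard-coded table name."""
    props = resource.get("Properties", {})
    table = props.get("Resource", {}).get("TableResource", {})
    return (
        props.get("Permissions") == ["SELECT"]
        and props.get("PermissionsWithGrantOption") == []
        and "TableWildcard" in table
        and "Name" not in table
    )


if __name__ == "__main__":
    resources = reader_grants(ROLE_LOGICAL_ID, DATABASES)
    assert all(is_read_only_wildcard_grant(r) for r in resources.values())
    print(json.dumps({"Resources": resources}, indent=2))
```

The printed fragment can be pasted under the template's Resources key next to the role it references.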
3
Robert Kossendey

If you want to have all the tables in your relevant databases, why don't you use the DatabaseResource? This is what I am using and it works like a charm.

0
DVM

An easier way is to use lf-tags.

Assign all databases the same lf-tag (tables in the database will inherit the lf-tags), then grant permissions to the users for the lf-tag.