Module Awso_lakeformation_syncSource

A structure that allows an admin to grant user permissions on certain conditions. For example, granting a role access to all columns that do not have the LF-tag 'PII' in tables that have the LF-tag 'Prod'.

A structure containing an LF-tag key-value pair.

A wildcard object representing every table under a database.

A wildcard object, consisting of an optional list of excluded column names or indexes.

Configuration for enabling trusted identity propagation with Redshift Connect.

A structure for the catalog object.

A structure for a data cells filter resource.

A structure for a data location object where permissions are granted or revoked.

A structure for the database object.

A structure containing a LF-Tag expression (keys and values).

A structure containing an LF-tag key and values for a resource.

A structure containing a list of LF-tag conditions or saved LF-Tag expressions that apply to a resource's LF-tag policy.

A structure for the table object. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

A structure for a table with columns object. This object is only used when granting a SELECT permission. This object must take a value for at least one of ColumnsNames, ColumnsIndexes, or ColumnsWildcard.

A union structure representing different Redshift integration scopes.

A structure containing the name of a column resource and the LF-tags attached to it.

The Lake Formation principal. Supported principals are IAM users or IAM roles.

A structure that you pass to indicate you want all rows in a filter.

Specifies the details of a governed table.

A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.

A structure for the resource.

A new object to add to the governed table.

An object to delete from the governed table.

Contains details about an error.

Permissions granted to a principal.

A structure containing the additional details to be returned in the AdditionalDetails attribute of PrincipalResourcePermissions. If a catalog resource is shared through Resource Access Manager (RAM), then there will exist a corresponding RAM resource share ARN.

A PartiQL predicate.

A permission to a resource granted by batch operation to the principal.

Defines an object to add to or delete from a governed table.

A union structure representing different service integration types.

A structure describing a table resource with LF-tags.

A structure describing a database resource with LF-tags.

A structure containing an error related to a TagResource or UnTagResource operation.

A structure that contains information about a transaction.

A structure describing the configuration and details of a storage optimizer.

A structure containing information about an Lake Formation resource.

This structure describes the filtering of columns in a table based on a filter condition.

The permissions granted or revoked on a resource.

A single principal-resource pair that has Lake Formation permissins enforced.

A structure consists LF-Tag expression name and catalog ID.

A structure that describes certain columns on certain rows.

Defines the valid range of work unit IDs for querying the execution service.

A structure containing a list of partition values and table objects.

An object that defines an Amazon S3 object to be deleted if a transaction cancels, provided that VirtualPut was called before writing the object.

A list of failures when performing a batch grant or batch revoke operation.

Access to a resource was denied.

A specified entity does not exist.

An internal service error occurred.

The input provided was not valid.

Two processes are trying to modify a resource simultaneously.

The operation timed out.

Contains details about an error related to a resource which is not ready for a transaction.

Contains details about an error related to a transaction that was cancelled.

Contains details about an error related to a transaction commit that was in progress.

Contains details about an error where the specified transaction has already been committed and cannot be used for UpdateTableObjects.

Configuration for enabling external data filtering for third-party applications to access data managed by Lake Formation .

A resource numerical limit was exceeded.

Contains details about an error where the query request was throttled.

A structure containing information about the query plan.

An encryption operation failed.

A resource to be created or added already exists.

A structure representing a list of Lake Formation principals designated as data lake administrators and lists of principal permission entries for default create database and default create table permissions.

Contains details about an error where the query request expired.

Contains details about an error related to work units not being ready.

The engine does not support filtering data based on the enforced permissions. For example, if you call the GetTemporaryGlueTableCredentials operation with SupportedPermissionType equal to ColumnPermission, but cell-level permissions exist on the table, this exception is thrown.

A structure used to include auditing information on the privileged API.

A structure used as a protocol between query engines and Lake Formation or Glue. Contains both a Lake Formation generated authorization identifier and information from the request's authorization context. For more information about how to utilize QuerySessionContext, see Lake Formation workflow for application integration API operations in the developer guide.

Contains a list of values defining partitions.

Multiple resources exist with the same Amazon S3 location

A temporary set of credentials for an Lake Formation user. These credentials are scoped down to only access the raw data sources that the user has access to. The temporary security credentials consist of an access key and a session token. The access key consists of an access key ID and a secret key. When the credentials are created, they are associated with an IAM access control policy that limits what the user can do when using the credentials.

Statistics related to the processing of a query statement.

Statistics related to the processing of a query statement.

Contains details about an error related to statistics not being ready.

Updates the configuration of the storage optimizers for a table.

Updates the configuration of the storage optimizers for a table.

Updates the manifest of Amazon S3 objects that make up the specified governed table.

Updates the manifest of Amazon S3 objects that make up the specified governed table.

Updates the data access role used for vending access to the given (registered) resource in Lake Formation.

Updates the data access role used for vending access to the given (registered) resource in Lake Formation.

Updates the IAM Identity Center connection parameters.

Updates the IAM Identity Center connection parameters.

Updates the list of possible values for the specified LF-tag key. If the LF-tag does not exist, the operation throws an EntityNotFoundException. The values in the delete key values will be deleted from list of possible values. If any value in the delete key values is attached to a resource, then API errors out with a 400 Exception - "Update not allowed". Untag the attribute before deleting the LF-tag key's value.

Updates the list of possible values for the specified LF-tag key. If the LF-tag does not exist, the operation throws an EntityNotFoundException. The values in the delete key values will be deleted from list of possible values. If any value in the delete key values is attached to a resource, then API errors out with a 400 Exception - "Update not allowed". Untag the attribute before deleting the LF-tag key's value.

Updates the name of the LF-Tag expression to the new description and expression body provided. Updating a LF-Tag expression immediately changes the permission boundaries of all existing LFTagPolicy permission grants that reference the given LF-Tag expression.

Updates the name of the LF-Tag expression to the new description and expression body provided. Updating a LF-Tag expression immediately changes the permission boundaries of all existing LFTagPolicy permission grants that reference the given LF-Tag expression.

Updates a data cell filter.

Updates a data cell filter.

Starts a new transaction and returns its transaction ID. Transaction IDs are opaque objects that you can use to identify a transaction.

Starts a new transaction and returns its transaction ID. Transaction IDs are opaque objects that you can use to identify a transaction.

A structure for the output.

Submits a request to process a query statement. This operation generates work units that can be retrieved with the GetWorkUnits operation as soon as the query state is WORKUNITS_AVAILABLE or FINISHED.

This operation allows a search on TABLE resources by LFTags. This will be used by admins who want to grant user permissions on certain LF-tags. Before making a grant, the admin can use SearchTablesByLFTags to find all resources where the given LFTags are valid to verify whether the returned resources can be shared.

This operation allows a search on TABLE resources by LFTags. This will be used by admins who want to grant user permissions on certain LF-tags. Before making a grant, the admin can use SearchTablesByLFTags to find all resources where the given LFTags are valid to verify whether the returned resources can be shared.

This operation allows a search on DATABASE resources by TagCondition. This operation is used by admins who want to grant user permissions on certain TagConditions. Before making a grant, the admin can use SearchDatabasesByTags to find all resources where the given TagConditions are valid to verify whether the returned resources can be shared.

This operation allows a search on DATABASE resources by TagCondition. This operation is used by admins who want to grant user permissions on certain TagConditions. Before making a grant, the admin can use SearchDatabasesByTags to find all resources where the given TagConditions are valid to verify whether the returned resources can be shared.

Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.

Removes an LF-tag from the resource. Only database, table, or tableWithColumns resource are allowed. To tag columns, use the column inclusion list in tableWithColumns to specify column input.

Removes an LF-tag from the resource. Only database, table, or tableWithColumns resource are allowed. To tag columns, use the column inclusion list in tableWithColumns to specify column input.

Registers the resource as managed by the Data Catalog. To add or update data, Lake Formation needs read/write access to the chosen data location. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy. The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location. ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true If UseServiceLinkedRole is not set to true, you must provide or set the RoleArn: arn:aws:iam::12345:role/my-data-access-role

Registers the resource as managed by the Data Catalog. To add or update data, Lake Formation needs read/write access to the chosen data location. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy. The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location. ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true If UseServiceLinkedRole is not set to true, you must provide or set the RoleArn: arn:aws:iam::12345:role/my-data-access-role

Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see Granting Lake Formation Permissions. This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list and add the new admin to that list and pass that list in this API.

Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see Granting Lake Formation Permissions. This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list and add the new admin to that list and pass that list in this API.

Returns metadata about transactions and their status. To prevent the response from growing indefinitely, only uncommitted transactions and those available for time-travel queries are returned. This operation can help you identify uncommitted transactions or to get information about transactions.

Returns metadata about transactions and their status. To prevent the response from growing indefinitely, only uncommitted transactions and those available for time-travel queries are returned. This operation can help you identify uncommitted transactions or to get information about transactions.

Returns the configuration of all storage optimizers associated with a specified table.

Returns the configuration of all storage optimizers associated with a specified table.

Lists the resources registered to be managed by the Data Catalog.

Lists the resources registered to be managed by the Data Catalog.

Returns a list of the principal permissions on the resource, filtered by the permissions of the caller. For example, if you are granted an ALTER permission, you are able to see only the principal permissions for ALTER. This operation returns only those permissions that have been explicitly granted. If both Principal and Resource parameters are provided, the response returns effective permissions rather than the explicitly granted permissions. For information about permissions, see Security and Access Control to Metadata and Data.

Returns a list of the principal permissions on the resource, filtered by the permissions of the caller. For example, if you are granted an ALTER permission, you are able to see only the principal permissions for ALTER. This operation returns only those permissions that have been explicitly granted. If both Principal and Resource parameters are provided, the response returns effective permissions rather than the explicitly granted permissions. For information about permissions, see Security and Access Control to Metadata and Data.

Retrieve the current list of resources and principals that are opt in to enforce Lake Formation permissions.

Retrieve the current list of resources and principals that are opt in to enforce Lake Formation permissions.

Lists LF-tags that the requester has permission to view.

Lists LF-tags that the requester has permission to view.

Returns the LF-Tag expressions in caller’s account filtered based on caller's permissions. Data Lake and read only admins implicitly can see all tag expressions in their account, else caller needs DESCRIBE permissions on tag expression.

Returns the LF-Tag expressions in caller’s account filtered based on caller's permissions. Data Lake and read only admins implicitly can see all tag expressions in their account, else caller needs DESCRIBE permissions on tag expression.

Lists all the data cell filters on a table.

Lists all the data cell filters on a table.

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. For information about permissions, see Security and Access Control to Metadata and Data.

Grants permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. For information about permissions, see Security and Access Control to Metadata and Data.

A structure for the output.

Retrieves the work units generated by the StartQueryPlanning operation.

A structure for the output.

Returns the work units resulting from the query. Work units can be executed in any order and in parallel.

Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix. To call this API, the role that the service assumes must have lakeformation:GetDataAccess permission on the resource.

Allows a caller in a secure environment to assume a role with permission to access Amazon S3. In order to vend such credentials, Lake Formation assumes the role associated with a registered location, for example an Amazon S3 bucket, with a scope down policy which restricts the access to a single prefix. To call this API, the role that the service assumes must have lakeformation:GetDataAccess permission on the resource.

This API is identical to GetTemporaryTableCredentials except that this is used when the target Data Catalog resource is of type Partition. Lake Formation restricts the permission of the vended credentials with the same scope down policy which restricts access to a single Amazon S3 prefix.

This API is identical to GetTemporaryTableCredentials except that this is used when the target Data Catalog resource is of type Partition. Lake Formation restricts the permission of the vended credentials with the same scope down policy which restricts access to a single Amazon S3 prefix.

Allows a user or application in a secure environment to access data in a specific Amazon S3 location registered with Lake Formation by providing temporary scoped credentials that are limited to the requested data location and the caller's authorized access level. GetDataAccess is logged in CloudTrail whenever a principal requests temporary data location credentials to access data in a data lake location that is registered with Lake Formation. The API operation returns an error in the following scenarios: The data location is not registered with Lake Formation. No Glue table is associated with the data location. The caller doesn't have required permissions on the associated table. The caller must have SELECT or SUPER permissions on the associated table, and credential vending for full table access must be enabled in the data lake settings. For more information, see Application integration for full table access. The data location is in a different Amazon Web Services Region. Lake Formation doesn't support cross-Region access when vending credentials for a data location. Lake Formation only supports Amazon S3 paths registered within the same Region as the API call.

Allows a user or application in a secure environment to access data in a specific Amazon S3 location registered with Lake Formation by providing temporary scoped credentials that are limited to the requested data location and the caller's authorized access level. GetDataAccess is logged in CloudTrail whenever a principal requests temporary data location credentials to access data in a data lake location that is registered with Lake Formation. The API operation returns an error in the following scenarios: The data location is not registered with Lake Formation. No Glue table is associated with the data location. The caller doesn't have required permissions on the associated table. The caller must have SELECT or SUPER permissions on the associated table, and credential vending for full table access must be enabled in the data lake settings. For more information, see Application integration for full table access. The data location is in a different Amazon Web Services Region. Lake Formation doesn't support cross-Region access when vending credentials for a data location. Lake Formation only supports Amazon S3 paths registered within the same Region as the API call.

Returns the set of Amazon S3 objects that make up the specified governed table. A transaction ID or timestamp can be specified for time-travel queries.

Returns the set of Amazon S3 objects that make up the specified governed table. A transaction ID or timestamp can be specified for time-travel queries.

Returns the LF-tags applied to a resource.

Returns the LF-tags applied to a resource.

Retrieves statistics on the planning and execution of a query.

Retrieves statistics on the planning and execution of a query.

A structure for the output.

Returns the state of a query previously submitted. Clients are expected to poll GetQueryState to monitor the current state of the planning before retrieving the work units. A query state is only visible to the principal that made the initial call to StartQueryPlanning.

Returns an LF-tag definition.

Returns an LF-tag definition.

Returns the details about the LF-Tag expression. The caller must be a data lake admin or must have DESCRIBE permission on the LF-Tag expression resource.

Returns the details about the LF-Tag expression. The caller must be a data lake admin or must have DESCRIBE permission on the LF-Tag expression resource.

Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3. GetEffectivePermissionsForPath will not return databases and tables if the catalog is encrypted.

Returns the Lake Formation permissions for a specified table or database resource located at a path in Amazon S3. GetEffectivePermissionsForPath will not return databases and tables if the catalog is encrypted.

Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.

Retrieves the list of the data lake administrators of a Lake Formation-managed data lake.

Returns the identity of the invoking principal.

Returns the identity of the invoking principal.

Returns a data cells filter.

Returns a data cells filter.

Indicates to the service that the specified transaction is still active and should not be treated as idle and aborted. Write transactions that remain idle for a long period are automatically aborted unless explicitly extended.

Indicates to the service that the specified transaction is still active and should not be treated as idle and aborted. Write transactions that remain idle for a long period are automatically aborted unless explicitly extended.

Returns the details of a single transaction.

Returns the details of a single transaction.

Retrieves the current data access role for the given resource registered in Lake Formation.

Retrieves the current data access role for the given resource registered in Lake Formation.

Retrieves the instance ARN and application ARN for the connection.

Retrieves the instance ARN and application ARN for the connection.

Deregisters the resource as managed by the Data Catalog. When you deregister a path, Lake Formation removes the path from the inline policy attached to your service-linked role.

Deregisters the resource as managed by the Data Catalog. When you deregister a path, Lake Formation removes the path from the inline policy attached to your service-linked role.

For a specific governed table, provides a list of Amazon S3 objects that will be written during the current transaction and that can be automatically deleted if the transaction is canceled. Without this call, no Amazon S3 objects are automatically deleted when a transaction cancels. The Glue ETL library function write_dynamic_frame.from_catalog() includes an option to automatically call DeleteObjectsOnCancel before writes. For more information, see Rolling Back Amazon S3 Writes.

For a specific governed table, provides a list of Amazon S3 objects that will be written during the current transaction and that can be automatically deleted if the transaction is canceled. Without this call, no Amazon S3 objects are automatically deleted when a transaction cancels. The Glue ETL library function write_dynamic_frame.from_catalog() includes an option to automatically call DeleteObjectsOnCancel before writes. For more information, see Rolling Back Amazon S3 Writes.

Remove the Lake Formation permissions enforcement of the given databases, tables, and principals.

Remove the Lake Formation permissions enforcement of the given databases, tables, and principals.

Deletes an IAM Identity Center connection with Lake Formation.

Deletes an IAM Identity Center connection with Lake Formation.

Deletes an LF-tag by its key name. The operation fails if the specified tag key doesn't exist. When you delete an LF-Tag: The associated LF-Tag policy becomes invalid. Resources that had this tag assigned will no longer have the tag policy applied to them.

Deletes an LF-tag by its key name. The operation fails if the specified tag key doesn't exist. When you delete an LF-Tag: The associated LF-Tag policy becomes invalid. Resources that had this tag assigned will no longer have the tag policy applied to them.

Deletes the LF-Tag expression. The caller must be a data lake admin or have DROP permissions on the LF-Tag expression. Deleting a LF-Tag expression will also delete all LFTagPolicy permissions referencing the LF-Tag expression.

Deletes the LF-Tag expression. The caller must be a data lake admin or have DROP permissions on the LF-Tag expression. Deleting a LF-Tag expression will also delete all LFTagPolicy permissions referencing the LF-Tag expression.

Deletes a data cell filter.

Deletes a data cell filter.

Enforce Lake Formation permissions for the given databases, tables, and principals.

Enforce Lake Formation permissions for the given databases, tables, and principals.

Creates an IAM Identity Center connection with Lake Formation to allow IAM Identity Center users and groups to access Data Catalog resources.

Creates an IAM Identity Center connection with Lake Formation to allow IAM Identity Center users and groups to access Data Catalog resources.

Creates an LF-tag with the specified name and values.

Creates an LF-tag with the specified name and values.

Creates a new LF-Tag expression with the provided name, description, catalog ID, and expression body. This call fails if a LF-Tag expression with the same name already exists in the caller’s account or if the underlying LF-Tags don't exist. To call this API operation, caller needs the following Lake Formation permissions: CREATE_LF_TAG_EXPRESSION on the root catalog resource. GRANT_WITH_LF_TAG_EXPRESSION on all underlying LF-Tag key:value pairs included in the expression.

Creates a new LF-Tag expression with the provided name, description, catalog ID, and expression body. This call fails if a LF-Tag expression with the same name already exists in the caller’s account or if the underlying LF-Tags don't exist. To call this API operation, caller needs the following Lake Formation permissions: CREATE_LF_TAG_EXPRESSION on the root catalog resource. GRANT_WITH_LF_TAG_EXPRESSION on all underlying LF-Tag key:value pairs included in the expression.

Creates a data cell filter to allow one to grant access to certain columns on certain rows.

Creates a data cell filter to allow one to grant access to certain columns on certain rows.

Attempts to commit the specified transaction. Returns an exception if the transaction was previously aborted. This API action is idempotent if called multiple times for the same transaction.

Attempts to commit the specified transaction. Returns an exception if the transaction was previously aborted. This API action is idempotent if called multiple times for the same transaction.

Attempts to cancel the specified transaction. Returns an exception if the transaction was previously committed.

Attempts to cancel the specified transaction. Returns an exception if the transaction was previously committed.

Batch operation to revoke permissions from the principal.

Batch operation to revoke permissions from the principal.

Batch operation to grant permissions to the principal.

Batch operation to grant permissions to the principal.

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session. This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would include the following actions: glue:*Database* glue:*Table* glue:*Partition* glue:*UserDefinedFunction* lakeformation:GetDataAccess

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session. This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would include the following actions: glue:*Database* glue:*Table* glue:*Partition* glue:*UserDefinedFunction* lakeformation:GetDataAccess

Attaches one or more LF-tags to an existing resource.

Attaches one or more LF-tags to an existing resource.