CloudFormation for Lake Formation AWS::LakeFormation::PrincipalPermissions LFTags


Here I want to use the Lake Formation permission for one particular user that should show the tags: the AWS::LakeFormation::PrincipalPermissions resource and its support for LFTags in a single piece of code. I want to see databases, the user and LF tags, for example:

I want this logic to be done:

```yaml
Resources:
  LFtagPermissionsdb:
    Type: "AWS::LakeFormation::PrincipalPermissions"
    Properties:
      Principal:
        DataLakePrincipalIdentifier: "arn:aws:iam::056152928187:user/ssss"
      Permissions:
        - "ALL"
      PermissionsWithGrantOption:
        - "ALL"
      Resource:
        Database:
          CatalogId: '056152928187'
          Name: 'chaitanya'
        LFTag:
          CatalogId: "084215530558"
          TagKey: "classification-category"
          TagValues:
            - "restricted"
```

1 Answer

I see that you are trying to do multiple LF permission grants using CloudFormation.

Creating an 'AWS::LakeFormation::PrincipalPermissions'[1] resource in CloudFormation grants permissions to a principal on a specified resource. It does not take multiple resources as input. You will have to create a new CF resource of type 'AWS::LakeFormation::PrincipalPermissions' for each permission grant.

Moreover, the permission set for each resource type is different. LFTags have DESCRIBE and ASSOCIATE, whereas Database has ALL, ALTER, CREATE_TABLE, DESCRIBE and DROP. Let's say even if they had the same subset of permissions, the API does not allow granting permission on multiple resources.

AWS::LakeFormation::PrincipalPermissions is equivalent to running GrantPermissions[2] API.

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lakeformation-principalpermissions.html
[2] https://docs.aws.amazon.com/cli/latest/reference/lakeformation/grant-permissions.html

AWS
answered 9 months ago
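A split version of the template from the question that follows the answer above: one PrincipalPermissions resource per Lake Formation resource, with the LF-Tag grant limited to the permissions that resource type actually supports. This is an added example, not code from the post or from AWS; it reuses the account IDs, user ARN, database and tag values from the question, and drops the grant option so the user cannot re-grant to others.

```yaml
# Added example (not from the original post): the combined Database + LFTag
# grant is rejected by GrantPermissions, so each grant gets its own resource.
Resources:
  DatabasePermissions:
    Type: "AWS::LakeFormation::PrincipalPermissions"
    Properties:
      Principal:
        DataLakePrincipalIdentifier: "arn:aws:iam::056152928187:user/ssss"
      Resource:
        Database:
          CatalogId: "056152928187"
          Name: "chaitanya"
      # Database permission set: ALL, ALTER, CREATE_TABLE, DESCRIBE, DROP.
      # ALL matches the question; narrow it to DESCRIBE if the user only reads.
      Permissions:
        - "ALL"
      # Empty grant option: the user cannot pass these permissions on.
      PermissionsWithGrantOption: []

  LFTagPermissions:
    Type: "AWS::LakeFormation::PrincipalPermissions"
    Properties:
      Principal:
        DataLakePrincipalIdentifier: "arn:aws:iam::056152928187:user/ssss"
      Resource:
        LFTag:
          # CatalogId is the account that owns the LF-Tag (value from the question).
          CatalogId: "084215530558"
          TagKey: "classification-category"
          TagValues:
            - "restricted"
      # LF-Tag permission set is only DESCRIBE and ASSOCIATE; "ALL" is invalid here.
      Permissions:
        - "DESCRIBE"
        - "ASSOCIATE"
      PermissionsWithGrantOption: []
```

Each resource maps to one GrantPermissions call, so a failed stack update points at exactly the grant that was rejected.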
