Grant Lake Formation read permission to all tables in a Glue database through CloudFormation
I am working on defining a reader role in a data lake that uses Lake Formation for access control. I would like to grant this role Select permission to all the tables in relevant databases, so that it automatically picks up new tables that are created. In the documentation of CloudFormation I can see that this is currently marked as not supported; TableWildcard looks like a solution that I would like to use.

I am currently looking at either hardcoding the table names that this role should have access to or writing a boto3 script that would pick up all the tables in the database and add the permissions to them through Lake Formation. This could be run with Lambda on a regular schedule, which would automate this process, but of course it will not be the prettiest approach.


Solution

  • Contrary to the current documentation, it is possible to use the "TableWildcard": {} construct as shown in the example below to grant permissions to the role on all the tables in a given database.

    "ExamplePermission": {
      "Type": "AWS::LakeFormation::Permissions",
      "Properties": {
        "DataLakePrincipal": {
          "DataLakePrincipalIdentifier": {
            "Fn::GetAtt": [
              "ExampleRole",
              "Arn"
            ]
          }
        },
        "Resource": {
          "TableResource": {
            "DatabaseName": "example_database",
            "TableWildcard": {}
          }
        },
        "Permissions": [
          "SELECT"
        ],
        "PermissionsWithGrantOption": []
      }
    }
    

    For anyone using CDK, here is a Python flavour of the table resource property:

    import aws_cdk.aws_lakeformation as lakeformation

    # Same wildcard as the JSON above: an empty table_wildcard dict renders as
    # "TableWildcard": {} inside the synthesized TableResource.
    table_property = lakeformation.CfnPermissions.TableResourceProperty(
        database_name="example_database",
        table_wildcard={}
    )
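The same wildcard is available through the Lake Formation API, which is the boto3 route the question considered, except that no per-table enumeration is needed. The script below is an added example, not code from the original question or answer: it builds the `grant_permissions` request that is equivalent to the CloudFormation resource above, and it audits a `list_permissions` result to confirm that a reader principal holds SELECT via TableWildcard, has no stray per-table grants left behind and, importantly for a read-only role, carries no grant option. The role ARN, database name and the permission entries in `SAMPLE_PERMISSIONS` are constructed for offline use and only mimic the shape of the real API response; the `main()` at the bottom is the only part that needs boto3 and AWS credentials.

```python
"""Grant and verify database-wide Lake Formation SELECT through the API.

Added example (not from the original post). The request built here matches
the AWS::LakeFormation::Permissions resource in the answer; the sample
list_permissions entries are constructed, not captured from an account.
"""
from __future__ import annotations

from typing import Any

# Constructed values; substitute your own role ARN and database name.
READER_ARN = "arn:aws:iam::123456789012:role/ExampleRole"
ADMIN_ARN = "arn:aws:iam::123456789012:role/ExampleAdminRole"
DATABASE = "example_database"


def build_table_wildcard_grant(principal_arn: str, database_name: str,
                               permissions=("SELECT",),
                               catalog_id: str | None = None) -> dict[str, Any]:
    """Keyword arguments for lakeformation.grant_permissions().

    "TableWildcard": {} covers every current and future table in the database,
    exactly like the TableResource in the CloudFormation answer. The grant
    option list is deliberately empty: a reader must not be able to re-grant.
    """
    table: dict[str, Any] = {"DatabaseName": database_name, "TableWildcard": {}}
    if catalog_id:
        table["CatalogId"] = catalog_id
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Table": table},
        "Permissions": list(permissions),
        "PermissionsWithGrantOption": [],
    }


def audit_principal_grants(entries: list[dict[str, Any]], principal_arn: str,
                           database_name: str) -> dict[str, set[str]]:
    """Summarise one principal's table grants on a database.

    `entries` is the PrincipalResourcePermissions list from list_permissions.
    Returns the permissions held via TableWildcard, the names of tables with
    explicit (per-table) grants, and any permissions that carry a grant option.
    """
    wildcard: set[str] = set()
    explicit_tables: set[str] = set()
    grant_option: set[str] = set()
    for entry in entries:
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
        table = entry.get("Resource", {}).get("Table")
        if principal != principal_arn or not table:
            continue
        if table.get("DatabaseName") != database_name:
            continue
        if "TableWildcard" in table:
            wildcard.update(entry.get("Permissions", []))
        elif "Name" in table:
            explicit_tables.add(table["Name"])
        grant_option.update(entry.get("PermissionsWithGrantOption", []))
    return {"wildcard": wildcard, "explicit_tables": explicit_tables,
            "grant_option": grant_option}


# Constructed sample shaped like a list_permissions page: the reader has the
# wildcard SELECT, plus a leftover per-table grant that carries a grant option.
SAMPLE_PERMISSIONS: list[dict[str, Any]] = [
    {"Principal": {"DataLakePrincipalIdentifier": READER_ARN},
     "Resource": {"Table": {"DatabaseName": DATABASE, "TableWildcard": {}}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": READER_ARN},
     "Resource": {"Table": {"DatabaseName": DATABASE, "Name": "legacy_table"}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": ["SELECT"]},
    {"Principal": {"DataLakePrincipalIdentifier": READER_ARN},
     "Resource": {"Table": {"DatabaseName": "other_database", "TableWildcard": {}}},
     "Permissions": ["SELECT"], "PermissionsWithGrantOption": []},
    {"Principal": {"DataLakePrincipalIdentifier": ADMIN_ARN},
     "Resource": {"Table": {"DatabaseName": DATABASE, "TableWildcard": {}}},
     "Permissions": ["ALL"], "PermissionsWithGrantOption": ["ALL"]},
]


def main() -> None:
    """Apply the grant and audit the result against a live account."""
    import boto3  # imported here so the pure functions above run offline

    lf = boto3.client("lakeformation")
    lf.grant_permissions(**build_table_wildcard_grant(READER_ARN, DATABASE))
    entries: list[dict[str, Any]] = []
    paginator_args = {"Principal": {"DataLakePrincipalIdentifier": READER_ARN},
                      "ResourceType": "TABLE"}
    while True:
        page = lf.list_permissions(**paginator_args)
        entries.extend(page.get("PrincipalResourcePermissions", []))
        if "NextToken" not in page:
            break
        paginator_args["NextToken"] = page["NextToken"]
    print(audit_principal_grants(entries, READER_ARN, DATABASE))


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the audit reports `{'SELECT'}` via the wildcard, `legacy_table` as an explicit grant that can now be revoked, and `{'SELECT'}` under `grant_option`, which is the finding to fix on a reader role. The entries for the other database and the admin principal are ignored.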