aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::LakeFormation::Permissions - Resource missing Catalog #577

Closed rodalarcon closed 2 years ago

rodalarcon commented 4 years ago

1. AWS::LakeFormation::Permissions-Resource missing Catalog

2. Scope of request

Implement and document the Catalog property of AWS::LakeFormation::Permissions-Resource

3. Expected behavior

CloudFormation should allow Lake Formation Admins to grant users access to edit the catalog, including Creating and Updating a Database.

In Create, it should add Database creators like the AWS Console.

In Update, it should behave like the other attributes of AWS::LakeFormation::Permissions-Resource.

In Delete, it should remove the added Database creators.

4. Suggest specific test cases

Test adding a new Database creator, then it should be listed under the Database creator Principals. If removing the Permission, it should also remove the added principal (unless we can provide an equivalent implementation otherwise).

5. Helpful Links to speed up research and evaluation

Boto3 Alternative:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/lakeformation.html#LakeFormation.Client.grant_permissions

6. Category

Analytics (Athena, EMR, Glue,...)

7. Any additional context (optional)

Currently with CloudFormation there is no way to modify the CreateTableDefaultPermissions under the AWS::Glue::Database-DatabaseInput Parameter. One workaround I tried to implement was using a Custom Resource, but since the underlying execution role is not registered as Database creator I could not use this approach to accomplish this goal. And since we do not have an option to grant Database creator permissions using CloudFormation, I also could not programmatically change the permissions for that execution role. Having this feature would help overcome such a limitation.
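The Create/Update/Delete behaviour requested above, sketched as a Lambda-backed custom resource that calls the boto3 `grant_permissions`/`revoke_permissions` API linked under "Boto3 Alternative". This is an added example, not code from the issue or the roadmap project; `PRINCIPAL_ARN`, the `PrincipalArn` property and `RecordingClient` are constructed for the example, and it assumes the handler's execution role is itself a Lake Formation admin (the obstacle the issue describes).

```python
# Constructed sample values; placeholders, not taken from the original issue.
PRINCIPAL_ARN = "arn:aws:iam::123456789012:role/ExampleDataEngineer"
CATALOG_PERMISSIONS = ["CREATE_DATABASE"]  # the "Database creator" permission

def catalog_grant_args(principal_arn):
    """Keyword arguments for grant_permissions / revoke_permissions.
    Resource={'Catalog': {}} addresses the Data Catalog itself rather than
    a database or table, which is what a catalog-level grant needs."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal_arn},
        "Resource": {"Catalog": {}},
        "Permissions": CATALOG_PERMISSIONS,
    }

class RecordingClient:
    """Constructed offline stand-in for boto3.client('lakeformation'):
    records the calls the handler makes instead of sending them."""
    def __init__(self):
        self.calls = []

    def grant_permissions(self, **kwargs):
        self.calls.append(("grant_permissions", kwargs))
        return {}

    def revoke_permissions(self, **kwargs):
        self.calls.append(("revoke_permissions", kwargs))
        return {}

def handle(event, client=None):
    """Custom-resource handler: Create grants, Delete revokes, Update moves the
    grant when the principal changes. Assumes the execution role is a Lake
    Formation admin. Returns the (action, principal) pairs it performed."""
    if client is None:
        import boto3  # lazy import so the offline example needs no boto3
        client = boto3.client("lakeformation")
    new_arn = event["ResourceProperties"]["PrincipalArn"]
    old_arn = event.get("OldResourceProperties", {}).get("PrincipalArn")
    actions = []
    if event["RequestType"] == "Create":
        client.grant_permissions(**catalog_grant_args(new_arn))
        actions.append(("grant", new_arn))
    elif event["RequestType"] == "Update" and old_arn and old_arn != new_arn:
        client.revoke_permissions(**catalog_grant_args(old_arn))
        client.grant_permissions(**catalog_grant_args(new_arn))
        actions += [("revoke", old_arn), ("grant", new_arn)]
    elif event["RequestType"] == "Delete":
        client.revoke_permissions(**catalog_grant_args(new_arn))
        actions.append(("revoke", new_arn))
    return actions
```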

aws-austin-lee commented 2 years ago

CreateTableDefaultPermissions is now supported. Please see documentation here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-glue-database-databaseinput.html#cfn-glue-database-databaseinput-createtabledefaultpermissions.