Documentation error for "lakeformation batch-grant-permissions" for LF-Tag permissions

[BradBender]

Confirm by changing [ ] to [x] below to ensure that it's a bug:

• [x] I've gone though the User Guide and the API reference
• [x] I've searched for previous similar issues and didn't find any solution

Describe the bug CLI docs incorrectly describe JSON syntax for LF-Tag permissions. As seen here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lakeformation/batch-grant-permissions.html

We are trying to grant a Role permissions to DESCRIBE and ASSOCIATE an LF-Tag in LakeFormation.

Based on the official docs, one would expect the following JSON to work:

BROKEN.JSON: { "Entries": [ { "Id": "DoesntWork", "Principal": { "DataLakePrincipalIdentifier": "" }, "Resource": { "LFTag": { "TagKey": "ExampleTBAC", "TagValues": ["ExampleValue1","ExampleValue2"] } }, "Permissions": ["DESCRIBE_TAG","ASSOCIATE_TAG"] } ] }

In practice, the syntax is actually:

WORKING.JSON { "Entries": [ { "Id": "DoesntWork", "Principal": { "DataLakePrincipalIdentifier": "" }, "Resource": { "LFTag": { "TagKey": "ExampleTBAC", "TagValues": ["ExampleValue1","ExampleValue2"] } }, "Permissions": ["DESCRIBE","ASSOCIATE"] <==== NOTE the missing "_TAG" } ] }

SDK version number 2.2.39

Platform/OS/Hardware/Device What are you running the cli on? Windows 10

To Reproduce (observed behavior) Run the following command: aws lakeformation batch-grant-permissions --cli-input-json file://broken.json

Run the following command: aws lakeformation batch-grant-permissions --cli-input-json file://working.json

Expected behavior CLI documentation should describe correct values for the JSON inputs:

Ie. "Permissions": ["ALL"|"SELECT"|"ALTER"|"DROP"|"DELETE"|"INSERT"|"DESCRIBE"|"CREATE_DATABASE"|"CREATE_TABLE"|"DATA_LOCATION_ACCESS"|"CREATE_TAG"|"ALTER_TAG"|"DELETE_TAG"|"DESCRIBE"|"ASSOCIATE", ...], "PermissionsWithGrantOption": ["ALL"|"SELECT"|"ALTER"|"DROP"|"DELETE"|"INSERT"|"DESCRIBE"|"CREATE_DATABASE"|"CREATE_TABLE"|"DATA_LOCATION_ACCESS"|"CREATE_TAG"|"ALTER_TAG"|"DELETE_TAG"|"DESCRIBE"|"ASSOCIATE", ...] }

Logs/output N/A.

Additional context This is purely a documentation bug.

[stobrien89]

Hi @BradBender,

Thanks for raising this! This is a duplicate of https://github.com/boto/botocore/issues/2406. I haven't heard back from the Lakeformation team yet, so I'll make sure to escalate this.

[github-actions[bot]]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.