Open hkuchi opened 3 years ago
boto3 or AWS Lakeformation API does not have the functionality to grant permissions to all tables. The closest is batch_grant_permissions or batch_revoke_permissions. However, these APIs take a maximum of 20 entries.
The nice part of lakecli is that it can be part of a script - bash or python - and you can automate granting permissions to a larger set. Happy to discuss if you want to try writing such a script.
Hi Rajat, Thank you for your response.
Per the boto3 documentation, batch_grant_permissions can take a list of up to 20 entries. However, granting permissions to ALL TABLES within a database can be performed by using the "TableWildcard" option.
TableWildcard (dict) --
A wildcard object representing every table under a database.
Alternatively, this works via the CLI as well:
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=<ARN_OF_THE_IAM_PRINCIPAL> \
  --permissions "SELECT" --resource '{"Table": {"DatabaseName": "<DBNAME>", "TableWildcard": {} } }'
The above command grants SELECT access to ALL TABLES within the
I wonder if this feature could be added to lakecli; that would make it way easier to work with databases containing a large number of tables. Apart from this limitation, I found lakecli to be useful to view/query permissions in a SQL-like dialect and to grant individual permissions!
Thanks.
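The two approaches discussed in this thread, side by side, as an added example (not part of the issue and not lakecli code): one `grant_permissions` request using `TableWildcard`, and explicit per-table grants split to respect the 20-entry limit of `batch_grant_permissions`. The helper names, the entry `Id` scheme, the account id, role and database name are assumptions made for illustration.

```python
from itertools import islice

MAX_BATCH = 20  # per-call entry limit quoted in the thread


def _principal(arn):
    return {"DataLakePrincipalIdentifier": arn}


def wildcard_grant_request(principal_arn, database, permissions=("SELECT",)):
    """kwargs for grant_permissions covering every table under `database`."""
    return {
        "Principal": _principal(principal_arn),
        "Resource": {"Table": {"DatabaseName": database, "TableWildcard": {}}},
        "Permissions": list(permissions),
    }


def batched_grant_requests(principal_arn, database, tables, permissions=("SELECT",)):
    """Yield kwargs for batch_grant_permissions, at most MAX_BATCH entries each."""
    it, start = iter(tables), 0
    while chunk := list(islice(it, MAX_BATCH)):
        yield {"Entries": [
            {
                "Id": f"{database}-{start + i}",  # unique per entry (assumed scheme)
                "Principal": _principal(principal_arn),
                "Resource": {"Table": {"DatabaseName": database, "Name": name}},
                "Permissions": list(permissions),
            }
            for i, name in enumerate(chunk)
        ]}
        start += len(chunk)


def grant_explicit_tables(client, principal_arn, database, tables, permissions=("SELECT",)):
    """Send every batch; return the per-entry failures reported by the API."""
    failures = []
    for request in batched_grant_requests(principal_arn, database, tables, permissions):
        response = client.batch_grant_permissions(**request)
        failures.extend(response.get("Failures", []))
    return failures


if __name__ == "__main__":
    import boto3  # requires AWS credentials allowed to grant in Lake Formation

    lf = boto3.client("lakeformation")
    arn = "arn:aws:iam::111122223333:role/analyst"  # constructed placeholder
    lf.grant_permissions(**wildcard_grant_request(arn, "sales_db"))
```

The explicit form keeps the grant limited to the tables you name, at the cost of one call per 20 tables; the wildcard form is a single grant over every table under the database.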
Thanks for pointing this out. This is a valid feature request and it should be possible to support. I'll add it to the queue. Happy to also accept contributions :)
Hey @vrajat any idea when this enhancement request is being planned? Happy to pair with you on this.
Hi, I haven't had a chance to work on this feature. Most of my time is spent on tokern/data-lineage. However, I am happy to collaborate, work together to design and accept any contributions. This will also motivate me to support other feature requests like #17 by integrating tokern/dbcat to pull more info from AWS glue.
Will you be able to contribute code for this feature?
Issue Summary
While lakecli is a great tool to view and manage permissions for your lakeformation resources, I think it is missing the ALL_TABLES grant option. For instance, if there are, say, 500 tables within a database, is it possible to GRANT select on ALL TABLES in the database to a principal instead of granting one table at a time?