---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# aws_lakeformation_permissions{% #aws_lakeformation_permissions %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `principal_resource_permissions`{% #principal_resource_permissions %}

**Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `PrincipalResourcePermissions` **Description**: A list of principals and their permissions on the resource for the specified principal and resource types.

- `additional_details` **Type**: `STRUCT` **Provider name**: `AdditionalDetails` **Description**: This attribute can be used to return any additional details of `PrincipalResourcePermissions`. Currently, it returns only a RAM resource share ARN.
  - `resource_share` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `ResourceShare` **Description**: A resource share ARN for a catalog resource shared through RAM.
- `condition` **Type**: `STRUCT` **Provider name**: `Condition` **Description**: A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.
  - `expression` **Type**: `STRING` **Provider name**: `Expression` **Description**: An expression written based on the Cedar Policy Language used to match the principal attributes.
- `last_updated` **Type**: `TIMESTAMP` **Provider name**: `LastUpdated` **Description**: The date and time when the resource was last updated.
- `last_updated_by` **Type**: `STRING` **Provider name**: `LastUpdatedBy` **Description**: The user who updated the record.
- `permissions` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `Permissions` **Description**: The permissions to be granted or revoked on the resource.
- `permissions_with_grant_option` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `PermissionsWithGrantOption` **Description**: Indicates whether to grant the ability to grant permissions (as a subset of permissions granted).
- `principal` **Type**: `STRUCT` **Provider name**: `Principal` **Description**: The Data Lake principal to be granted or revoked permissions.
  - `data_lake_principal_identifier` **Type**: `STRING` **Provider name**: `DataLakePrincipalIdentifier` **Description**: An identifier for the Lake Formation principal.
- `resource` **Type**: `STRUCT` **Provider name**: `Resource` **Description**: The resource where permissions are to be granted or revoked.
  - `catalog` **Type**: `STRUCT` **Provider name**: `Catalog` **Description**: The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    - `id` **Type**: `STRING` **Provider name**: `Id` **Description**: An identifier for the catalog resource.
  - `data_cells_filter` **Type**: `STRUCT` **Provider name**: `DataCellsFilter` **Description**: A data cell filter.
    - `database_name` **Type**: `STRING` **Provider name**: `DatabaseName` **Description**: A database in the Glue Data Catalog.
    - `name` **Type**: `STRING` **Provider name**: `Name` **Description**: The name of the data cells filter.
    - `table_catalog_id` **Type**: `STRING` **Provider name**: `TableCatalogId` **Description**: The ID of the catalog to which the table belongs.
    - `table_name` **Type**: `STRING` **Provider name**: `TableName` **Description**: The name of the table.
  - `data_location` **Type**: `STRUCT` **Provider name**: `DataLocation` **Description**: The location of an Amazon S3 path where permissions are granted or revoked.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
    - `resource_arn` **Type**: `STRING` **Provider name**: `ResourceArn` **Description**: The Amazon Resource Name (ARN) that uniquely identifies the data location resource.
  - `database` **Type**: `STRUCT` **Provider name**: `Database` **Description**: The database for the resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database permissions to a principal.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, it is the account ID of the caller.
    - `name` **Type**: `STRING` **Provider name**: `Name` **Description**: The name of the database resource. Unique to the Data Catalog.
  - `lf_tag` **Type**: `STRUCT` **Provider name**: `LFTag` **Description**: The LF-tag key and values attached to a resource.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    - `tag_key` **Type**: `STRING` **Provider name**: `TagKey` **Description**: The key-name for the LF-tag.
    - `tag_values` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `TagValues` **Description**: A list of possible values an attribute can take.
  - `lf_tag_expression` **Type**: `STRUCT` **Provider name**: `LFTagExpression` **Description**: LF-Tag expression resource. A logical expression composed of one or more LF-Tag key:value pairs.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, the account ID.
    - `name` **Type**: `STRING` **Provider name**: `Name` **Description**: The name of the LF-Tag expression to grant permissions on.
  - `lf_tag_policy` **Type**: `STRUCT` **Provider name**: `LFTagPolicy` **Description**: A list of LF-tag conditions or saved LF-Tag expressions that define a resource's LF-tag policy.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
    - `expression` **Type**: `UNORDERED_LIST_STRUCT` **Provider name**: `Expression` **Description**: A list of LF-tag conditions or a saved expression that apply to the resource's LF-tag policy.
      - `tag_key` **Type**: `STRING` **Provider name**: `TagKey` **Description**: The key-name for the LF-tag.
      - `tag_values` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `TagValues` **Description**: A list of possible values an attribute can take. The maximum number of values that can be defined for an LF-Tag is 1000. A single API call supports 50 values. You can use multiple API calls to add more values.
    - `expression_name` **Type**: `STRING` **Provider name**: `ExpressionName` **Description**: If provided, permissions are granted to the Data Catalog resources whose assigned LF-Tags match the expression body of the saved expression under the provided `ExpressionName`.
    - `resource_type` **Type**: `STRING` **Provider name**: `ResourceType` **Description**: The resource type for which the LF-tag policy applies.
  - `table` **Type**: `STRUCT` **Provider name**: `Table` **Description**: The table for the resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, it is the account ID of the caller.
    - `database_name` **Type**: `STRING` **Provider name**: `DatabaseName` **Description**: The name of the database for the table. Unique to a Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.
    - `name` **Type**: `STRING` **Provider name**: `Name` **Description**: The name of the table.
    - `table_wildcard` **Type**: `STRUCT` **Provider name**: `TableWildcard` **Description**: A wildcard object representing every table under a database. At least one of `TableResource$Name` or `TableResource$TableWildcard` is required.
  - `table_with_columns` **Type**: `STRUCT` **Provider name**: `TableWithColumns` **Description**: The table with columns for the resource. A principal with permissions to this resource can select metadata from the columns of a table in the Data Catalog and the underlying data in Amazon S3.
    - `catalog_id` **Type**: `STRING` **Provider name**: `CatalogId` **Description**: The identifier for the Data Catalog. By default, it is the account ID of the caller.
    - `column_names` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `ColumnNames` **Description**: The list of column names for the table. At least one of `ColumnNames` or `ColumnWildcard` is required.
    - `column_wildcard` **Type**: `STRUCT` **Provider name**: `ColumnWildcard` **Description**: A wildcard specified by a `ColumnWildcard` object. At least one of `ColumnNames` or `ColumnWildcard` is required.
      - `excluded_column_names` **Type**: `UNORDERED_LIST_STRING` **Provider name**: `ExcludedColumnNames` **Description**: Excludes column names. Any column with this name will be excluded.
    - `database_name` **Type**: `STRING` **Provider name**: `DatabaseName` **Description**: The name of the database for the table with columns resource. Unique to the Data Catalog. A database is a set of associated table definitions organized into a logical group. You can Grant and Revoke database privileges to a principal.
    - `name` **Type**: `STRING` **Provider name**: `Name` **Description**: The name of the table resource. A table is a metadata definition that represents your data. You can Grant and Revoke table privileges to a principal.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`
