# Managing LF-Tag value permissions
<a name="TBAC-granting-tags"></a>

You can grant the `Drop` and `Alter` permissions on LF-Tags to principals so that they can manage LF-Tag values and expressions. You can also grant the `Describe`, `Associate`, and `Grant with LF-Tag expressions` permissions on LF-Tags to principals so that they can view the LF-Tags and assign them to Data Catalog resources (databases, tables, and columns). When LF-Tags are assigned to Data Catalog resources, you can use the Lake Formation tag-based access control (LF-TBAC) method to secure those resources. For more information, see [Lake Formation tag-based access control](tag-based-access-control.md).

You can grant these permissions with the grant option so that other principals can grant them. The `Grant with LF-Tag expressions`, `Describe`, and `Associate` permissions are explained in [Add LF-Tag creators](TBAC-adding-tag-creator.md#add-lf-tag-creator).

You can grant the `Describe` and `Associate` permissions on a LF-Tag to an external AWS account. A data lake administrator in that account can then grant those permissions to other principals in the account. Principals to whom the data lake administrator in the external account grants the `Associate` permission can then assign LF-Tags to Data Catalog resources that you shared with their account.

When granting to an external account, you must include the grant option.

You can grant permissions on LF-Tags by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Topics**
+ [Listing LF-Tag permissions using the console](TBAC-listing-tag-perms-console.md)
+ [Granting LF-Tag permissions using the console](TBAC-granting-tags-console.md)
+ [Managing LF-Tag permissions using the AWS CLI](TBAC-granting-revoking-tags-cli.md)

For more information see [Managing LF-Tags for metadata access control](managing-tags.md) and [Lake Formation tag-based access control](tag-based-access-control.md).

# Listing LF-Tag permissions using the console
<a name="TBAC-listing-tag-perms-console"></a>

You can use the Lake Formation console to view the permissions granted on LF-Tags. You must be a LF-Tag creator, a data lake administrator, or have the `Describe` or `Associate` permission on a LF-Tag to see it.

**To list LF-Tag permissions (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag creator, a data lake administrator, or as a user to whom the `Drop`, `Alter`, `Associate`, or `Describe` permissions on LF-Tags have been granted.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**, and then choose the **LF-Tag permissions** section.

   The **LF-Tag permissions** section shows a table that contains principal, tag keys, values, and permissions.  
![\[The page includes a table of permissions with the following columns: Principal, Principal type, Keys, Values, Permissions, and Grantable. There are five rows. To the left of each row is a radio button. Above the table are a search field and these buttons: Refresh, View, Revoke, and Grant. Because no row is initially selected, the View and Revoke buttons are disabled. The values in the first row are: Principal=arn:aws:iam::111122223333:user/datalake_admin, Principal type=IAM user, Keys=environment, Values=All values, Permissions=DESCRIBE, Grantable=DESCRIBE.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/list-tag-permissions-page.png)

# Granting LF-Tag permissions using the console
<a name="TBAC-granting-tags-console"></a>

The following steps explain how to grant permissions on LF-Tags by using the **Grant LF-Tag permissions** page on the Lake Formation console. The page is divided into these sections:
+ **Permission types** – The type of permission to grant.
+ **Principals** – The IAM users or roles, or SAML users or roles, to grant permissions to.
+ **LF-Tag key-value pair permissions** – The LF-Tag key-value pairs to grant permissions on.
+ **LF-Tag permissions** – The LF-Tags to grant permissions on.
+ **LF-Tag expression permissions** – The LF-Tag expressions to grant permissions on.
+ **Permissions** – The permissions to grant.

## Open the **Grant LF-Tag permissions** page
<a name="tag-start-grant"></a>

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag creator, a data lake administrator, or as a user to whom LF-Tag permissions or LF-Tag key-value pair permissions have been granted with the grant option.

1. In the navigation pane, choose **LF-Tags and permissions**, and then choose the **LF-Tag permissions** section.

1. Choose **Grant permissions**.

## Specify the permissions type
<a name="grant-tag-permission-type"></a>

In the **Permissions type** section, choose a permissions type.

LF-Tag permissions  
Choose **LF-Tag permissions** to allow principals to update LF-Tag values or delete LF-Tags.

LF-Tag key-value pair permissions  
Choose **LF-Tag key-value pair permissions** to allow principals to assign LF-Tags to Data Catalog resources, view LF-Tags and their values, and grant LF-Tag-based permissions on Data Catalog resources to principals.  
The options available in the following sections depend on the **Permissions type**.

LF-Tag expression permissions  
Choose **LF-Tag expression permissions** to allow principals to update or delete LF-Tag expressions.

## Specify the principals
<a name="grant-tags-principals"></a>

**Note**  
You can't grant LF-Tag permissions (`Alter` and `Drop`) to external accounts or principals in another account.

In the **Principals** section, choose a principal type and specify principals to grant permissions to.

![\[The principals section contains three tiles that are named in the following text. Each tile contains an option button and text. The IAM users and roles tile is selected, and an IAM users and roles dropdown list is below the tiles.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-tags-principals-section.png)

**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.

**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Quick users or groups. Press **Enter** after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported for Quick Enterprise Edition only.

**External accounts**  
For **AWS account**, enter one or more valid AWS account IDs. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10 to 32 lower-case letters or digits.  
An organizational unit ID starts with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.  
For IAM principal, enter the ARN for the IAM user or role.

## Specify the LF-Tags
<a name="grant-tags-tags"></a>

To grant permissions on LF-Tags, in the **LF-Tag permissions** section, specify the LF-Tags to grant permissions on.

![\[The LF-Tags section shows two rows of fields, where each row, going from left to right, has a Key field, a Value field, and a Remove button. The Value field is a drop-down list. Beneath the two rows of fields is an Add LF-Tag button. The first row shows "module" in the Key field, and beneath the Values field are two small tiles that contain Orders and Sales, respectively, indicating that the user has chosen Orders and Sales as the values for the key module. Each tile has an X that you can click (like a close box) to delete the tile. The second row of fields is empty.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-tags-tags-section-2.png)

+ Choose one or more LF-Tags from the drop-down list.

## Specify the LF-Tag key-value pairs
<a name="w2aac15b9c27c19c21c15"></a>

1. To grant permissions on LF-Tag key-value pairs (you must first choose **LF-Tag key-value pair permissions** as the **Permission type**), choose **Add LF-Tag key-value pair** to reveal the first row of fields for specifying an LF-Tag key and its values.  
![\[Interface for adding LF-Tag key-value pairs and setting associated permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/tag-key-value-pair.png)

1. Position the cursor in the **Key** field, optionally start typing to narrow down the selection list, and select a LF-Tag key.

1. In the **Values** list, select one or more values, and then press **Tab** or click or tap outside the field to save the selected values.

   **Note**  
   If one of the rows in the **Values** list has focus, pressing **Enter** selects or clears the check box.

   The selected values appear as tiles below the **Values** list. Choose the ✖ to remove a value. Choose **Remove** to remove the entire LF-Tag.

1. To add another LF-Tag, choose **Add LF-Tag** again, and repeat the previous two steps.

## Specify the LF-Tag expressions
<a name="w2aac15b9c27c19c21c17"></a>

1. To grant permissions on LF-Tag expressions, first choose **LF-Tag expression permissions** as the **Permission type**.  
![\[Permission type selection interface with LF-Tag expression permissions highlighted.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/tag-expression.png)

1. Choose a LF-Tag expression.

1. The selected expressions appear as tiles below the **LF-Tag expressions** list. Choose the ✖ to remove an expression.

1. To add another LF-Tag expression, choose another expression.

## Specify the permissions
<a name="grant-tags-permissions"></a>

This section shows the **LF-Tag permissions**, **LF-Tag key-value pair permissions**, or **LF-Tag expression permissions** options, depending on the **Permission type** you chose in the previous step.

Select the permissions to grant, and optionally the permissions that the recipient can grant to others.

1. Under **LF-Tag permissions**, select the permissions to grant.

   Granting **Drop** and **Alter** implicitly grants **Describe**. 

   You need to grant **Alter** and **Drop** permissions on all tag values.

1. Under **LF-Tag key-value pair permissions**, select the permissions to grant.

   Granting **Associate** implicitly grants **Describe**. Choose **Grant with LF-Tag expression** to allow the grant recipient to grant or revoke access permissions on Data Catalog resources using the LF-TBAC method.

1. Under **LF-Tag expression permissions**, select the permissions to grant.

   Granting **Drop** and **Alter** implicitly grants **Describe**. 

   Granting the **Super** permission grants all available permissions.

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account.

1. Choose **Grant**.

# Managing LF-Tag permissions using the AWS CLI
<a name="TBAC-granting-revoking-tags-cli"></a>

You can grant, revoke, and list permissions on LF-Tags by using the AWS Command Line Interface (AWS CLI).

**To list LF-Tag permissions (AWS CLI)**
+ Enter a `list-permissions` command. You must be the LF-Tag creator, a data lake administrator, or have the `Drop`, `Alter`, `Describe`, `Associate`, or `Grant with LF-Tag expressions` permission on a LF-Tag to see it.

  The following command requests all LF-Tags that you have permissions on.

  ```
  aws lakeformation list-permissions --resource-type LF_TAG
  ```

  The following is sample output for a data lake administrator, who sees all LF-Tags granted to all principals. Non-administrative users see only LF-Tags granted to them. LF-Tag permissions granted from an external account appear on a separate results page. To see them, repeat the command and supply the `--next-token` argument with the token returned from the previous command run.

  ```
  {
      "PrincipalResourcePermissions": [
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_admin"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "environment",
                      "TagValues": [
                          "*"
                      ]
                  }
              },
              "Permissions": [
                  "ASSOCIATE"
              ],
              "PermissionsWithGrantOption": [
                  "ASSOCIATE"
              ]
          },
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "module",
                      "TagValues": [
                          "Orders",
                          "Sales"
                      ]
                  }
              },
              "Permissions": [
                  "DESCRIBE"
              ],
              "PermissionsWithGrantOption": []
          },
  ...
      ],
      "NextToken": "eyJzaG91bGRRdWVy...Wlzc2lvbnMiOnRydWV9"
  }
  ```

  You can list all grants for a specific LF-Tag key. The following command returns all permissions granted on the LF-Tag `module`.

  ```
  aws lakeformation list-permissions --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```

  You can also list LF-Tag values granted to a specific principal for a specific LF-Tag. When supplying the `--principal` argument, you must supply the `--resource` argument. Therefore, the command can only effectively request the values granted to a specific principal for a specific LF-Tag key. The following command shows how to do this for the principal `datalake_user1` and the LF-Tag key `module`.

  ```
  aws lakeformation list-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```

  The following is sample output.

  ```
  {
      "PrincipalResourcePermissions": [
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "module",
                      "TagValues": [
                          "Orders",
                          "Sales"
                      ]
                  }
              },
              "Permissions": [
                  "ASSOCIATE"
              ],
              "PermissionsWithGrantOption": []
          }
      ]
  }
  ```
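The `list-permissions` output above is the record you review when checking who can use or manage an LF-Tag. The following script is an added example, not part of the Lake Formation documentation or its tooling: it reads one or more output pages (one per `--next-token` round) and flags grants that carry the grant option, grants to principals outside the catalog's account, and `ASSOCIATE` grants scoped to all values (`*`). The sample page is constructed for this example in the same shape as the output shown above; the flag names are this example's own.

```python
import json

# Constructed sample page in the shape of `aws lakeformation list-permissions --resource-type LF_TAG`
# output. Field names follow the documented output; the grants themselves are made up.
SAMPLE_PAGE = json.dumps({
    "PrincipalResourcePermissions": [
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_admin"},
            "Resource": {"LFTag": {"CatalogId": "111122223333", "TagKey": "environment", "TagValues": ["*"]}},
            "Permissions": ["ASSOCIATE"],
            "PermissionsWithGrantOption": ["ASSOCIATE"],
        },
        {
            "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
            "Resource": {"LFTag": {"CatalogId": "111122223333", "TagKey": "module", "TagValues": ["Orders", "Sales"]}},
            "Permissions": ["DESCRIBE"],
            "PermissionsWithGrantOption": [],
        },
        {
            # A cross-account grant: the principal is a bare account ID, not the catalog's account.
            "Principal": {"DataLakePrincipalIdentifier": "123456789012"},
            "Resource": {"LFTag": {"CatalogId": "111122223333", "TagKey": "module", "TagValues": ["sales", "orders"]}},
            "Permissions": ["ASSOCIATE"],
            "PermissionsWithGrantOption": ["ASSOCIATE"],
        },
    ]
})


def principal_account(principal):
    """Return the 12-digit account ID of a principal given as a bare account ID or an IAM ARN."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")          # arn:partition:service:region:account:resource
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_lf_tag_grants(pages):
    """Summarise every LF-Tag grant across the given output pages and attach review flags.

    Flags (this example's own names):
      grant-option          the recipient can pass the permission on to others
      cross-account         the principal lives outside the LF-Tag's catalog account
      associate-all-values  ASSOCIATE covers every value of the key ("*")
      can-manage-tag        DROP or ALTER is granted, so the recipient can change the tag itself
    """
    findings = []
    for page in pages:
        for entry in json.loads(page)["PrincipalResourcePermissions"]:
            tag = entry["Resource"]["LFTag"]
            principal = entry["Principal"]["DataLakePrincipalIdentifier"]
            perms = set(entry["Permissions"])
            flags = []
            if entry.get("PermissionsWithGrantOption"):
                flags.append("grant-option")
            if principal_account(principal) != tag["CatalogId"]:
                flags.append("cross-account")
            if "ASSOCIATE" in perms and "*" in tag["TagValues"]:
                flags.append("associate-all-values")
            if perms & {"DROP", "ALTER"}:
                flags.append("can-manage-tag")
            findings.append({
                "principal": principal,
                "tag": tag["TagKey"] + "=" + ",".join(tag["TagValues"]),
                "permissions": sorted(perms),
                "flags": flags,
            })
    return findings


if __name__ == "__main__":
    # Pass every page you fetched; external-account grants arrive on a later page.
    for finding in audit_lf_tag_grants([SAMPLE_PAGE]):
        print(f'{finding["principal"]:55} {finding["tag"]:25} {finding["permissions"]} {finding["flags"]}')
```

Feed the script the JSON from each `list-permissions` call, including the pages you fetch with `--next-token`, so that grants made to external accounts are not missed.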

**To grant permissions on LF-Tags (AWS CLI)**

1. Enter a command similar to the following. This example grants to user `datalake_user1` the `Associate` permission on the LF-Tag with the key `module`. It grants permissions to view and assign all values for that key, as indicated by the asterisk (`*`).

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```

   Granting the `Associate` permission implicitly grants the `Describe` permission.

   The next example grants `Associate` to the external AWS account 1234-5678-9012 on the LF-Tag with the key `module`, with the grant option. It grants permissions to view and assign only the values `sales` and `orders`.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=123456789012 --permissions "ASSOCIATE" --permissions-with-grant-option "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
   ```

1. Granting the `GrantWithLFTagExpression` permission implicitly grants the `Describe` permission.

   The next example grants `GrantWithLFTagExpression` to a user on the LF-Tag with the key `module`, with the grant option. It grants permissions to view and grant permissions on Data Catalog resources using only the values `sales` and `orders`.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "GrantWithLFTagExpression" --permissions-with-grant-option "GrantWithLFTagExpression" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
   ```

1. The next example grants `Drop` permissions to a user on the LF-Tag with the key `module`, with the grant option. It grants permissions to delete the LF-Tag. To delete a LF-Tag, you need permissions on all values for that key.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "DROP" --permissions-with-grant-option "DROP" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```

1. The next example grants `Alter` permissions to the user on the LF-Tag with the key `module`, with the grant option. It grants permissions to update the LF-Tag. To update a LF-Tag, you need permissions on all values for that key.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```
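The grant examples above follow a few rules that are stated in prose on this page: `Drop` and `Alter` must be granted on all values (`*`) and cannot be granted to principals in another account, and a grant to an external account must include the grant option. The following script is an added example, not part of the Lake Formation documentation or the AWS CLI: it checks a requested grant against those rules before assembling the `grant-permissions` (or `revoke-permissions`) argument list, so that a mistaken grant is caught before the command runs. It assumes the permission names are spelled exactly as the CLI examples above spell them.

```python
import json
import shlex

# Permission names as the CLI examples on this page spell them (assumption: the CLI accepts
# exactly these strings).
LF_TAG_PERMISSIONS = {"DROP", "ALTER"}                                         # manage the LF-Tag itself
KEY_VALUE_PERMISSIONS = {"DESCRIBE", "ASSOCIATE", "GrantWithLFTagExpression"}  # use the LF-Tag


def principal_account(principal):
    """Return the 12-digit account ID of a principal given as a bare account ID or an IAM ARN."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")          # arn:partition:service:region:account:resource
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def grant_violation(principal, catalog_id, tag_values, permissions, grant_option=()):
    """Return a message for the first page-stated rule the requested grant breaks, or None."""
    permissions, grant_option = set(permissions), set(grant_option)
    unknown = permissions - LF_TAG_PERMISSIONS - KEY_VALUE_PERMISSIONS
    if unknown:
        return f"unknown LF-Tag permission(s): {sorted(unknown)}"
    if not grant_option <= permissions:
        return "the grant option can only cover permissions that are also granted"
    external = principal_account(principal) != catalog_id
    if permissions & LF_TAG_PERMISSIONS:
        if list(tag_values) != ["*"]:
            return "DROP/ALTER must be granted on all values: TagValues must be ['*']"
        if external:
            return "DROP/ALTER can't be granted to principals in another account"
    if external and not grant_option:
        return "grants to an external account must include the grant option"
    return None


def build_command(action, principal, catalog_id, tag_key, tag_values, permissions, grant_option=()):
    """Build argv for `aws lakeformation grant-permissions` or `revoke-permissions` on one LF-Tag.

    Grants are validated with grant_violation(); revokes are built as requested.
    """
    if action not in ("grant", "revoke"):
        raise ValueError("action must be 'grant' or 'revoke'")
    if action == "grant":
        problem = grant_violation(principal, catalog_id, tag_values, permissions, grant_option)
        if problem:
            raise ValueError(problem)
    # Same --resource JSON shape as the commands above.
    resource = json.dumps({"LFTag": {"CatalogId": catalog_id, "TagKey": tag_key,
                                     "TagValues": list(tag_values)}})
    argv = ["aws", "lakeformation", f"{action}-permissions",
            "--principal", f"DataLakePrincipalIdentifier={principal}",
            "--permissions", *permissions,
            "--resource", resource]
    if grant_option:
        argv += ["--permissions-with-grant-option", *grant_option]
    return argv


if __name__ == "__main__":
    # The page's cross-account ASSOCIATE example, rendered as a shell command line.
    print(shlex.join(build_command("grant", "123456789012", "111122223333", "module",
                                   ["sales", "orders"], ["ASSOCIATE"], ["ASSOCIATE"])))
    # A grant the page's rules reject: DROP to another account.
    print(grant_violation("123456789012", "111122223333", ["*"], ["DROP"], ["DROP"]))
```

`shlex.join` is only for display; to run the command, pass the returned list to `subprocess.run` unchanged so the JSON in `--resource` is not re-parsed by a shell.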

**To revoke permissions on LF-Tags (AWS CLI)**
+ Enter a command similar to the following. This example revokes the `Associate` permission on the LF-Tag with the key `module` from user `datalake_user1`.

  ```
  aws lakeformation revoke-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```