Table: aws_lakeformation_tag - Query AWS Lake Formation Tags Using SQL
The aws_lakeformation_tag table allows you to query AWS Lake Formation LF-tags, providing details about the tag keys, possible tag values, and associated AWS accounts. This table helps data governance teams and security administrators monitor and manage LF-tag-based access control effectively.
Table Usage Guide
The aws_lakeformation_tag table provides insights into LF-tags applied to AWS Lake Formation resources. LF-tags (Lake Formation tags) enable attribute-based access control (ABAC), allowing administrators to grant permissions dynamically based on tag keys and values instead of manually assigning policies to users or roles. This table helps track registered LF-tags, their associated AWS account, region, and partition, and provides a list of possible values an attribute can take.
Examples
List all AWS Lake Formation LF-tags
Retrieve a list of all LF-tags registered in AWS Lake Formation, including their key names and possible values.
select
  catalog_id,
  tag_key,
  tag_values
from
  aws_lakeformation_tag;
Find LF-tags in a specific AWS Region
Identify LF-tags that are registered in a particular AWS region.
select
  tag_key,
  tag_values,
  region
from
  aws_lakeformation_tag
where
  region = 'us-east-1';
Get LF-tags associated with a specific catalog
Find all LF-tags that belong to a given catalog.
select
  tag_key,
  tag_values,
  account_id
from
  aws_lakeformation_tag
where
  catalog_id = '123456789012';
List LF-tags with multiple possible values
Retrieve LF-tags that have multiple values assigned.
select
  tag_key,
  tag_values
from
  aws_lakeformation_tag
where
  jsonb_array_length(tag_values) > 1;
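Audit LF-tag value drift across regions
This query is an added example, not part of the Steampipe documentation. Because LF-tag values drive ABAC grants, it expands tag_values into rows and reports any tag key whose set of allowed values differs between regions of the same catalog. It assumes PostgreSQL and that a given tag key is meant to carry the same values in every region; the CTE and output column names are illustrative.

```sql
-- Added example: detect LF-tag keys whose allowed values differ by region.
with expanded as (
  -- One row per (catalog, region, key, value).
  select
    t.catalog_id,
    t.region,
    t.tag_key,
    v.value as tag_value
  from
    aws_lakeformation_tag as t,
    jsonb_array_elements_text(t.tag_values) as v(value)
),
per_region as (
  -- Canonical, sorted value set for each key in each region.
  select
    catalog_id,
    region,
    tag_key,
    string_agg(tag_value, ',' order by tag_value) as value_set
  from
    expanded
  group by
    catalog_id,
    region,
    tag_key
)
select
  catalog_id,
  tag_key,
  count(distinct value_set) as distinct_value_sets,
  jsonb_object_agg(region, value_set) as value_set_by_region
from
  per_region
group by
  catalog_id,
  tag_key
having
  count(distinct value_set) > 1
order by
  catalog_id,
  tag_key;
```

An empty result means every tag key returned by the connection has the same value set in each region where it is defined.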
Schema for aws_lakeformation_tag
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
catalog_id | text | = | The identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tag_key | text | = | The key-name for the LF-tag. |
tag_values | jsonb | | A list of possible values an attribute can take. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config argument:
steampipe_export_aws --config '<your_config>' aws_lakeformation_tag