This release added "condition" to LakeFormation OptIn APIs, also added WithPrivilegedAccess flag to RegisterResource and DescribeResource.

Author: aws-sdk-dotnet-automation

generator/ServiceModels/lakeformation/lakeformation-2017-03-31.api.json

@@ -191,7 +191,8 @@
         {"shape":"OperationTimeoutException"},
         {"shape":"EntityNotFoundException"},
         {"shape":"AccessDeniedException"},
-        {"shape":"ConcurrentModificationException"}
+        {"shape":"ConcurrentModificationException"},
+        {"shape":"ResourceNumberLimitExceededException"}
       ]
     },
     "DeleteDataCellsFilter":{
@@ -1126,6 +1127,7 @@
         "Principal":{"shape":"DataLakePrincipal"},
         "Resource":{"shape":"Resource"},
         "Permissions":{"shape":"PermissionList"},
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{"shape":"PermissionList"}
       }
     },
@@ -1147,6 +1149,7 @@
         "Failures":{"shape":"BatchPermissionsFailureList"}
       }
     },
+    "Boolean":{"type":"boolean"},
     "BooleanNullable":{"type":"boolean"},
     "CancelTransactionRequest":{
       "type":"structure",
@@ -1315,7 +1318,8 @@
       ],
       "members":{
         "Principal":{"shape":"DataLakePrincipal"},
-        "Resource":{"shape":"Resource"}
+        "Resource":{"shape":"Resource"},
+        "Condition":{"shape":"Condition"}
       }
     },
     "CreateLakeFormationOptInResponse":{
@@ -1490,7 +1494,8 @@
       ],
       "members":{
         "Principal":{"shape":"DataLakePrincipal"},
-        "Resource":{"shape":"Resource"}
+        "Resource":{"shape":"Resource"},
+        "Condition":{"shape":"Condition"}
       }
     },
     "DeleteLakeFormationOptInResponse":{
@@ -1991,6 +1996,7 @@
         "Principal":{"shape":"DataLakePrincipal"},
         "Resource":{"shape":"Resource"},
         "Permissions":{"shape":"PermissionList"},
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{"shape":"PermissionList"}
       }
     },
@@ -2530,7 +2536,8 @@
         "UseServiceLinkedRole":{"shape":"NullableBoolean"},
         "RoleArn":{"shape":"IAMRoleArn"},
         "WithFederation":{"shape":"NullableBoolean"},
-        "HybridAccessEnabled":{"shape":"NullableBoolean"}
+        "HybridAccessEnabled":{"shape":"NullableBoolean"},
+        "WithPrivilegedAccess":{"shape":"Boolean"}
       }
     },
     "RegisterResourceResponse":{
@@ -2578,7 +2585,8 @@
         "RoleArn":{"shape":"IAMRoleArn"},
         "LastModified":{"shape":"LastModifiedTimestamp"},
         "WithFederation":{"shape":"NullableBoolean"},
-        "HybridAccessEnabled":{"shape":"NullableBoolean"}
+        "HybridAccessEnabled":{"shape":"NullableBoolean"},
+        "WithPrivilegedAccess":{"shape":"NullableBoolean"}
       }
     },
     "ResourceInfoList":{
@@ -2635,6 +2643,7 @@
         "Principal":{"shape":"DataLakePrincipal"},
         "Resource":{"shape":"Resource"},
         "Permissions":{"shape":"PermissionList"},
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{"shape":"PermissionList"}
       }
     },

generator/ServiceModels/lakeformation/lakeformation-2017-03-31.docs.json

@@ -48,7 +48,7 @@
     "ListTableStorageOptimizers": "<p>Returns the configuration of all storage optimizers associated with a specified table.</p>",
     "ListTransactions": "<p>Returns metadata about transactions and their status. To prevent the response from growing indefinitely, only uncommitted transactions and those available for time-travel queries are returned.</p> <p>This operation can help you identify uncommitted transactions or to get information about transactions.</p>",
     "PutDataLakeSettings": "<p>Sets the list of data lake administrators who have admin privileges on all resources managed by Lake Formation. For more information on admin privileges, see <a href=\"https://docs.aws.amazon.com/lake-formation/latest/dg/lake-formation-permissions.html\">Granting Lake Formation Permissions</a>.</p> <p>This API replaces the current list of data lake admins with the new list being passed. To add an admin, fetch the current list and add the new admin to that list and pass that list in this API.</p>",
-    "RegisterResource": "<p>Registers the resource as managed by the Data Catalog.</p> <p>To add or update data, Lake Formation needs read/write access to the chosen Amazon S3 path. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.</p> <p>The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location.</p> <p> <code>ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true</code> </p> <p>If <code>UseServiceLinkedRole</code> is not set to true, you must provide or set the <code>RoleArn</code>:</p> <p> <code>arn:aws:iam::12345:role/my-data-access-role</code> </p>",
+    "RegisterResource": "<p>Registers the resource as managed by the Data Catalog.</p> <p>To add or update data, Lake Formation needs read/write access to the chosen data location. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.</p> <p>The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location.</p> <p> <code>ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true</code> </p> <p>If <code>UseServiceLinkedRole</code> is not set to true, you must provide or set the <code>RoleArn</code>:</p> <p> <code>arn:aws:iam::12345:role/my-data-access-role</code> </p>",
     "RemoveLFTagsFromResource": "<p>Removes an LF-tag from the resource. Only database, table, or tableWithColumns resource are allowed. To tag columns, use the column inclusion list in <code>tableWithColumns</code> to specify column input.</p>",
     "RevokePermissions": "<p>Revokes permissions to the principal to access metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3.</p>",
     "SearchDatabasesByLFTags": "<p>This operation allows a search on <code>DATABASE</code> resources by <code>TagCondition</code>. This operation is used by admins who want to grant user permissions on certain <code>TagConditions</code>. Before making a grant, the admin can use <code>SearchDatabasesByTags</code> to find all resources where the given <code>TagConditions</code> are valid to verify whether the returned resources can be shared.</p>",
@@ -199,6 +199,12 @@
       "refs": {
       }
     },
+    "Boolean": {
+      "base": null,
+      "refs": {
+        "RegisterResourceRequest$WithPrivilegedAccess": "<p>Grants the calling principal the permissions to perform all supported Lake Formation operations on the registered data location. </p>"
+      }
+    },
     "BooleanNullable": {
       "base": null,
       "refs": {
@@ -330,8 +336,13 @@
     "Condition": {
       "base": "<p>A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.</p>",
       "refs": {
+        "BatchPermissionsRequestEntry$Condition": null,
+        "CreateLakeFormationOptInRequest$Condition": null,
+        "DeleteLakeFormationOptInRequest$Condition": null,
+        "GrantPermissionsRequest$Condition": null,
         "LakeFormationOptInsInfo$Condition": "<p>A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.</p>",
-        "PrincipalResourcePermissions$Condition": "<p>A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.</p>"
+        "PrincipalResourcePermissions$Condition": "<p>A Lake Formation condition, which applies to permissions and opt-ins that contain an expression.</p>",
+        "RevokePermissionsRequest$Condition": null
       }
     },
     "ContextKey": {
@@ -1243,6 +1254,7 @@
         "RegisterResourceRequest$HybridAccessEnabled": "<p> Specifies whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. </p>",
         "ResourceInfo$WithFederation": "<p>Whether or not the resource is a federated resource.</p>",
         "ResourceInfo$HybridAccessEnabled": "<p> Indicates whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. </p>",
+        "ResourceInfo$WithPrivilegedAccess": "<p>Grants the calling principal the permissions to perform all supported Lake Formation operations on the registered data location. </p>",
         "UpdateResourceRequest$WithFederation": "<p>Whether or not the resource is a federated resource.</p>",
         "UpdateResourceRequest$HybridAccessEnabled": "<p> Specifies whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. </p>"
       }

generator/ServiceModels/lakeformation/lakeformation-2017-03-31.normal.json

@@ -201,7 +201,8 @@
         {"shape":"OperationTimeoutException"},
         {"shape":"EntityNotFoundException"},
         {"shape":"AccessDeniedException"},
-        {"shape":"ConcurrentModificationException"}
+        {"shape":"ConcurrentModificationException"},
+        {"shape":"ResourceNumberLimitExceededException"}
       ],
       "documentation":"<p>Enforce Lake Formation permissions for the given databases, tables, and principals.</p>"
     },
@@ -814,7 +815,7 @@
         {"shape":"ResourceNumberLimitExceededException"},
         {"shape":"AccessDeniedException"}
       ],
-      "documentation":"<p>Registers the resource as managed by the Data Catalog.</p> <p>To add or update data, Lake Formation needs read/write access to the chosen Amazon S3 path. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.</p> <p>The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location.</p> <p> <code>ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true</code> </p> <p>If <code>UseServiceLinkedRole</code> is not set to true, you must provide or set the <code>RoleArn</code>:</p> <p> <code>arn:aws:iam::12345:role/my-data-access-role</code> </p>"
+      "documentation":"<p>Registers the resource as managed by the Data Catalog.</p> <p>To add or update data, Lake Formation needs read/write access to the chosen data location. Choose a role that you know has permission to do this, or choose the AWSServiceRoleForLakeFormationDataAccess service-linked role. When you register the first Amazon S3 path, the service-linked role and a new inline policy are created on your behalf. Lake Formation adds the first path to the inline policy and attaches it to the service-linked role. When you register subsequent paths, Lake Formation adds the path to the existing policy.</p> <p>The following request registers a new location and gives Lake Formation permission to use the service-linked role to access that location.</p> <p> <code>ResourceArn = arn:aws:s3:::my-bucket/ UseServiceLinkedRole = true</code> </p> <p>If <code>UseServiceLinkedRole</code> is not set to true, you must provide or set the <code>RoleArn</code>:</p> <p> <code>arn:aws:iam::12345:role/my-data-access-role</code> </p>"
     },
     "RemoveLFTagsFromResource":{
       "name":"RemoveLFTagsFromResource",
@@ -1276,6 +1277,7 @@
           "shape":"PermissionList",
           "documentation":"<p>The permissions to be granted.</p>"
         },
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{
           "shape":"PermissionList",
           "documentation":"<p>Indicates if the option to pass permissions is granted.</p>"
@@ -1310,6 +1312,7 @@
         }
       }
     },
+    "Boolean":{"type":"boolean"},
     "BooleanNullable":{"type":"boolean"},
     "CancelTransactionRequest":{
       "type":"structure",
@@ -1549,7 +1552,8 @@
       ],
       "members":{
         "Principal":{"shape":"DataLakePrincipal"},
-        "Resource":{"shape":"Resource"}
+        "Resource":{"shape":"Resource"},
+        "Condition":{"shape":"Condition"}
       }
     },
     "CreateLakeFormationOptInResponse":{
@@ -1838,7 +1842,8 @@
       ],
       "members":{
         "Principal":{"shape":"DataLakePrincipal"},
-        "Resource":{"shape":"Resource"}
+        "Resource":{"shape":"Resource"},
+        "Condition":{"shape":"Condition"}
       }
     },
     "DeleteLakeFormationOptInResponse":{
@@ -2708,6 +2713,7 @@
           "shape":"PermissionList",
           "documentation":"<p>The permissions granted to the principal on the resource. Lake Formation defines privileges to grant and revoke access to metadata in the Data Catalog and data organized in underlying data storage such as Amazon S3. Lake Formation requires that each principal be authorized to perform a specific task on Lake Formation resources. </p>"
         },
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{
           "shape":"PermissionList",
           "documentation":"<p>Indicates a list of the granted permissions that the principal may pass to other users. These permissions may only be a subset of the permissions granted in the <code>Privileges</code>.</p>"
@@ -3599,6 +3605,10 @@
         "HybridAccessEnabled":{
           "shape":"NullableBoolean",
           "documentation":"<p> Specifies whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. </p>"
+        },
+        "WithPrivilegedAccess":{
+          "shape":"Boolean",
+          "documentation":"<p>Grants the calling principal the permissions to perform all supported Lake Formation operations on the registered data location. </p>"
         }
       }
     },
@@ -3702,6 +3712,10 @@
         "HybridAccessEnabled":{
           "shape":"NullableBoolean",
           "documentation":"<p> Indicates whether the data access of tables pointing to the location can be managed by both Lake Formation permissions as well as Amazon S3 bucket policies. </p>"
+        },
+        "WithPrivilegedAccess":{
+          "shape":"NullableBoolean",
+          "documentation":"<p>Grants the calling principal the permissions to perform all supported Lake Formation operations on the registered data location. </p>"
         }
       },
       "documentation":"<p>A structure containing information about an Lake Formation resource.</p>"
@@ -3780,6 +3794,7 @@
           "shape":"PermissionList",
           "documentation":"<p>The permissions revoked to the principal on the resource. For information about permissions, see <a href=\"https://docs.aws.amazon.com/lake-formation/latest/dg/security-data-access.html\">Security and Access Control to Metadata and Data</a>.</p>"
         },
+        "Condition":{"shape":"Condition"},
         "PermissionsWithGrantOption":{
           "shape":"PermissionList",
           "documentation":"<p>Indicates a list of permissions for which to revoke the grant option allowing the principal to pass permissions to other principals.</p>"

sdk/src/Services/LakeFormation/Generated/Model/BatchPermissionsRequestEntry.cs

@@ -34,12 +34,28 @@ namespace Amazon.LakeFormation.Model
     /// </summary>
     public partial class BatchPermissionsRequestEntry
     {
+        private Condition _condition;
         private string _id;
         private List<string> _permissions = AWSConfigs.InitializeCollections ? new List<string>() : null;
         private List<string> _permissionsWithGrantOption = AWSConfigs.InitializeCollections ? new List<string>() : null;
         private DataLakePrincipal _principal;
         private Resource _resource;
 
+        /// <summary>
+        /// Gets and sets the property Condition.
+        /// </summary>
+        public Condition Condition
+        {
+            get { return this._condition; }
+            set { this._condition = value; }
+        }
+
+        // Check to see if Condition property is set
+        internal bool IsSetCondition()
+        {
+            return this._condition != null;
+        }
+
         /// <summary>
         /// Gets and sets the property Id. 
         /// <para>

sdk/src/Services/LakeFormation/Generated/Model/CreateLakeFormationOptInRequest.cs

@@ -35,9 +35,25 @@ namespace Amazon.LakeFormation.Model
     /// </summary>
     public partial class CreateLakeFormationOptInRequest : AmazonLakeFormationRequest
     {
+        private Condition _condition;
         private DataLakePrincipal _principal;
         private Resource _resource;
 
+        /// <summary>
+        /// Gets and sets the property Condition.
+        /// </summary>
+        public Condition Condition
+        {
+            get { return this._condition; }
+            set { this._condition = value; }
+        }
+
+        // Check to see if Condition property is set
+        internal bool IsSetCondition()
+        {
+            return this._condition != null;
+        }
+
         /// <summary>
         /// Gets and sets the property Principal.
         /// </summary>

sdk/src/Services/LakeFormation/Generated/Model/DeleteLakeFormationOptInRequest.cs

@@ -36,9 +36,25 @@ namespace Amazon.LakeFormation.Model
     /// </summary>
     public partial class DeleteLakeFormationOptInRequest : AmazonLakeFormationRequest
     {
+        private Condition _condition;
         private DataLakePrincipal _principal;
         private Resource _resource;
 
+        /// <summary>
+        /// Gets and sets the property Condition.
+        /// </summary>
+        public Condition Condition
+        {
+            get { return this._condition; }
+            set { this._condition = value; }
+        }
+
+        // Check to see if Condition property is set
+        internal bool IsSetCondition()
+        {
+            return this._condition != null;
+        }
+
         /// <summary>
         /// Gets and sets the property Principal.
         /// </summary>

sdk/src/Services/LakeFormation/Generated/Model/GrantPermissionsRequest.cs

@@ -43,6 +43,7 @@ namespace Amazon.LakeFormation.Model
     public partial class GrantPermissionsRequest : AmazonLakeFormationRequest
     {
         private string _catalogId;
+        private Condition _condition;
         private List<string> _permissions = AWSConfigs.InitializeCollections ? new List<string>() : null;
         private List<string> _permissionsWithGrantOption = AWSConfigs.InitializeCollections ? new List<string>() : null;
         private DataLakePrincipal _principal;
@@ -69,6 +70,21 @@ internal bool IsSetCatalogId()
             return this._catalogId != null;
         }
 
+        /// <summary>
+        /// Gets and sets the property Condition.
+        /// </summary>
+        public Condition Condition
+        {
+            get { return this._condition; }
+            set { this._condition = value; }
+        }
+
+        // Check to see if Condition property is set
+        internal bool IsSetCondition()
+        {
+            return this._condition != null;
+        }
+
         /// <summary>
         /// Gets and sets the property Permissions. 
         /// <para>

sdk/src/Services/LakeFormation/Generated/Model/Internal/MarshallTransformations/BatchPermissionsRequestEntryMarshaller.cs

@@ -48,6 +48,17 @@ public void Marshall(BatchPermissionsRequestEntry requestObject, JsonMarshallerC
         {
             if(requestObject == null)
                 return;
+            if(requestObject.IsSetCondition())
+            {
+                context.Writer.WritePropertyName("Condition");
+                context.Writer.WriteObjectStart();
+
+                var marshaller = ConditionMarshaller.Instance;
+                marshaller.Marshall(requestObject.Condition, context);
+
+                context.Writer.WriteObjectEnd();
+            }
+
             if(requestObject.IsSetId())
             {
                 context.Writer.WritePropertyName("Id");