A Java implementation of the Lake Formation Access Grants Plugin for AWS S3 Access Grants integration with Lake Formation.
This plugin provides seamless integration between S3 operations and AWS Lake Formation access grants, enabling fine-grained access control for data stored in S3 through Lake Formation permissions.
- Access Grants Resolution: Automatically resolves Lake Formation temporary credentials for S3 operations
- Intelligent Caching: Implements multi-level caching for both successful credentials and access denied responses using Caffeine cache
- Fallback Support: Falls back to S3 Access Grants when Lake Formation access is denied
- Operation Mapping: Maps S3 operations to appropriate permissions (READ, WRITE, READWRITE) using S3AccessGrantsStaticOperationToPermissionMapper
- SdkPlugin Integration: Integrates with AWS SDK v2 using SdkPlugin interface for seamless client configuration
Main plugin class that implements SdkPlugin and handles:
- Integration with S3AccessGrantsPlugin internally
- Client configuration through
configureClient()method - Fallback mechanism configuration
Custom identity provider that handles:
- Lake Formation credential resolution
- Fallback to S3 Access Grants when access is denied
- Integration with caching system
- AccessGrantsCache: Caches temporary credentials with TTL-based expiration using Caffeine
- AccessDeniedCache: Caches access denied responses to avoid repeated failed requests using Caffeine
- CacheKey: Composite key for cache operations based on credentials, permissions, and S3 prefix
import software.amazon.lakeformation.plugin.accessgrants.plugin.LakeFormationAccessGrantsPlugin;
import software.amazon.awssdk.services.s3.S3Client;
// Initialize S3 client with plugin
// Note: The plugin is DISABLED by default - you must explicitly enable it
S3Client s3Client = S3Client.builder()
.region(Region.US_WEST_2)
.addPlugin(LakeFormationAccessGrantsPlugin.builder()
.enabled(true) // Required: plugin is disabled by default
.enableFallback(true)
.build())
.build();
// Use s3Client normally - plugin will automatically intercept and resolve credentials
s3Client.getObject(GetObjectRequest.builder()
.bucket("my-bucket")
.key("my-key")
.build());| Option | Default | Description |
|---|---|---|
enabled |
false |
Enable/disable the plugin. When disabled, the plugin skips all Lake Formation configuration and uses original credentials. |
enableFallback |
true |
When enabled, falls back to S3 Access Grants (then IAM) if Lake Formation access is denied. |
The plugin works by:
- Registration: The plugin registers as an
SdkPluginwith the S3Client during construction - Configuration: The
configureClient()method sets up the identity provider and integrates with S3AccessGrantsPlugin - Credential Resolution: The identity provider extracts operation type and S3 URI, then checks caches for existing credentials
- Lake Formation Integration: If not cached, calls Lake Formation
getTemporaryDataLocationCredentials - Credential Injection: Returns Lake Formation temporary credentials or falls back to S3 Access Grants
- Caching: Caches both successful credentials and access denied exceptions for future requests
The package includes comprehensive unit tests:
LakeFormationAccessGrantsPluginTest: Tests plugin functionality with mocked Lake Formation clientLakeFormationAccessGrantsIdentityProviderTest: Tests identity provider credential resolutionAccessGrantsCacheTest: Tests credential caching behaviorAccessDeniedCacheTest: Tests access denied exception cachingCacheKeyTest: Tests cache key equality and validation
Run tests with:
mvn testmvn clean compile
mvn test-compile- AWS SDK for Java v2 (S3, Lake Formation)
- S3 Access Grants Plugin for operation-to-permission mapping
- Caffeine cache for high-performance caching
- JUnit 5 and Mockito for testing
See CONTRIBUTING for more information.
This project is licensed under the Apache-2.0 License.