Optional Readonly account: AWS account ID for cross-account principal resolution. Used when the account cannot be determined from the role ARN.
Use cases: Cross-account grants; Multi-account Lake Formation permissions
AWS: AWS account ID for principal resolution
Validation: Optional; 12-digit AWS account ID
Optional Readonly federatedGroup: Federated group name for group-based Lake Formation permissions. Combined with federationProviderArn to construct the principal identity.
Use cases: Active Directory group access; Enterprise group-based governance; Team-level data permissions
AWS: Lake Formation federated group principal via IAM SAML provider
Validation: Optional; requires federationProviderArn when specified
Optional Readonly federatedUser: Federated user name for individual Lake Formation permissions. Combined with federationProviderArn to construct the principal identity.
Use cases: Individual user data access; User-specific permissions; Federated user governance
AWS: Lake Formation federated user principal via IAM SAML provider
Validation: Optional; requires federationProviderArn when specified
Optional Readonly federationProviderArn: IAM federation provider ARN for resolving federated group/user principals. Must reference an existing IAM SAML identity provider.
Use cases: SAML provider integration; Active Directory federation; External IdP connectivity
AWS: IAM SAML identity provider ARN (arn:aws:iam::account:saml-provider/name)
Validation: Optional; required when federatedGroup or federatedUser is specified
Optional Readonly role: IAM role reference for role-based Lake Formation permissions. Can be specified by ARN, name, or SSM parameter reference.
Use cases: IAM role-based data access; Service role permissions; Cross-account role grants
AWS: IAM role for Lake Formation grant assignment
Validation: Optional; valid MdaaRoleRef; mutually exclusive with federated principal types
Defines a Lake Formation principal for grant assignment. Supports federated groups, federated users, and IAM roles as principal types. Federated principals require a matching federationProviderArn; a role principal cannot be combined with a federated one.
Use cases: Federated group access; Individual user permissions; IAM role-based grants; Cross-account principals
AWS: Lake Formation principals (federated via IAM SAML providers or direct IAM roles)
Validation: At least one principal type required; federated types require federationProviderArn
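The validation rules listed above, carried through to the principal identifier a grant would receive, as an added example that is not MDAA's own code. It assumes a simplified props type (LakeFormationPrincipalProps, with role as a plain ARN or role name rather than a full MdaaRoleRef with SSM support), uses the Lake Formation SAML federated principal form <saml-provider ARN>:group/<name> or :user/<name>, and adds one assumption of its own: federatedGroup and federatedUser cannot both be set on a single principal.

```typescript
// Added example, not MDAA's own code: validates a Lake Formation principal
// definition against the rules documented for the props above and resolves
// it to the principal identifier string used in a Lake Formation grant.

interface LakeFormationPrincipalProps {
  readonly account?: string;
  readonly federatedGroup?: string;
  readonly federatedUser?: string;
  readonly federationProviderArn?: string;
  // Assumption: role is an ARN or a bare role name. The real MdaaRoleRef also
  // accepts an SSM parameter reference, which is not modelled here.
  readonly role?: string;
}

const ACCOUNT_ID = /^\d{12}$/;
const SAML_PROVIDER_ARN = /^arn:aws(?:-[a-z]+)?:iam::\d{12}:saml-provider\/[\w+=,.@-]+$/;
const ROLE_ARN = /^arn:aws(?:-[a-z]+)?:iam::(\d{12}):role\/[\w+=,.@\/-]+$/;

// Returns the list of validation failures; an empty list means the principal is valid.
function validatePrincipal(p: LakeFormationPrincipalProps): string[] {
  const errors: string[] = [];
  const hasGroup = p.federatedGroup !== undefined;
  const hasUser = p.federatedUser !== undefined;
  const hasRole = p.role !== undefined;
  const federated = hasGroup || hasUser;

  if (!federated && !hasRole) {
    errors.push("at least one principal type (federatedGroup, federatedUser or role) is required");
  }
  if (federated && hasRole) {
    errors.push("role is mutually exclusive with federatedGroup and federatedUser");
  }
  if (federated && p.federationProviderArn === undefined) {
    errors.push("federationProviderArn is required when federatedGroup or federatedUser is specified");
  }
  // Assumption of this example: one principal resolves to exactly one identity.
  if (hasGroup && hasUser) {
    errors.push("federatedGroup and federatedUser cannot both be specified");
  }
  if (p.federationProviderArn !== undefined && !SAML_PROVIDER_ARN.test(p.federationProviderArn)) {
    errors.push("federationProviderArn must be an IAM SAML provider ARN (arn:aws:iam::account:saml-provider/name)");
  }
  if (p.account !== undefined && !ACCOUNT_ID.test(p.account)) {
    errors.push("account must be a 12-digit AWS account ID");
  }
  // A role given by name carries no account; the account prop must supply it.
  if (hasRole && !ROLE_ARN.test(p.role!) && p.account === undefined) {
    errors.push("account is required to resolve a role given by name");
  }
  return errors;
}

// Account the grant targets: taken from the role ARN when one is present,
// otherwise from the account prop (the cross-account case described above).
function resolveAccount(p: LakeFormationPrincipalProps): string | undefined {
  const m = p.role !== undefined ? ROLE_ARN.exec(p.role) : null;
  return m ? m[1] : p.account;
}

// Builds the DataLakePrincipalIdentifier for the grant. Federated identities
// use the Lake Formation SAML principal form <saml-provider ARN>:group/<name>
// or <saml-provider ARN>:user/<name>; roles resolve to the role ARN.
function resolvePrincipal(p: LakeFormationPrincipalProps): string {
  const errors = validatePrincipal(p);
  if (errors.length > 0) {
    throw new Error(`invalid Lake Formation principal: ${errors.join("; ")}`);
  }
  if (p.federatedGroup !== undefined) {
    return `${p.federationProviderArn}:group/${p.federatedGroup}`;
  }
  if (p.federatedUser !== undefined) {
    return `${p.federationProviderArn}:user/${p.federatedUser}`;
  }
  const role = p.role!;
  return ROLE_ARN.test(role) ? role : `arn:aws:iam::${p.account}:role/${role}`;
}
```

Running validatePrincipal first and refusing to build an identifier from an invalid definition matters because a grant silently issued to a malformed or partially specified principal is a least-privilege failure that only shows up when someone audits Lake Formation permissions later.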