Amazon QLDB

2021/05/26 - Amazon QLDB - 1 new 2 updated api methods

Changes  Support STANDARD permissions mode in CreateLedger and DescribeLedger. Add UpdateLedgerPermissionsMode to update permissions mode on existing ledgers.

UpdateLedgerPermissionsMode (new) Link ¶

Updates the permissions mode of a ledger.

See also: AWS API Documentation

Request Syntax

client.update_ledger_permissions_mode(
    Name='string',
    PermissionsMode='ALLOW_ALL'|'STANDARD'
)
type Name

string

param Name

[REQUIRED]

The name of the ledger.

type PermissionsMode

string

param PermissionsMode

[REQUIRED]

The permissions mode to assign to the ledger. This parameter can have one of the following values:

  • ALLOW_ALL : A legacy permissions mode that enables access control with API-level granularity for ledgers. This mode allows users who have SendCommand permissions for this ledger to run all PartiQL commands (hence, ALLOW_ALL ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.

  • STANDARD : (Recommended ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands. By default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to SendCommand API permissions for the ledger.

Note

We strongly recommend using the STANDARD permissions mode to maximize the security of your ledger data.

rtype

dict

returns

Response Syntax

{
    'Name': 'string',
    'Arn': 'string',
    'PermissionsMode': 'ALLOW_ALL'|'STANDARD'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the ledger.

    • Arn (string) --

      The Amazon Resource Name (ARN) for the ledger.

    • PermissionsMode (string) --

      The current permissions mode of the ledger.

CreateLedger (updated) Link ¶
Changes (request, response)
Request
{'PermissionsMode': {'STANDARD'}}
Response
{'PermissionsMode': 'ALLOW_ALL | STANDARD'}

Creates a new ledger in your AWS account.

See also: AWS API Documentation

Request Syntax

client.create_ledger(
    Name='string',
    Tags={
        'string': 'string'
    },
    PermissionsMode='ALLOW_ALL'|'STANDARD',
    DeletionProtection=True|False
)
type Name

string

param Name

[REQUIRED]

The name of the ledger that you want to create. The name must be unique among all of your ledgers in the current AWS Region.

Naming constraints for ledger names are defined in Quotas in Amazon QLDB in the Amazon QLDB Developer Guide .

type Tags

dict

param Tags

The key-value pairs to add as tags to the ledger that you want to create. Tag keys are case sensitive. Tag values are case sensitive and can be null.

  • (string) --

    • (string) --

type PermissionsMode

string

param PermissionsMode

[REQUIRED]

The permissions mode to assign to the ledger that you want to create. This parameter can have one of the following values:

  • ALLOW_ALL : A legacy permissions mode that enables access control with API-level granularity for ledgers. This mode allows users who have SendCommand permissions for this ledger to run all PartiQL commands (hence, ALLOW_ALL ) on any tables in the specified ledger. This mode disregards any table-level or command-level IAM permissions policies that you create for the ledger.

  • STANDARD : (Recommended ) A permissions mode that enables access control with finer granularity for ledgers, tables, and PartiQL commands. By default, this mode denies all user requests to run any PartiQL commands on any tables in this ledger. To allow PartiQL commands to run, you must create IAM permissions policies for specific table resources and PartiQL actions, in addition to SendCommand API permissions for the ledger.

Note

We strongly recommend using the STANDARD permissions mode to maximize the security of your ledger data.

type DeletionProtection

boolean

param DeletionProtection

The flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled (true ) by default.

If deletion protection is enabled, you must first disable it before you can delete the ledger using the QLDB API or the AWS Command Line Interface (AWS CLI). You can disable it by calling the UpdateLedger operation to set the flag to false . The QLDB console disables deletion protection for you when you use it to delete a ledger.

rtype

dict

returns

Response Syntax

{
    'Name': 'string',
    'Arn': 'string',
    'State': 'CREATING'|'ACTIVE'|'DELETING'|'DELETED',
    'CreationDateTime': datetime(2015, 1, 1),
    'PermissionsMode': 'ALLOW_ALL'|'STANDARD',
    'DeletionProtection': True|False
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the ledger.

    • Arn (string) --

      The Amazon Resource Name (ARN) for the ledger.

    • State (string) --

      The current status of the ledger.

    • CreationDateTime (datetime) --

      The date and time, in epoch time format, when the ledger was created. (Epoch time format is the number of seconds elapsed since 12:00:00 AM January 1, 1970 UTC.)

    • PermissionsMode (string) --

      The permissions mode of the ledger that you created.

    • DeletionProtection (boolean) --

      The flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled (true ) by default.

      If deletion protection is enabled, you must first disable it before you can delete the ledger using the QLDB API or the AWS Command Line Interface (AWS CLI). You can disable it by calling the UpdateLedger operation to set the flag to false . The QLDB console disables deletion protection for you when you use it to delete a ledger.

DescribeLedger (updated) Link ¶
Changes (response)
{'PermissionsMode': 'ALLOW_ALL | STANDARD'}

Returns information about a ledger, including its state and when it was created.

See also: AWS API Documentation

Request Syntax

client.describe_ledger(
    Name='string'
)
type Name

string

param Name

[REQUIRED]

The name of the ledger that you want to describe.

rtype

dict

returns

Response Syntax

{
    'Name': 'string',
    'Arn': 'string',
    'State': 'CREATING'|'ACTIVE'|'DELETING'|'DELETED',
    'CreationDateTime': datetime(2015, 1, 1),
    'PermissionsMode': 'ALLOW_ALL'|'STANDARD',
    'DeletionProtection': True|False
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the ledger.

    • Arn (string) --

      The Amazon Resource Name (ARN) for the ledger.

    • State (string) --

      The current status of the ledger.

    • CreationDateTime (datetime) --

      The date and time, in epoch time format, when the ledger was created. (Epoch time format is the number of seconds elapsed since 12:00:00 AM January 1, 1970 UTC.)

    • PermissionsMode (string) --

      The permissions mode of the ledger.

    • DeletionProtection (boolean) --

      The flag that prevents a ledger from being deleted by any user. If not provided on ledger creation, this feature is enabled (true ) by default.

      If deletion protection is enabled, you must first disable it before you can delete the ledger using the QLDB API or the AWS Command Line Interface (AWS CLI). You can disable it by calling the UpdateLedger operation to set the flag to false . The QLDB console disables deletion protection for you when you use it to delete a ledger.