{
  "_comment": "Illustrative Lake Formation LF-Tag grant skeleton. Replace account IDs, tag values, and principal ARNs. Test in NonProd before production grants.",
  "producerAccountId": "111122223333",
  "consumerAccountId": "444455556666",
  "lfTags": [
    {
      "TagKey": "Environment",
      "TagValues": ["Production"]
    },
    {
      "TagKey": "Sensitivity",
      "TagValues": ["Internal"]
    },
    {
      "TagKey": "Domain",
      "TagValues": ["Finance"]
    }
  ],
  "grantToConsumer": {
    "Principal": {
      "DataLakePrincipalIdentifier": "444455556666"
    },
    "Resource": {
      "LFTagPolicy": {
        "CatalogId": "111122223333",
        "ResourceType": "TABLE",
        "Expression": [
          {
            "TagKey": "Environment",
            "TagValues": ["Production"]
          },
          {
            "TagKey": "Sensitivity",
            "TagValues": ["Internal"]
          }
        ]
      }
    },
    "Permissions": ["SELECT", "DESCRIBE"],
    "PermissionsWithGrantOption": false
  },
  "consumerResourceLink": {
    "_note": "Created in consumer account after RAM acceptance",
    "Name": "finance_curated_link",
    "TargetDatabase": "finance_curated",
    "TargetTable": "gl_balances"
  },
  "cliSmokeTest": {
    "_context": "AWS CLI 2.x, caller in consumer account with LF-analyst role",
    "commands": [
      "aws lakeformation list-permissions --catalog-id 111122223333",
      "aws athena start-query-execution --query-string 'SELECT count(*) FROM finance_curated_link.gl_balances LIMIT 1' --work-group primary"
    ]
  }
}