Serialized Batch Grants by Account – Lake Formation Connector
Serialize batch AWS API calls for cross-account principals to avoid concurrent update conflicts and reduce throttling when applying permissions at scale.
Behavior
When enabled, the connector:
- Groups permission changes into batch operations (requires Batch Permissions Update to be enabled).
- Serializes batch execution by account for cross-account principals.
- Reduces the likelihood of concurrent update conflicts and throttling responses.
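The sketch below is an added illustration of the scheduling pattern described above, not the connector's own code. It assumes grants are keyed by the account ID in the principal's ARN, and it uses a hypothetical `FakeBatchApi` stand-in (with constructed sample grants) instead of real AWS calls.

```python
import threading
import time
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed sample grants: (principal ARN, resource, permission).
GRANTS = [
    ("arn:aws:iam::111111111111:role/analyst", "sales.orders", "SELECT"),
    ("arn:aws:iam::111111111111:role/etl", "sales.orders", "INSERT"),
    ("arn:aws:iam::222222222222:role/audit", "sales.orders", "DESCRIBE"),
    ("arn:aws:iam::111111111111:role/analyst", "sales.refunds", "SELECT"),
]

def account_of(principal_arn):
    return principal_arn.split(":")[4]  # account ID is the fifth ARN field

def batches_by_account(grants, batch_size=2):
    """Group grants by principal account, then chunk each group into batches."""
    grouped = defaultdict(list)
    for grant in grants:
        grouped[account_of(grant[0])].append(grant)
    return {acct: [items[i:i + batch_size] for i in range(0, len(items), batch_size)]
            for acct, items in grouped.items()}

class FakeBatchApi:
    """Hypothetical stand-in for a batch grant call; counts overlapping calls per account."""
    def __init__(self):
        self.lock, self.in_flight = threading.Lock(), defaultdict(int)
        self.applied, self.conflicts = [], 0

    def batch_grant(self, account, batch):
        with self.lock:
            self.in_flight[account] += 1
            if self.in_flight[account] > 1:  # two batches for one account at once
                self.conflicts += 1
        time.sleep(0.01)  # simulated API latency
        with self.lock:
            self.applied.extend(batch)
            self.in_flight[account] -= 1

def apply_serialized(grants, api, batch_size=2):
    """One worker per account: an account's batches run in order, accounts in parallel."""
    plan = batches_by_account(grants, batch_size)
    def drain(account):
        for batch in plan[account]:
            api.batch_grant(account, batch)
    with ThreadPoolExecutor(max_workers=max(1, len(plan))) as pool:
        list(pool.map(drain, plan))  # list() surfaces any worker exception
    return plan
```

Because each account has exactly one worker draining its batches, no two batch calls for the same account are ever in flight together, while different accounts still proceed concurrently.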
Prerequisite
Before enabling serialization by account, you must first enable Batch Permissions Update:
Configuration Parameter
CONNECTOR_LAKEFORMATION_BATCH_GRANT_SERIALIZE_BY_ACCOUNT_ENABLE
- Description: Enables serialized processing of batch grant/revoke operations by account for cross-account principals.
- Type: Boolean
- Default: false
- Purpose: When enabled, the connector serializes batch permission updates per account to minimize ConcurrentModificationException and API throttling in multi-account scenarios.
Setup
- SSH into the instance where Privacera Manager is installed.
- Open the Lake Formation connector configuration file for editing, replacing <instance-name> with your connector instance name (for example, instance1).
- Add the following property:
- Apply the changes:
  Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.
  Step 2 - Apply the Privacera Manager Helm charts.
  Step 3 - (Optional) Post-installation step, which generates the Plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.