Use resource-based policies for Amazon EMR access to Amazon Glue Data Catalog - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use resource-based policies for Amazon EMR access to Amazon Glue Data Catalog

If you use Amazon Glue in conjunction with Hive, Spark, or Presto in Amazon EMR, Amazon Glue supports resource-based policies to control access to Data Catalog resources. These resources include databases, tables, connections, and user-defined functions. For more information, see Amazon Glue Resource Policies in the Amazon Glue Developer Guide.

When using resource-based policies to limit access to Amazon Glue from within Amazon EMR, the principal that you specify in the permissions policy must be the role ARN associated with the EC2 instance profile that is specified when a cluster is created. For example, for a resource-based policy attached to a catalog, you can specify the role ARN for the default service role for cluster EC2 instances, EMR_EC2_DefaultRole as the Principal, using the format shown in the following example:

arn:aws:iam::acct-id:role/EMR_EC2_DefaultRole

The acct-id can be different from the Amazon Glue account ID. This enables access from EMR clusters in different accounts. You can specify multiple principals, each from a different account.