Use resource-based policies for Amazon EMR access to Amazon Glue Data Catalog

If you use Amazon Glue in conjunction with Hive, Spark, or Presto in Amazon EMR, Amazon Glue supports resource-based policies to control access to Data Catalog resources. These resources include databases, tables, connections, and user-defined functions. For more information, see Amazon Glue Resource Policies in the Amazon Glue Developer Guide.

When using resource-based policies to limit access to Amazon Glue from within Amazon EMR, the principal that you specify in the permissions policy must be the role ARN associated with the EC2 instance profile that is specified when a cluster is created. For example, for a resource-based policy attached to a catalog, you can specify the role ARN for the default service role for cluster EC2 instances, EMR_EC2_DefaultRole as the Principal, using the format shown in the following example:


arn:aws:iam::acct-id:role/EMR_EC2_DefaultRole

The acct-id can be different from the Amazon Glue account ID. This enables access from EMR clusters in different accounts. You can specify multiple principals, each from a different account.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Configure IAM roles for EMRFS

Use IAM roles with applications that call Amazon services directly