Managing access to resources - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Managing access to resources

A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.

Note

This section discusses using IAM in the context of Amazon Glue. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see IAM JSON Policy Reference in the IAM User Guide.

Policies that are attached to an IAM identity are referred to as identity-based policies (IAM policies). Policies that are attached to a resource are referred to as resource-based policies.

Overview of identity-based policies (IAM policies)

You can attach policies to IAM identities. For example, you can do the following:

  • Attach a permissions policy to a user or a group in your account – To grant a user permissions to create an Amazon Glue resource, such as a table, you can attach a permissions policy to a user or group that the user belongs to.

  • Attach a permissions policy to a role (grant cross-account permissions) – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in account A can create a role to grant cross-account permissions to another Amazon account (for example, account B) or an Amazon service as follows:

    1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on resources in account A.

    2. Account A administrator attaches a trust policy to the role identifying account B as the principal who can assume the role.

    3. Account B administrator can then delegate permissions to assume the role to any users in account B. Doing this allows users in account B to create or access resources in account A. The principal in the trust policy can also be an Amazon service principal if you want to grant an Amazon service permissions to assume the role.

    For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide.

The following is an example identity-based policy that grants permissions for one Amazon Glue action (GetTables). The wildcard character (*) in the Resource value means that this action is permitted to obtain the names and details of all the tables in a database in the Data Catalog. If the user also has access to other catalogs through a resource policy, that user is given access to those resources too.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetTables",
            "Effect": "Allow",
            "Action": [
                "glue:GetTables"
            ],
            "Resource": "*"
        }
    ]
}

For more information about using identity-based policies with Amazon Glue, see Identity-based policies (IAM policies) for access control. For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide.

Overview of resource-based policies

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket.

For more information and examples, see Amazon Glue resource policies for access control.

Specifying policy elements: Actions, effects, and principals

For each Amazon Glue resource, the service defines a set of API operations. To grant permissions for these API operations, Amazon Glue defines a set of actions that you can specify in a policy. Some API operations require permissions for more than one action in order to perform the API operation. For more information about resources and API operations, see Amazon Glue resources and operations and the Amazon Glue API.

The following are the most basic policy elements:

  • Resource – You use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. For more information, see Amazon Glue resources and operations.

  • Action – You use action keywords to identify resource operations that you want to allow or deny. For example, you can use create to allow users to create a table.

  • Effect – You specify the effect, either allow or deny, when the user requests the specific action. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.

  • Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. In resource-based policies only, you specify the user, account, service, or other entity that you want to receive permissions. Amazon Glue doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see IAM JSON Policy Reference in the IAM User Guide.

For a table showing all of the Amazon Glue API operations and the resources that they apply to, see Amazon Glue API permissions: Actions and resources reference.

Specifying conditions in a policy

When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in a policy language, see Condition in the IAM User Guide.

To express conditions, you use predefined condition keys. There are Amazon-wide condition keys and Amazon Glue–specific keys that you can use as appropriate. For a complete list of Amazon-wide keys, see Available Keys for Conditions in the IAM User Guide.
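The following is an added example, not code from the Amazon Glue documentation, that models the evaluation rules described in the policy elements section (implicit deny by default, an explicit Deny overriding any Allow) together with a date condition from this section. The policy, the date, and the glue:DeleteTable action are illustrative choices; the evaluator is a deliberately simplified model of IAM, not a reimplementation of it.

```python
"""Simplified model of how IAM evaluates identity-based policy statements.

Illustrative only: covers Effect (implicit deny by default, explicit Deny
overriding Allow), action matching, and a DateGreaterThan condition on
aws:CurrentTime. Resource policies, permissions boundaries and SCPs are
not modelled.
"""
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed policy (assumed, not from the docs): allow two table actions
# only after a chosen date, and explicitly deny DeleteTable regardless.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TableAccessAfterDate", "Effect": "Allow",
         "Action": ["glue:GetTables", "glue:DeleteTable"], "Resource": "*",
         "Condition": {"DateGreaterThan":
                       {"aws:CurrentTime": "2024-01-01T00:00:00Z"}}},
        {"Sid": "DenyDeleteTable", "Effect": "Deny",
         "Action": ["glue:DeleteTable"], "Resource": "*"},
    ],
}

def _parse_time(iso_z):
    # IAM uses RFC 3339 timestamps with a trailing 'Z' for UTC.
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def _condition_met(condition, request_time):
    """Only DateGreaterThan on aws:CurrentTime is modelled here."""
    for operator, pairs in condition.items():
        if operator != "DateGreaterThan" or set(pairs) != {"aws:CurrentTime"}:
            raise NotImplementedError(f"unsupported condition: {operator}")
        if not _parse_time(request_time) > _parse_time(pairs["aws:CurrentTime"]):
            return False
    return True

def evaluate(policy, action, request_time):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # no statement has matched yet
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue  # e.g. "glue:Get*" would match via the wildcard
        if not _condition_met(stmt.get("Condition", {}), request_time):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny overrides any Allow
        decision = "Allow"
    return decision
```

Calling evaluate(POLICY, "glue:DeleteTable", "2024-06-01T00:00:00Z") returns "ExplicitDeny" even though the first statement allows that action after the date, which is the behaviour the Effect element describes.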