Managing access permissions for Amazon Glue resources - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Managing access permissions for Amazon Glue resources

You can have valid credentials to authenticate your requests, but unless you have the appropriate permissions, you can't create or access an Amazon Glue resource such as a table in the Amazon Glue Data Catalog.

Every Amazon resource is owned by an Amazon account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). Some services (such as Amazon Glue and Amazon S3) also support attaching permissions policies to the resources themselves.


An account administrator (or administrator user) is a user who has administrative privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.


You can grant access to your data by using Amazon Glue methods or by using Amazon Lake Formation grants. The Amazon Glue methods use Amazon Identity and Access Management (IAM) policies to achieve fine-grained access control. Lake Formation uses a simpler GRANT/REVOKE permissions model similar to the GRANT/REVOKE commands in a relational database system.

This section describes using the Amazon Glue methods. For information about using Lake Formation grants, see Granting Lake Formation Permissions in the Amazon Lake Formation Developer Guide.