Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions for personas and roles for Amazon Glue blueprints

The following are the typical personas and suggested Amazon Identity and Access Management (IAM) permissions policies for personas and roles for Amazon Glue blueprints.

Blueprint personas

The following are the personas typically involved in the lifecycle of Amazon Glue blueprints.

Persona                    | Description
---------------------------|---------------------------------------------------------
Amazon Glue developer      | Develops, tests, and publishes blueprints.
Amazon Glue administrator  | Registers, maintains, and grants permissions on blueprints.
Data analyst               | Runs blueprints to create workflows.

For more information, see Overview of blueprints in Amazon Glue.

Permissions for blueprint personas

The following are the suggested permissions for each blueprint persona.

Amazon Glue developer permissions for blueprints

The Amazon Glue developer must have write permissions on the Amazon S3 bucket that is used to publish the blueprint. Often, the developer also registers the blueprint after uploading it; in that case, the developer needs the permissions listed in Amazon Glue administrator permissions for blueprints. If the developer also wants to test the blueprint after it is registered, they need the permissions listed in Data analyst permissions for blueprints as well.

Amazon Glue administrator permissions for blueprints

The following policy grants permissions to register, view, and maintain Amazon Glue blueprints.

Important

In the following policy, replace <s3-bucket-name> and <prefix> with the Amazon S3 bucket and prefix where the blueprint ZIP archives to be registered are uploaded. The s3:GetObject grant is what lets the registration call read the archive; it does not need write access to the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateBlueprint",
        "glue:UpdateBlueprint",
        "glue:DeleteBlueprint",
        "glue:GetBlueprint",
        "glue:ListBlueprints",
        "glue:BatchGetBlueprints"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws-cn:s3:::<s3-bucket-name>/<prefix>/*"
    }
  ]
}

Data analyst permissions for blueprints

The following policy grants permissions to run blueprints and to view the resulting workflow and workflow components. It also grants PassRole on the role that Amazon Glue assumes to create the workflow and workflow components.

The policy grants these permissions on all resources ("Resource": "*"). If you want to configure fine-grained access to individual blueprints, use the following format for blueprint ARNs in the Resource element of the blueprint-related statements:

arn:aws-cn:glue:<region>:<account-id>:blueprint/<blueprint-name>

Important

In the following policy, replace <account-id> with a valid Amazon account ID and replace <role-name> with the name of the role used to run a blueprint. See Permissions for blueprint roles for the permissions that this role requires. Scoping iam:PassRole to that one role ARN matters: a PassRole grant on "*" would let the analyst hand any role in the account to Glue, including roles with far broader permissions than the blueprint needs.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:ListBlueprints",
        "glue:GetBlueprint",
        "glue:StartBlueprintRun",
        "glue:GetBlueprintRun",
        "glue:GetBlueprintRuns",
        "glue:GetCrawler",
        "glue:ListTriggers",
        "glue:ListJobs",
        "glue:BatchGetCrawlers",
        "glue:GetTrigger",
        "glue:BatchGetWorkflows",
        "glue:BatchGetTriggers",
        "glue:BatchGetJobs",
        "glue:BatchGetBlueprints",
        "glue:GetWorkflowRun",
        "glue:GetWorkflowRuns",
        "glue:ListCrawlers",
        "glue:ListWorkflows",
        "glue:GetJob",
        "glue:GetWorkflow",
        "glue:StartWorkflowRun"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::<account-id>:role/<role-name>"
    }
  ]
}

Permissions for blueprint roles

The following are the suggested permissions for the IAM role used to create a workflow from a blueprint. The role must have a trust relationship with glue.amazonaws.com so that Amazon Glue can assume it when the blueprint run creates the workflow, jobs, crawlers, and triggers.

Important

In the following policy, replace <account-id> with a valid Amazon account ID, and replace <role-name> with the name of the role that the jobs and crawlers created by the workflow will run as (by default, this same blueprint role).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:CreateJob",
        "glue:GetCrawler",
        "glue:GetTrigger",
        "glue:DeleteCrawler",
        "glue:CreateTrigger",
        "glue:DeleteTrigger",
        "glue:DeleteJob",
        "glue:CreateWorkflow",
        "glue:DeleteWorkflow",
        "glue:GetJob",
        "glue:GetWorkflow",
        "glue:CreateCrawler"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::<account-id>:role/<role-name>"
    }
  ]
}

Note

If the jobs and crawlers in the workflow assume a role other than this role, this policy must include the iam:PassRole permission on that other role instead of on the blueprint role.
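The two least-privilege points above, scoping the data analyst's blueprint permissions to specific blueprint ARNs and scoping iam:PassRole to the one blueprint role, are easy to get wrong when policies are hand-edited. The following Python script is an added example (not code from the Amazon Glue documentation) that generates the data analyst policy and the blueprint role's trust policy from parameters and checks the generated document for an unscoped PassRole grant. The partition "aws-cn", the region "cn-north-1", the account ID 123456789012, the blueprint name "etl-daily", and the role name "GlueBlueprintRole" are placeholders chosen for the example. It also adds an iam:PassedToService condition so the role can only be passed to Glue; that condition key is a standard IAM global condition key, not something the page's own policies use.

```python
import json

# ARN builders. The partition is "aws-cn" for the China Regions this page
# targets and "aws" in the other Amazon partitions.
def blueprint_arn(partition, region, account_id, blueprint_name):
    return f"arn:{partition}:glue:{region}:{account_id}:blueprint/{blueprint_name}"


def role_arn(partition, account_id, role_name):
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


# The page's data analyst actions, split by what they can be scoped to.
# Blueprint-level actions can be limited to named blueprint ARNs; the list and
# workflow/job/crawler/trigger read actions stay on "*" as in the page's policy.
BLUEPRINT_ACTIONS = [
    "glue:GetBlueprint", "glue:BatchGetBlueprints", "glue:StartBlueprintRun",
    "glue:GetBlueprintRun", "glue:GetBlueprintRuns",
]
WORKFLOW_ACTIONS = [
    "glue:ListBlueprints", "glue:GetCrawler", "glue:ListTriggers", "glue:ListJobs",
    "glue:BatchGetCrawlers", "glue:GetTrigger", "glue:BatchGetWorkflows",
    "glue:BatchGetTriggers", "glue:BatchGetJobs", "glue:GetWorkflowRun",
    "glue:GetWorkflowRuns", "glue:ListCrawlers", "glue:ListWorkflows",
    "glue:GetJob", "glue:GetWorkflow", "glue:StartWorkflowRun",
]


def data_analyst_policy(partition, region, account_id, blueprint_names, role_name):
    """Data analyst policy limited to the named blueprints and one PassRole target."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": BLUEPRINT_ACTIONS,
                "Resource": [blueprint_arn(partition, region, account_id, n)
                             for n in blueprint_names],
            },
            {"Effect": "Allow", "Action": WORKFLOW_ACTIONS, "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": role_arn(partition, account_id, role_name),
                # Only allow the role to be passed to Glue, not to any service
                # the analyst might otherwise be able to call.
                "Condition": {"StringEquals": {"iam:PassedToService": "glue.amazonaws.com"}},
            },
        ],
    }


def blueprint_role_trust_policy():
    """Trust policy that lets glue.amazonaws.com assume the blueprint role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "glue.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_passrole(policy):
    """True if an Allow statement grants iam:PassRole on every role ("*")."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions) and "*" in resources:
            return True
    return False


def render(policy):
    """JSON text ready to hand to create-policy / put-role-policy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Placeholder identifiers for the example; substitute your own.
    policy = data_analyst_policy("aws-cn", "cn-north-1", "123456789012",
                                 ["etl-daily"], "GlueBlueprintRole")
    print(render(policy))
    print(render(blueprint_role_trust_policy()))
    print("PassRole unscoped:", unscoped_passrole(policy))
```

Run unscoped_passrole against any policy you are about to attach to an analyst persona; a result of True means the analyst could pass an arbitrary role to Glue and run a workflow with that role's permissions.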