Storing connection credentials in Amazon Secrets Manager

We recommend that you use Amazon Secrets Manager to supply connection credentials for your data store. Using Secrets Manager this way lets Amazon Glue access your secret at runtime for ETL jobs and crawler runs, and helps keep your credentials secure.

Prerequisites

To use Secrets Manager with Amazon Glue, you must grant your IAM role for Amazon Glue permission to retrieve secret values. The Amazon managed policy AWSGlueServiceRole doesn't include Amazon Secrets Manager permissions. For example IAM policies, see Example: Permission to retrieve secret values in the Amazon Secrets Manager User Guide.

Depending on your network setup, you might also need to create a VPC endpoint to establish a private connection between your VPC and Secrets Manager. For more information, see Using an Amazon Secrets Manager VPC endpoint.

To create a secret for Amazon Glue
  1. Follow the instructions in Create and manage secrets in the Amazon Secrets Manager User Guide. The following example JSON shows how to specify your credentials in the Plaintext tab when you create a secret for Amazon Glue.

    { "username": "EXAMPLE-USERNAME", "password": "EXAMPLE-PASSWORD" }
  2. Associate your secret with a connection using the Amazon Glue Studio interface. For detailed instructions, see Creating connections for connectors in the Amazon Glue Studio User Guide.
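
A pre-deployment check covering both the prerequisite and the secret format above, written as an added example and not taken from the Amazon documentation: it confirms that a role policy allows `secretsmanager:GetSecretValue` on one specific secret rather than on every secret, and that the secret body carries the `username` and `password` keys shown in step 1. The ARN, account ID, secret name and policy are constructed placeholders, and the matcher is a simplification that ignores `Deny` statements, `NotAction` and conditions.

```python
import fnmatch
import json

# Constructed sample values: account ID, region and secret name are placeholders.
SECRET_ARN = "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:glue/example-db-AbCdEf"
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        # Secrets Manager appends a hyphen and six random characters to the name.
        "Resource": "arn:aws-cn:secretsmanager:cn-north-1:111122223333:secret:glue/example-db-??????",
    }],
}
SECRET_STRING = '{ "username": "EXAMPLE-USERNAME", "password": "EXAMPLE-PASSWORD" }'

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_policy(policy, secret_arn):
    """Return findings about the role's read access to secret_arn (Allow statements only)."""
    findings, allowed = [], False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("secretsmanager:getsecretvalue", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if fnmatch.fnmatchcase(secret_arn, res):
                allowed = True
                if res == "*" or res.endswith(":secret:*"):
                    findings.append(f"overly broad Resource {res!r}: scope it to the secret ARN")
    if not allowed:
        findings.append("role cannot call secretsmanager:GetSecretValue on this secret")
    return findings

def check_secret_string(secret_string):
    """Return findings for the secret body; expects the keys from the page's example JSON."""
    try:
        body = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["secret must be a JSON object"]
    return [f"missing or empty key {k!r}" for k in ("username", "password") if not body.get(k)]

if __name__ == "__main__":
    print(check_role_policy(ROLE_POLICY, SECRET_ARN) + check_secret_string(SECRET_STRING))
```

An empty list from both functions means the role is scoped to the one secret and the secret body has the expected keys.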