Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Permissions required to use the Amazon Glue console

For a user to work with the Amazon Glue console, that user must have a minimum set of permissions that allows them to work with the Amazon Glue resources for their Amazon account. In addition to these Amazon Glue permissions, the console requires permissions from the following services:

  • Amazon CloudWatch Logs permissions to display logs.

  • Amazon Identity and Access Management (IAM) permissions to list and pass roles.

  • Amazon CloudFormation permissions to work with stacks.

  • Amazon Elastic Compute Cloud (Amazon EC2) permissions to list VPCs, subnets, security groups, instances, and other objects.

  • Amazon Simple Storage Service (Amazon S3) permissions to list buckets and objects, and to retrieve and save scripts.

  • Amazon Redshift permissions to work with clusters.

  • Amazon Relational Database Service (Amazon RDS) permissions to list instances.

For more information about the permissions that users require to view and work with the Amazon Glue console, see Step 3: Attach a policy to IAM users that access Amazon Glue.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the Amazon Glue console, also attach the AWSGlueConsoleFullAccess managed policy to the user, as described in Amazon managed (predefined) policies for Amazon Glue.

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon Glue API.
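The following is an added example, not part of the original documentation or any Amazon tooling: a small auditor that reports which of the console's listed service permissions a custom, more restrictive policy leaves out. The action names are real IAM actions chosen as representatives of each bullet (an assumption, since the page names services rather than actions), and the sample policy and bucket name are constructed.

```python
import json
from fnmatch import fnmatchcase

# Representative actions per service bullet (assumption: the page names services,
# not actions; the AWSGlueConsoleFullAccess managed policy is the authoritative set).
CONSOLE_NEEDS = {
    "Glue": ["glue:GetDatabases", "glue:GetJobs"],
    "CloudWatch Logs": ["logs:GetLogEvents"],
    "IAM": ["iam:ListRoles", "iam:PassRole"],
    "CloudFormation": ["cloudformation:DescribeStacks"],
    "EC2": ["ec2:DescribeVpcs", "ec2:DescribeSubnets",
            "ec2:DescribeSecurityGroups", "ec2:DescribeInstances"],
    "S3": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Redshift": ["redshift:DescribeClusters"],
    "RDS": ["rds:DescribeDBInstances"],
}
# Constructed sample: a custom policy narrower than the console needs.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["glue:*", "logs:Get*", "ec2:Describe*"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:PassRole"], "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws-cn:s3:::example-glue-scripts/*"},
  {"Effect": "Deny", "Action": "ec2:DescribeInstances", "Resource": "*"}
]}""")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _matches(action, patterns):
    # IAM action names are case-insensitive; "*" and "?" act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit(policy):
    """Return (missing, warnings) for an identity-based policy document."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    allow = [s for s in stmts if s.get("Effect") == "Allow"]
    deny = [s for s in stmts if s.get("Effect") == "Deny"]
    def hit(action, group):  # only "Action" is read; "NotAction" is ignored
        return any(_matches(action, _as_list(s.get("Action"))) for s in group)
    missing = {}
    for service, actions in CONSOLE_NEEDS.items():
        # A matching Deny counts as blocking even if it carries conditions.
        gaps = [a for a in actions if not hit(a, allow) or hit(a, deny)]
        if gaps:
            missing[service] = gaps
    warnings = ["iam:PassRole is allowed on Resource '*'; scope it to specific role ARNs"
                for s in allow
                if hit("iam:PassRole", [s]) and "*" in _as_list(s.get("Resource"))]
    return missing, warnings

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_POLICY), indent=2))
```

Resources and conditions are not evaluated for the coverage check, so a clean result means the actions are present, not that every console screen will load.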