Step 2: Create an IAM role for Amazon Glue
You need to grant your IAM role permissions that Amazon Glue can assume when calling other services on your behalf. This includes access to Amazon S3 for any sources, targets, scripts, and temporary directories that you use with Amazon Glue. Permission is needed by crawlers, jobs, and development endpoints.
You provide those permissions by using Amazon Identity and Access Management (IAM). Add a policy to the IAM role that you pass to Amazon Glue.
To create an IAM role for Amazon Glue
Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/
. -
In the left navigation pane, choose Roles.
-
Choose Create role.
-
Choose Amazon service as the trusted entity type. Then, for service or use case, find and choose Amazon Glue. Choose Next.
-
On the Add permissions page, choose the policies that contain the required permissions; for example, the Amazon managed policy
AWSGlueServiceRole
for general Amazon Glue permissions and the Amazon managed policy AmazonS3FullAccess for access to Amazon S3 resources. Then choose Next.Note
Ensure that one of the policies in this role grants permissions to your Amazon S3 sources and targets. You might want to provide your own policy for access to specific Amazon S3 resources. Data sources require
s3:ListBucket
ands3:GetObject
permissions. Data targets requires3:ListBucket
,s3:PutObject
, ands3:DeleteObject
permissions. For more information about creating an Amazon S3 policy for your resources, see Specifying Resources in a Policy. For an example Amazon S3 policy, see Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket. If you plan to access Amazon S3 sources and targets that are encrypted with SSE-KMS, attach a policy that allows Amazon Glue crawlers, jobs, and development endpoints to decrypt the data. For more information, see Protecting Data Using Server-Side Encryption with Amazon KMS-Managed Keys (SSE-KMS).
The following is an example.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "kms:Decrypt" ], "Resource":[ "arn:aws-cn:kms:*:
account-id-without-hyphens
:key/key-id
" ] } ] } -
Name your role and add a description (optional), then review the trust policy and permissions. For Role name, enter a name for your role; for example,
AWSGlueServiceRoleDefault
. Create the role with the name prefixed with the stringAWSGlueServiceRole
to allow the role to be passed from console users to the service. Amazon Glue provided policies expect IAM service roles to begin withAWSGlueServiceRole
. Otherwise, you must add a policy to allow your users theiam:PassRole
permission for IAM roles to match your naming convention. Choose Create Role.Note
When you create a notebook with a role, that role is then passed to interactive sessions so that the same role can be used in both places. As such, the
iam:PassRole
permission needs to be part of the role's policy.Create a new policy for your role using the following example. Replace the account number with your own and the role name.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::090000000210:role/<role_name>" } ] }
-
Add tags to your role (optional). Tags are key-value pairs that you can add to Amazon resources to help identify, organize, or search for resources. Then, choose Create role.