Step 2: Create an IAM role for Amazon Glue - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Step 2: Create an IAM role for Amazon Glue

You need to grant your IAM role permissions that Amazon Glue can assume when calling other services on your behalf. This includes access to Amazon S3 for any sources, targets, scripts, and temporary directories that you use with Amazon Glue. Crawlers, jobs, and development endpoints all need these permissions.

You provide those permissions by using Amazon Identity and Access Management (IAM). Add a policy to the IAM role that you pass to Amazon Glue.

To create an IAM role for Amazon Glue

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the left navigation pane, choose Roles.

  3. Choose Create role.

  4. For role type, choose Amazon Service, find and choose Glue, and choose Next: Permissions.

  5. On the Attach permissions policy page, choose the policies that contain the required permissions; for example, the Amazon managed policy AWSGlueServiceRole for general Amazon Glue permissions and the Amazon managed policy AmazonS3FullAccess for access to Amazon S3 resources. Then choose Next: Review.

    Note

    Ensure that one of the policies in this role grants permissions to your Amazon S3 sources and targets. You might want to provide your own policy for access to specific Amazon S3 resources. Data sources require s3:ListBucket and s3:GetObject permissions. Data targets require s3:ListBucket, s3:PutObject, and s3:DeleteObject permissions. For more information about creating an Amazon S3 policy for your resources, see Specifying Resources in a Policy. For an example Amazon S3 policy, see Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket.

    If you plan to access Amazon S3 sources and targets that are encrypted with SSE-KMS, attach a policy that allows Amazon Glue crawlers, jobs, and development endpoints to decrypt the data. For more information, see Protecting Data Using Server-Side Encryption with Amazon KMS-Managed Keys (SSE-KMS).

    The following is an example.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt"
                ],
                "Resource": [
                    "arn:aws-cn:kms:*:account-id-without-hyphens:key/key-id"
                ]
            }
        ]
    }

  6. For Role name, enter a name for your role; for example, AWSGlueServiceRoleDefault. Create the role with a name prefixed with the string AWSGlueServiceRole so that console users can pass the role to the service. The policies that Amazon Glue provides expect IAM service roles to begin with AWSGlueServiceRole. If you use a different naming convention, you must add a policy that grants your users the iam:PassRole permission for roles matching that convention. Choose Create role.
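The procedure above is driven through the console. As an added example (not Amazon's code), the following Python builds the same policy documents as files so they can be reviewed and applied from the command line, and it replaces AmazonS3FullAccess with a policy scoped to the exact S3 actions the Note lists for named source and target buckets. It assumes the China partition (aws-cn), the Glue service principal glue.amazonaws.com, and uses constructed sample values for the account ID, bucket names and KMS key ARN; the policy_allows and missing_glue_permissions checkers are a deliberately minimal evaluator (wildcards only, no Deny or Condition handling) meant as a pre-deploy sanity check.

```python
"""Least-privilege policy documents for an Amazon Glue service role.

Added example, not Amazon's code. Assumes the China partition ("aws-cn")
and uses constructed sample bucket names, account ID and key ARN.
"""
import fnmatch
import json

PARTITION = "aws-cn"                 # assumption: China Regions ("aws" elsewhere)
GLUE_SERVICE = "glue.amazonaws.com"  # Glue service principal
ROLE_PREFIX = "AWSGlueServiceRole"   # prefix the Glue-provided policies expect


def glue_trust_policy():
    """Trust policy that lets the Glue service assume the role (step 4)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": GLUE_SERVICE},
        "Action": "sts:AssumeRole"}]}


def bucket_arn(bucket, partition=PARTITION):
    return f"arn:{partition}:s3:::{bucket}"


def s3_scoped_policy(source_buckets, target_buckets, partition=PARTITION):
    """S3 policy granting only what the Note requires, scoped to named buckets
    instead of AmazonS3FullAccess: ListBucket on every bucket, GetObject on
    sources, PutObject and DeleteObject on targets."""
    every = sorted(set(source_buckets) | set(target_buckets))
    statements = [{"Sid": "ListBuckets", "Effect": "Allow", "Action": "s3:ListBucket",
                   "Resource": [bucket_arn(b, partition) for b in every]}]
    if source_buckets:
        statements.append({"Sid": "ReadSources", "Effect": "Allow", "Action": "s3:GetObject",
                           "Resource": [bucket_arn(b, partition) + "/*" for b in source_buckets]})
    if target_buckets:
        statements.append({"Sid": "WriteTargets", "Effect": "Allow",
                           "Action": ["s3:PutObject", "s3:DeleteObject"],
                           "Resource": [bucket_arn(b, partition) + "/*" for b in target_buckets]})
    return {"Version": "2012-10-17", "Statement": statements}


def kms_policy(key_arns, writes_encrypted_targets=False):
    """Mirrors the page's SSE-KMS example (kms:Decrypt on specific keys);
    writing SSE-KMS objects to a target additionally needs kms:GenerateDataKey."""
    actions = ["kms:Decrypt"] + (["kms:GenerateDataKey"] if writes_encrypted_targets else [])
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": actions, "Resource": list(key_arns)}]}


def pass_role_policy(account_id, prefix=ROLE_PREFIX, partition=PARTITION):
    """For users who must pass roles to Glue (step 6): iam:PassRole limited to
    role names matching the prefix and to the Glue service only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "iam:PassRole",
        "Resource": f"arn:{partition}:iam::{account_id}:role/{prefix}*",
        "Condition": {"StringEquals": {"iam:PassedToService": GLUE_SERVICE}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """Minimal evaluator: True if an Allow statement matches action and resource
    by wildcard. Ignores Deny and Condition, so treat it as a pre-deploy sanity
    check, not a replacement for the IAM policy simulator."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            return True
    return False


def missing_glue_permissions(policies, source_buckets, target_buckets, partition=PARTITION):
    """Return the (action, resource) pairs from the Note that no policy grants."""
    required = []
    for b in source_buckets:
        required += [("s3:ListBucket", bucket_arn(b, partition)),
                     ("s3:GetObject", bucket_arn(b, partition) + "/sample-object")]
    for b in target_buckets:
        required += [("s3:ListBucket", bucket_arn(b, partition)),
                     ("s3:PutObject", bucket_arn(b, partition) + "/sample-object"),
                     ("s3:DeleteObject", bucket_arn(b, partition) + "/sample-object")]
    return [(a, r) for a, r in required if not any(policy_allows(p, a, r) for p in policies)]


if __name__ == "__main__":
    # Constructed sample values; replace with your own account, buckets and key.
    account = "123456789012"
    sources, targets = ["example-glue-sources"], ["example-glue-targets"]
    key = f"arn:{PARTITION}:kms:cn-north-1:{account}:key/EXAMPLE-KEY-ID"
    docs = {"trust.json": glue_trust_policy(),
            "s3-scoped.json": s3_scoped_policy(sources, targets),
            "kms.json": kms_policy([key], writes_encrypted_targets=True),
            "passrole.json": pass_role_policy(account)}
    for name, doc in docs.items():
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
    print("missing:", missing_glue_permissions([docs["s3-scoped.json"]], sources, targets))
```

Running the script writes trust.json, s3-scoped.json, kms.json and passrole.json. The role is then created with `aws iam create-role --role-name AWSGlueServiceRoleDefault --assume-role-policy-document file://trust.json`, the scoped documents are attached with `aws iam put-role-policy --role-name AWSGlueServiceRoleDefault --policy-name <name> --policy-document file://<file>`, and the general Glue permissions come from the managed policy via `aws iam attach-role-policy` (its ARN in the China partition is assumed to be arn:aws-cn:iam::aws:policy/service-role/AWSGlueServiceRole). The missing_glue_permissions check is worth running whenever a new source or target bucket is added to a job, since a role that lists a bucket but lacks s3:DeleteObject on it fails only at write time.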