

# Set up IAM permissions for Amazon Glue Studio
<a name="getting-started-iam-permissions"></a>

You can create the roles and assign policies to users and job roles by using the Amazon administrator user. 

You can use the **AWSGlueConsoleFullAccess** Amazon managed policy to provide the necessary permissions for using the Amazon Glue Studio console. 

To create your own policy, follow the steps documented in [Create an IAM Policy for the Amazon Glue Service](https://docs.amazonaws.cn/glue/latest/dg/create-service-policy.html) in the *Amazon Glue Developer Guide*. Include the IAM permissions described previously in [Review IAM permissions needed for the Amazon Glue Studio user](getting-started-min-privs.md).

**Topics**
+ [Attach policies to the Amazon Glue Studio user](#attach-iam-policy)
+ [Create an IAM policy for roles not named "AWSGlueServiceRole\*"](#create-iam-policy)

## Attach policies to the Amazon Glue Studio user
<a name="attach-iam-policy"></a>

Any Amazon user that signs in to the Amazon Glue Studio console must have permissions to access specific resources. You provide those permissions by assigning IAM policies to the user.

**To attach the AWSGlueConsoleFullAccess managed policy to a user**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane, choose **Policies**. 

1. In the list of policies, select the check box next to **AWSGlueConsoleFullAccess**. You can use the **Filter** menu and the search box to filter the list of policies. 

1. Choose **Policy actions**, and then choose **Attach**. 

1. Choose the user to attach the policy to. You can use the **Filter** menu and the search box to filter the list of principal entities. After choosing the user to attach the policy to, choose **Attach policy**. 

1. Repeat the previous steps to attach additional policies to the user, as needed.

## Create an IAM policy for roles not named "AWSGlueServiceRole\*"
<a name="create-iam-policy"></a>

**To configure an IAM policy for roles used by Amazon Glue Studio**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. Add a new IAM policy. You can add to an existing policy or create a new IAM inline policy. To create an IAM policy:

   1. Choose **Policies**, and then choose **Create Policy**. If a **Get Started** button appears, choose it, and then choose **Create Policy**.

   1. Next to **Create Your Own Policy**, choose **Select**.

   1. For **Policy Name**, type any value that is easy for you to refer to later. Optionally, type descriptive text in **Description**.

   1. For **Policy Document**, type a policy statement with the following format, and then choose **Create Policy**:

1. Copy and paste the following blocks into the policy under the "Statement" array, replacing {{my-interactive-session-role-prefix}} with the prefix for all common roles to associate with permissions for Amazon Glue.

   ```
   {
       "Action": [
           "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": "arn:aws-cn:iam::*:role/{{my-interactive-session-role-prefix}}*",
       "Condition": {
           "StringLike": {
               "iam:PassedToService": [
                   "glue.amazonaws.com"
               ]
           }
       }
   }
   ```

    Here is the full example, with the `Version` element and the `Statement` array included in the policy:


   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "iam:PassRole"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws-cn:iam::*:role/{{my-interactive-session-role-prefix}}*",
         "Condition": {
           "StringLike": {
             "iam:PassedToService": [
               "glue.amazonaws.com"
             ]
           }
         }
       }
     ]
   }
   ```


1. To enable the policy for a user, choose **Users**.

1. Choose the user to whom you want to attach the policy.
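
Before attaching a policy that grants `iam:PassRole`, you can check that each such statement is limited to a role prefix and to Amazon Glue, as the policy in this procedure is. The following Python script is an added example, not part of the original page or of any Amazon tooling; the function names and the role prefix `example-glue-prefix` are assumptions, and the check covers only the direct cases shown here (explicit `iam:PassRole`, `iam:*` or `*` actions).

```python
import json
# Constructed sample: the page's policy shape with a hypothetical role prefix,
# plus a second, deliberately loose statement for contrast.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["iam:PassRole"], "Effect": "Allow",
     "Resource": "arn:aws-cn:iam::*:role/example-glue-prefix*",
     "Condition": {"StringLike": {"iam:PassedToService": ["glue.amazonaws.com"]}}},
    {"Action": "iam:PassRole", "Effect": "Allow", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]

def lint_passrole(policy, service="glue.amazonaws.com"):
    """Return (statement index, finding) pairs for Allow statements that grant iam:PassRole."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants = any(a in ("iam:passrole", "iam:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        for res in as_list(stmt.get("Resource", [])):
            # "*" or a role ARN ending in ":role/*" covers every role, not one prefix.
            if res == "*" or res.endswith(":role/*"):
                findings.append((i, f"Resource {res!r} is not limited to a role prefix"))
        cond = stmt.get("Condition", {})
        services = [v for op in ("StringEquals", "StringLike")
                    for key, vals in cond.get(op, {}).items()
                    if key.lower() == "iam:passedtoservice" for v in as_list(vals)]
        if not services:
            findings.append((i, "no iam:PassedToService condition"))
        for svc in services:
            if svc != svc.strip():
                findings.append((i, f"service value {svc!r} has leading or trailing whitespace"))
            elif svc != service:
                findings.append((i, f"role may also be passed to {svc!r}"))
    return findings

if __name__ == "__main__":
    for index, finding in lint_passrole(SAMPLE_POLICY):
        print(f"Statement[{index}]: {finding}")
```

An empty result means every `iam:PassRole` statement in the document is scoped the way this procedure describes.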