Review IAM permissions needed for the Amazon Glue Studio user - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Review IAM permissions needed for the Amazon Glue Studio user

To use Amazon Glue Studio, the user must have access to various Amazon resources. The user must be able to view and select Amazon S3 buckets, IAM policies and roles, and Amazon Glue Data Catalog objects.

Amazon Glue service permissions

Amazon Glue Studio uses the actions and resources of the Amazon Glue service. Your user needs permissions on these actions and resources to effectively use Amazon Glue Studio. You can grant the Amazon Glue Studio user the AWSGlueConsoleFullAccess managed policy, or create a custom policy with a smaller set of permissions.

Important

As a security best practice, tighten these policies so that access to Amazon S3 buckets and Amazon CloudWatch log groups is limited to the specific resources the user needs, rather than granting them on all resources. For an example Amazon S3 policy, see Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket.

Creating Custom IAM Policies for Amazon Glue Studio

You can create a custom policy with a smaller set of permissions for Amazon Glue Studio. The policy can grant permissions for a subset of objects or actions. Use the following information when creating a custom policy.

To use the Amazon Glue Studio APIs, include glue:UseGlueStudio in the Action element of a policy statement attached to the user. glue:UseGlueStudio grants all of the Amazon Glue Studio actions listed below, including actions added to the API later, so you do not have to list them individually.

Directed acyclic graph (DAG) Actions

  • CreateDag

  • UpdateDag

  • GetDag

  • DeleteDag

Job Actions

  • SaveJob

  • GetJob

  • CreateJob

  • DeleteJob

  • GetJobs

  • UpdateJob

Job run Actions

  • StartJobRun

  • GetJobRuns

  • BatchStopJobRun

  • GetJobRun

  • QueryJobRuns

  • QueryJobs

  • QueryJobRunsAggregated

Schema Actions

  • GetSchema

  • GetInferredSchema

Database Actions

  • GetDatabases

Plan Actions

  • GetPlan

Table Actions

  • SearchTables

  • GetTables

  • GetTable

Connection Actions

  • CreateConnection

  • DeleteConnection

  • UpdateConnection

  • GetConnections

  • GetConnection

Mapping Actions

  • GetMapping

S3 Proxy Actions

  • ListBuckets

  • ListObjectsV2

  • GetBucketLocation

Security Configuration Actions

  • GetSecurityConfigurations

Script Actions

  • CreateScript (distinct from the Amazon Glue API action of the same name)

Accessing Amazon Glue Studio APIs

To access Amazon Glue Studio, add glue:UseGlueStudio to the Action list of a statement in the user's IAM policy.

In the example below, glue:UseGlueStudio is included in the Action list, but the Amazon Glue Studio actions are not individually identified. That is because including glue:UseGlueStudio automatically grants access to the internal Amazon Glue Studio APIs without having to specify each one in the IAM policy.

The other actions listed in the example (for example, glue:SearchTables) are regular Amazon Glue API actions, not Amazon Glue Studio APIs, so they must be granted explicitly as required. You may also want to include the Amazon S3 proxy actions to control the level of Amazon S3 access granted. The example policy below lets the user open Amazon Glue Studio, create a visual job, and save and run it, provided that the IAM role selected for the job has sufficient access. Note that the first statement grants its actions on Resource "*"; scope it down where your environment allows.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:UseGlueStudio",
        "iam:ListRoles",
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:ListRolePolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "glue:SearchTables",
        "glue:GetConnections",
        "glue:GetJobs",
        "glue:GetTables",
        "glue:BatchStopJobRun",
        "glue:GetSecurityConfigurations",
        "glue:DeleteJob",
        "glue:GetDatabases",
        "glue:CreateConnection",
        "glue:GetSchema",
        "glue:GetTable",
        "glue:GetMapping",
        "glue:CreateJob",
        "glue:DeleteConnection",
        "glue:CreateScript",
        "glue:UpdateConnection",
        "glue:GetConnection",
        "glue:StartJobRun",
        "glue:GetJobRun",
        "glue:UpdateJob",
        "glue:GetPlan",
        "glue:GetJobRuns",
        "glue:GetTags",
        "glue:GetJob",
        "glue:QueryJobRuns",
        "glue:QueryJobs",
        "glue:QueryJobRunsAggregated"
      ],
      "Resource": "*"
    },
    {
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "glue.amazonaws.com"
          ]
        }
      }
    }
  ]
}
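The following script is an added example, not code from the Amazon Glue documentation or service. It applies the three checks this topic asks for to a policy document loaded offline: that glue:UseGlueStudio (or a wildcard covering it) is granted, that every iam:PassRole grant is restricted to a role name pattern and carries an iam:PassedToService condition limited to glue.amazonaws.com, and that no Amazon S3 or CloudWatch Logs actions are granted on Resource "*". The sample policies embedded in it are constructed: the first is modelled on the example policy above with the action list shortened, the second is a deliberately loose policy of the kind the Important note warns against. Only Allow statements with an Action element are evaluated; Deny, NotAction and NotResource are ignored, which is a simplification of this example and not how IAM itself evaluates policies.

```python
"""Static least-privilege checks for an Amazon Glue Studio user policy.

Added example; not part of the Amazon Glue documentation. Standard library only.
Simplification (assumption of this example): only Allow statements with an
Action element are evaluated; Deny, NotAction and NotResource are ignored.
"""
import fnmatch
import json

# Constructed sample modelled on the page's example policy (Glue action list
# shortened; the iam:PassRole statement reproduced as on the page).
GLUE_STUDIO_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": ["glue:UseGlueStudio", "iam:ListRoles", "iam:GetRole",
                 "glue:SearchTables", "glue:GetDatabases", "glue:CreateJob",
                 "glue:StartJobRun", "glue:GetJobRuns"],
      "Resource": "*"
    },
    {
      "Action": ["iam:PassRole"],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
      "Condition": {"StringLike": {"iam:PassedToService": ["glue.amazonaws.com"]}}
    }
  ]
}
""")

# Constructed counter-example: the loose shape the Important note warns against.
LOOSE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GlueAll", "Effect": "Allow", "Action": "glue:*", "Resource": "*"},
        {"Sid": "S3Anywhere", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows most elements to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _action_matches(action, pattern):
    """IAM action matching is case-insensitive with * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def grants_action(policy, action):
    """True if any Allow statement's Action covers `action`, wildcards included."""
    return any(_action_matches(action, p)
               for s in _allow_statements(policy) for p in _as_list(s.get("Action")))


def grants_glue_studio(policy):
    """The page's requirement: glue:UseGlueStudio, or a wildcard that covers it."""
    return grants_action(policy, "glue:UseGlueStudio")


def passrole_findings(policy):
    """Flag iam:PassRole grants that let the user hand any role to any service."""
    findings = []
    for s in _allow_statements(policy):
        if not any(_action_matches("iam:PassRole", p) for p in _as_list(s.get("Action"))):
            continue
        sid = s.get("Sid", "<no Sid>")
        if any(r == "*" or r.endswith(":role/*") for r in _as_list(s.get("Resource"))):
            findings.append(f"{sid}: iam:PassRole allowed on any role")
        # Condition operators and keys are case-insensitive in IAM, so compare lower-cased.
        services = [v for op, keys in s.get("Condition", {}).items()
                    if op.lower() in ("stringequals", "stringlike")
                    for key, vals in keys.items()
                    if key.lower() == "iam:passedtoservice"
                    for v in _as_list(vals)]
        if not services:
            findings.append(f"{sid}: iam:PassRole has no iam:PassedToService condition")
        elif any(v.lower() != "glue.amazonaws.com" for v in services):
            findings.append(f"{sid}: iam:PassedToService is not limited to glue.amazonaws.com")
    return findings


def broad_data_access(policy, prefixes=("s3:", "logs:")):
    """Flag Amazon S3 or CloudWatch Logs actions granted on Resource "*"."""
    findings = []
    for s in _allow_statements(policy):
        if "*" not in _as_list(s.get("Resource")):
            continue
        broad = [a for a in _as_list(s.get("Action")) if a == "*" or a.lower().startswith(prefixes)]
        if broad:
            findings.append(f'{s.get("Sid", "<no Sid>")}: {", ".join(broad)} on Resource "*"')
    return findings


def review(policy):
    """One entry per finding; an empty list means all three checks passed."""
    report = []
    if not grants_glue_studio(policy):
        report.append("glue:UseGlueStudio is not granted; Amazon Glue Studio will not open")
    return report + passrole_findings(policy) + broad_data_access(policy)


if __name__ == "__main__":
    for name, pol in (("page policy", GLUE_STUDIO_POLICY), ("loose policy", LOOSE_POLICY)):
        print(f"{name}: {review(pol) or ['no findings']}")
```

To run it against a real policy, load the JSON returned by aws iam get-policy-version (the Document field) or a policy copied from the console and pass the resulting dict to review(). The PassRole check is the one that matters most: a statement allowing iam:PassRole on Resource "*" with no iam:PassedToService condition lets the user attach any role in the account to any service that accepts roles, which is a privilege-escalation path well beyond Amazon Glue Studio.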

Notebook and data preview permissions

Data previews and notebooks let you see a sample of your data at any stage of your job (reading, transforming, writing) without having to run the job. You specify an Amazon Identity and Access Management (IAM) role for Amazon Glue Studio to use when accessing the data. IAM roles are intended to be assumed and do not have standard long-term credentials such as a password or access keys associated with them. Instead, when Amazon Glue Studio assumes the role, IAM provides it with temporary security credentials.

To ensure that data previews and notebook commands work correctly, use a role whose name starts with the string AWSGlueServiceRole, which matches the iam:PassRole resource pattern in the example policy above. If you choose a different name for your role, you must grant iam:PassRole for that role and configure a policy for the role in IAM. For more information, see Create an IAM policy for roles not named "AWSGlueServiceRole*".

Warning

If a role grants the iam:PassRole permission for a notebook and you implement role chaining, a user could unintentionally gain access to the notebook. There is currently no auditing implemented that would allow you to monitor which users have been granted access to the notebook.

If you would like to deny an IAM identity the ability to create data preview sessions, consult the following example Deny an identity the ability to create data preview sessions.

Amazon CloudWatch permissions

You can monitor your Amazon Glue Studio jobs using Amazon CloudWatch, which collects and processes raw data from Amazon Glue into readable, near-real-time metrics. By default, Amazon Glue metrics data is sent to CloudWatch automatically. For more information, see What Is Amazon CloudWatch? in the Amazon CloudWatch User Guide, and Amazon Glue Metrics in the Amazon Glue Developer Guide.

To access CloudWatch dashboards, the user accessing Amazon Glue Studio needs one of the following:

  • The AdministratorAccess policy

  • The CloudWatchFullAccess policy

  • A custom policy that includes one or more of these specific permissions:

    • cloudwatch:GetDashboard and cloudwatch:ListDashboards to view dashboards

    • cloudwatch:PutDashboard to create or modify dashboards

    • cloudwatch:DeleteDashboards to delete dashboards

For more information about changing permissions for an IAM user using policies, see Changing Permissions for an IAM User in the IAM User Guide.