Review IAM permissions needed for the Amazon Glue Studio user
To use Amazon Glue Studio, the user must have access to various Amazon resources. The user must be able to view and select Amazon S3 buckets, IAM policies and roles, and Amazon Glue Data Catalog objects.
Amazon Glue service permissions
Amazon Glue Studio uses the actions and resources of the Amazon Glue service. Your user needs
permissions on these actions and resources to effectively use Amazon Glue Studio. You can grant
the Amazon Glue Studio user the AWSGlueConsoleFullAccess
managed policy, or create
a custom policy with a smaller set of permissions.
Important
Per security best practices, it is recommended to restrict access by
tightening policies to further restrict access to Amazon S3 bucket and
Amazon CloudWatch log groups. For an example Amazon S3 policy,
see Writing IAM Policies: How to Grant Access to an Amazon S3
Bucket
Creating Custom IAM Policies for Amazon Glue Studio
You can create a custom policy with a smaller set of permissions for Amazon Glue Studio. The policy can grant permissions for a subset of objects or actions. Use the following information when creating a custom policy.
To use the Amazon Glue Studio APIs, include glue:UseGlueStudio
in the action policy
in your IAM permissions. Using glue:UseGlueStudio
will allow you to access
all Amazon Glue Studio actions even as more actions are added to the API over time.
For more information on actions defined by Amazon Glue, see
Actions defined by Amazon Glue
Data preparation authoring Actions
-
SendRecipeAction
-
GetRecipeAction
Directed acyclic graph (DAG) Actions
-
CreateDag
-
UpdateDag
-
GetDag
-
DeleteDag
Job Actions
-
SaveJob
-
GetJob
-
CreateJob
-
DeleteJob
-
GetJobs
-
UpdateJob
Job run Actions
-
StartJobRun
-
GetJobRuns
-
BatchStopJobRun
-
GetJobRun
-
QueryJobRuns
-
QueryJobs
-
QueryJobRunsAggregated
Schema Actions
-
GetSchema
-
GetInferredSchema
Database Actions
-
GetDatabases
Plan Actions
-
GetPlan
Table Actions
-
SearchTables
-
GetTables
-
GetTable
Connection Actions
-
CreateConnection
-
DeleteConnection
UpdateConnection
-
GetConnections
-
GetConnection
Mapping Actions
-
GetMapping
S3 Proxy Actions
-
ListBuckets
-
ListObjectsV2
-
GetBucketLocation
Security Configuration Actions
-
GetSecurityConfigurations
Script Actions
-
CreateScript (different from API of same name in Amazon Glue)
Accessing Amazon Glue Studio APIs
To access Amazon Glue Studio, add glue:UseGlueStudio
in the actions policy list in the IAM permissions.
In the example below, glue:UseGlueStudio
is included in the action policy,
but the Amazon Glue Studio APIs are not individually identified. That is because when you include glue:UseGlueStudio
,
you are automatically granted access to the internal APIs without having to specify the individual Amazon Glue Studio
APIs in the IAM permissions.
In the example, the additional listed action policies (for example, glue:SearchTables
) are not
Amazon Glue Studio APIs, so they will need to be included in the IAM permissions as required. You may also want to
include Amazon S3 Proxy actions to specify the level of Amazon S3 access to grant. The example policy below provides access to open
Amazon Glue Studio, create a visual job, and save/run it if the IAM role selected has sufficient access.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "glue:UseGlueStudio", "iam:ListRoles", "iam:ListUsers", "iam:ListGroups", "iam:ListRolePolicies", "iam:GetRole", "iam:GetRolePolicy", "glue:SearchTables", "glue:GetConnections", "glue:GetJobs", "glue:GetTables", "glue:BatchStopJobRun", "glue:GetSecurityConfigurations", "glue:DeleteJob", "glue:GetDatabases", "glue:CreateConnection", "glue:GetSchema", "glue:GetTable", "glue:GetMapping", "glue:CreateJob", "glue:DeleteConnection", "glue:CreateScript", "glue:UpdateConnection", "glue:GetConnection", "glue:StartJobRun", "glue:GetJobRun", "glue:UpdateJob", "glue:GetPlan", "glue:GetJobRuns", "glue:GetTags", "glue:GetJob", "glue:QueryJobRuns", "glue:QueryJobs", "glue:QueryJobRunsAggregated", "glue:SendRecipeAction", "glue:GetRecipeAction" ], "Resource": "*" }, { "Action": [ "iam:PassRole" ], "Effect": "Allow", "Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*", "Condition": { "StringLike": { "iam:PassedToService": [ "glue.amazonaws.com" ] } } } ] }
Notebook and data preview permissions
Data previews and notebooks allow you to see a sample of your data at any stage of your job (reading, transforming, writing), without having to run the job. You specify an Amazon Identity and Access Management (IAM) role for Amazon Glue Studio to use when accessing the data. IAM roles are intended to be assumable and do not have standard long-term credentials such as a password or access keys associated with it. Instead, when Amazon Glue Studio assumes the role, IAM provides it with temporary security credentials.
To ensure data previews and notebook commands work correctly, use a role that has
a name that starts with the string AWSGlueServiceRole
. If you choose to
use a different name for your role, then you must add the iam:passrole
permission and configure a policy for the role in IAM. For more information, see Create an IAM policy for roles not named
"AWSGlueServiceRole*".
Warning
If a role grants the iam:passrole
permission for a notebook, and
you implement role chaining, a user could unintentionally gain access to the
notebook. There is currently no auditing implemented which would allow you to
monitor which users have been granted access to the notebook.
If you would like to deny an IAM identity the ability to create data preview sessions, consult the following example Deny an identity the ability to create data preview sessions.
Amazon CloudWatch permissions
You can monitor your Amazon Glue Studio jobs using Amazon CloudWatch, which collects and processes raw data from Amazon Glue into readable, near-real-time metrics. By default, Amazon Glue metrics data is sent to CloudWatch automatically. For more information, see What Is Amazon CloudWatch? in the Amazon CloudWatch User Guide, and Amazon Glue Metrics in the Amazon Glue Developer Guide.
To access CloudWatch dashboards, the user accessing Amazon Glue Studio needs one of the following:
-
The
AdministratorAccess
policy -
The
CloudWatchFullAccess
policy -
A custom policy that includes one or more of these specific permissions:
-
cloudwatch:GetDashboard
andcloudwatch:ListDashboards
to view dashboards -
cloudwatch:PutDashboard
to create or modify dashboards -
cloudwatch:DeleteDashboards
to delete dashboards
-
For more information for changing permissions for an IAM user using policies, see Changing Permissions for an IAM User in the IAM User Guide.