Interactive sessions with IAM - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Interactive sessions with IAM

These sections describe security considerations for Amazon Glue interactive sessions.

IAM principals used with interactive sessions

You use two IAM principals used with Amazon Glue interactive sessions.

  • Client principal: The client principal (either a user or a role) authorizes API operations for interactive sessions from an Amazon Glue client that's configured with the principal's identity-based credentials. For example, this could be an IAM user whose credentials are used for the Amazon Command Line Interface, or an Amazon Glue client used by the interactive sessions Jupyter kernel. This could also be an IAM role principal that you typically use to access the Amazon Glue console.

  • Runtime role: The runtime role is an IAM role that the client principal passes to interactive sessions API operations. Amazon Glue uses this role to run statements in your session. For example, this role could be the one used for running Amazon Glue ETL jobs.

    For more information, see Setting up a runtime role.

Setting up a client principal

You must attach an identity policy to the client principal to allow it to call the Interactive Sessions API. This role must have iam:PassRole access to the execution role that you would pass to the Interactive Sessions API, such as CreateSession. For example, you can attach the AWSGlueConsoleFullAccess managed policy to an IAM user which allows all IAM users in your accounter with the same or similar policy attached to it to access all the sessions created in your account (such as runtime statement or cancel statement).

If you would like to protect your session and make it private only to the IAM user who created the session then you can use Amazon Glue Interactive Session's Tag Based Authorization Control called TagOnCreate. For more information, see Make your session private with TagOnCreate on how an owner tag-based scoped down managed policy can make your session private with TagOnCreate. For more information on identity based policies, see Using identity based policies .

Setting up a runtime role

You must pass an IAM role to the CreateSession API operation in order to allow Amazon Glue to assume and run statements in interactive sessions. The role should have the same IAM permissions as those required to run a typical Amazon Glue job. For example, you can create a service role using the AWSGlueServiceRole policy that allows Amazon Glue to call Amazon services on your behalf. If you use the Amazon Glue console, it will automatically create a service role on your behalf or use an existing one. You can also create your own IAM role and attach your own IAM policy to allow similar permissions.

If you would like to protect your session and make it private only to the IAM user who created the session then you can use Amazon Glue Interactive Session's Tag Based Authorization Control called TagOnCreate. For more information, see Make your session private with TagOnCreate on how an owner tag-based scoped down managed policy can make your session private with TagOnCreate. For more information on identity based policies, see Using identity based policies . If you are creating the execution role by yourself from the IAM console and you want to make your service private with TagOnCreate feature then follow the steps below.

  1. Create an IAM role with role type set to Glue.

  2. Attach this Amazon Glue managed policy: AwsGlueSessionUserRestrictedServiceRole

  3. Prefix the role name with the policy name AwsGlueSessionUserRestrictedServiceRole. For example, you can create a role with name AwsGlueSessionUserRestrictedServiceRole-myrole and attach Amazon Glue managed policy AwsGlueSessionUserRestrictedServiceRole.

  4. Attach a trust policy like following to allow Amazon Glue to assume the role:

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "glue.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } }

For an interactive sessions Jupyter kernel, you can specify the iam_role key in your Amazon Command Line Interface profile. For more information, see Configuring sessions with ~/.aws/config . If you're interacting with interactive sessions using an Amazon Glue notebook, then you can pass the execution role in the %iam_role magic in the first cell that you run.

Make your session private with TagOnCreate

Amazon Glue interactive sessions supports tagging and Tag Based Authorization (TBAC) for interactive sessions as a named resource. In addition to TBAC using TagResource and UntagResource APIs, Amazon Glue interactive sessions supports the TagOnCreate feature to 'tag' a session with a given tag only during session creation with CreateSession operation. This also means those tags will be removed on DeleteSession, aka UntagOnDelete.

TagOnCreate offers a powerful security mechanism to make your session private to the creator of the session. For example, you can attach an IAM policy with "owner" RequestTag and value of ${aws:userId} to a client principal (such as an IAM user) in order to allow creating a session only if an "owner" tag with matching value of the callers userId is provided as userId tag in CreateSession request. This policy allows Amazon Glue interactive sessions to create a session resource and tag the session with the userId tag only during session creation time. In addition to it you can scope down the access (like running statements) to your session only to the creator (aka owner tag with value ${aws:userId}) of the session by attaching an IAM policy with "owner" ResourceTag to the execution role you passed in during CreateSession.

In order to make it easier for you to use TagOnCreate feature to make a session private to the session creator, Amazon Glue provides specialized managed policies and service roles. For example, you can attach the AWSGlueSessionUserRestrictedPolicy to each of the IAM users in your account to restrict them creating a session only with a owner tag with a value matching their own ${aws:userId}. For more information, see Using identity based policies . This policy scopes down the access to a session only to the creator aka the ${aws:userId} of the IAM user who created the session with owner tag baring their own ${aws:userId}. If you have created the execution role yourself using IAM console by following the steps in Setting up a Runtime Role, then in addition to attaching AwsGlueSessionUserRestrictedPolicy managed policy also attach the following inline policy to each of the IAM users in your account to allow iam:PassRole for the execution role you created eariler.

{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/AwsGlueSessionUserRestrictedServiceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "glue.amazonaws.com" ] } } }] }

If you want to create a Amazon Glue Interactive Session using an IAM AssumeRole principal (that is, using credential vended by assuming an IAM role) and you want to make the session private to the creator, then instead of using the AWSGlueSessionUserRestrictedPolicy and AWSGlueSessionUserRestrictedServiceRole you need to use policies similar to the AWSGlueSessionUserRestrictedNotebookPolicy and AWSGlueSessionUserRestrictedNotebookServiceRole respectively. These policies allow Amazon Glue to use ${aws:PrincipalTag} to extract the owner tag value. This requires you to pass a userId tag with value ${aws:userId} as SessionTag in the assume role credential. See ID session tags . If you are using an Amazon EC2 instance with an instance profile vending the credential and you want to create a session or interact with the session from within the Amazon EC2 instance , then you would require to pass a userId tag with value ${aws:userId} as SessionTag in the assume role credential.

For example, If you are creating a session using an IAM AssumeRole principal credential and you want to make your service private with TagOnCreate feature then follow the steps below.

  1. Create a runtime role yourself from the IAM console. Please attach this Amazon Glue managed policy AwsGlueSessionUserRestrictedNotebookServiceRole and prefix the role name with the policy name AwsGlueSessionUserRestrictedNotebookServiceRole. For example, you can create a role with name AwsGlueSessionUserRestrictedNotebookServiceRole-myrole and attach Amazon Glue managed policy AwsGlueSessionUserRestrictedNotebookServiceRole.

  2. Attach a trust policy like below to allow Amazon Glue to assume the above role.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "glue.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] }
  3. Create another role named with a perfix AwsGlueSessionUserRestrictedNotebookPolicy and attach the Amazon Glue managed policy AwsGlueSessionUserRestrictedNotebookPolicy to make the session private. In addition to the managed policy please attach the following inline policy to allow iam:PassRole to the role you created in step 1.

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::*:role/AwsGlueSessionUserRestrictedNotebookServiceRole*" ], "Condition": { "StringLike": { "iam:PassedToService": [ "glue.amazonaws.com" ] } } } ] }
  4. Attach a trust policy like following to the above IAM Amazon Glue to assume the role.

    { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": [ "glue.amazonaws.com" ] }, "Action": [ "sts:AssumeRole", "sts:TagSession" ] }] }
    Note

    Optionally, you can use a single role (for example, notebook role) and attach both of the above managed policies AwsGlueSessionUserRestrictedNotebookServiceRole and AwsGlueSessionUserRestrictedNotebookPolicy. Also attach the additional inline policy to allow iam:passrole of your role to Amazon Glue. And finally attach the above trust policy to allow sts:AssumeRole and sts:TagSession.

AWSGlueSessionUserRestrictedPolicy

The AWSGlueSessionUserRestrictedPolicy provides access to create a Amazon Glue Interactive Session using the CreateSession API only if a tag key "owner" and value matching their Amazon user ID is provided. This identity policy is attached to the IAM user that invokes the CreateSession API. This policy also permits to interact with the Amazon Glue Interactive Session resources that were created with a "owner" tag and value matching their Amazon user id. This policy denies permission to change or remove "owner" tag from a Amazon Glue session resource after the session is created.

AWSGlueSessionUserRestrictedServiceRole

The AWSGlueSessionUserRestrictedServiceRole provides full access to all Amazon Glue resources except for sessions and allows users to create and use only the interactive sessions that are associated with the user. This policy also includes other permissions needed by Amazon Glue to manage Glue resources in other Amazon services. The policy also allows adding tags to Amazon Glue resources in other Amazon services.

AWSGlueSessionUserRestrictedNotebookPolicy

The AWSGlueSessionUserRestrictedNotebookPolicy provides access to create a Amazon Glue Interactive Session from a notebook only if a tag key "owner" and value matching the Amazon user id of the principal (IAM user or Role). For more information, see Where you can use policy variables . This policy is attached to the principal (IAM User or role) that creates Amazon Glue Interactive Session notebooks from Amazon Glue Studio. This policy also permits sufficient access to the Amazon Glue Studio notebook to interact with the Amazon Glue Studio Interactive Session resources that are created with the "owner" tag value matching the Amazon user ID of the principal. This policy denies permission to change or remove "owner" tag from a Amazon Glue session resource after the session is created.

AWSGlueSessionUserRestrictedNotebookServiceRole

The AWSGlueSessionUserRestrictedNotebookServiceRole provides sufficient access to the Amazon Glue Studio notebook to interact with the Amazon Glue Interactive Session resources that are created with the "owner" tag value matching the Amazon user ID of the principal (IAM user or role) of the notebook creator. For more information, see Where you can use policy variables . This service-role policy is attached to the role that is passed as magic to a notebook or passed as execution role to the CreateSession API. This policy also permits to create a Amazon Glue Interactive Session from a notebook only if a tag key "owner" and value matching the Amazon user ID of the principal. This policy denies permission to change or remove "owner" tag from an Amazon Glue session resource after the session is created. This policy also includes permissions for writing and reading from Amazon S3 buckets, writing CloudWatch logs, creating and deleting tags for Amazon EC2 resources used by Amazon Glue.

IAM policy considerations

Interactive sessions are IAM resources in Amazon Glue. Because they are IAM resources, access and interaction to a session is governed by IAM policies. Based on the IAM policies attached to a client principal or execution role configured by an admin, a client principal (user or role) will be able to create new sessions and interact with its own sessions and other sessions.

If an admin has attached an IAM policy such as AWSGlueConsoleFullAccess (https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html) or AWSGlueServiceRole (https://docs.aws.amazon.com/glue/latest/dg/using-identity-based-policies.html) that allows access to all Amazon Glue resources in that account, a client principal will be able to collaborate with each other. For example, one IAM user will be able to interact with sessions that are created by other IAM users if policies allow this.

If you'd like to configure a policy tailored to your specific needs, see IAM documentation about configuring resources for a policy For example, in order to isolate sessions that belong to an IAM user, in order to isolate sessions that belong to an IAM user, you can use the TagOnCreate feature supported by Glue IS. See Make your session private with TagOnCreate .