
Resource-based policy examples for Amazon Glue

This section contains example resource-based policies, including policies that grant cross-account access.

The examples use the Amazon Command Line Interface (Amazon CLI) to interact with Amazon Glue service API operations. You can perform the same operations on the Amazon Glue console or using one of the Amazon SDKs.

Important

By changing an Amazon Glue resource policy, you might accidentally revoke permissions for existing Amazon Glue users in your account and cause unexpected disruptions. Try these examples only in development or test accounts, and ensure that they don't break any existing workflows before you make the changes.

Considerations for using resource-based policies with Amazon Glue

Note

Both IAM policies and an Amazon Glue resource policy take a few seconds to propagate. After you attach a new policy, you might notice that the old policy is still in effect until the new policy has propagated through the system.

You use a policy document written in JSON format to create or modify a resource policy. The policy syntax is the same as for an identity-based IAM policy (see IAM JSON policy reference), with the following exceptions:

  • A "Principal" or "NotPrincipal" block is required for each policy statement.

  • The "Principal" or "NotPrincipal" must identify valid existing principals. Wildcard patterns (like arn:aws-cn:iam::account-id:user/*) are not allowed.

  • The "Resource" block in the policy requires all resource ARNs to match the following regular expression syntax (where the first %s is the region, and the second %s is the account-id):

    arn:aws-cn:glue:%s:%s:(\*|[a-zA-Z\*]+\/?.*)

    For example, both arn:aws:glue:us-west-2:account-id:* and arn:aws:glue:us-west-2:account-id:database/default are allowed, but * is not allowed.

  • Unlike identity-based policies, an Amazon Glue resource policy must only contain Amazon Resource Names (ARNs) of resources that belong to the catalog that the policy is attached to. Such ARNs always start with arn:aws-cn:glue:.

  • A policy cannot cause the identity that creates it to be locked out of further policy creation or modification.

  • A resource-policy JSON document cannot exceed 10 KB in size.

Use a resource policy to control access in the same account

In this example, an admin user in Account A creates a resource policy that grants IAM user Alice in Account A full access to the catalog. Alice has no IAM policy attached.

To do this, the admin user runs the following Amazon CLI command.

# Run as admin of Account A
$ aws glue put-resource-policy --profile administrator-name --region us-west-2 --policy-in-json '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Principal": {
          "AWS": [
            "arn:aws-cn:iam::account-A-id:user/Alice"
          ]
        },
        "Effect": "Allow",
        "Action": [
          "glue:*"
        ],
        "Resource": [
          "arn:aws:glue:us-west-2:account-A-id:*"
        ]
      }
    ]
  }'

Instead of entering the JSON policy document as a part of your Amazon CLI command, you can save a policy document in a file and reference the file path in the Amazon CLI command, prefixed by file://. The following is an example of how you might do that.

$ echo '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Principal": {
          "AWS": [
            "arn:aws-cn:iam::account-A-id:user/Alice"
          ]
        },
        "Effect": "Allow",
        "Action": [
          "glue:*"
        ],
        "Resource": [
          "arn:aws:glue:us-west-2:account-A-id:*"
        ]
      }
    ]
  }' > /temp/policy.json
$ aws glue put-resource-policy --profile admin1 \
    --region us-west-2 --policy-in-json file:///temp/policy.json
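Because put-resource-policy replaces the whole catalog policy, it is worth checking a policy document against the rules listed under "Considerations for using resource-based policies with Amazon Glue" before sending it, rather than discovering a rejected or lockout-prone document on the live account. The following Python script is an added example, not code from the Amazon Glue documentation: it builds the same-account policy for Alice shown above, then applies the documented checks (Principal or NotPrincipal present, no wildcard principals, every Resource a Glue ARN matching the catalog's region and account, no bare "*", document under 10 KB) and returns a list of violations. The account id 111122223333, the region and the function names are constructed for illustration; the script writes nothing to Amazon Web Services and only produces the JSON you would pass with file://.

```python
import json
import re

# Pattern from the Considerations section: the first %s is the region,
# the second %s is the account id.
GLUE_ARN_PATTERN = r"arn:aws-cn:glue:%s:%s:(\*|[a-zA-Z\*]+\/?.*)"
MAX_POLICY_BYTES = 10 * 1024  # documented 10 KB limit on the policy document


def build_same_account_policy(account_id, principal_user, region):
    """Return the same-account policy from the example: glue:* on the whole catalog for one IAM user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Principal": {"AWS": [f"arn:aws-cn:iam::{account_id}:user/{principal_user}"]},
                "Effect": "Allow",
                "Action": ["glue:*"],
                "Resource": [f"arn:aws-cn:glue:{region}:{account_id}:*"],
            }
        ],
    }


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_glue_resource_policy(policy, region, account_id):
    """Return the list of documented-rule violations for a policy; an empty list means it passes."""
    problems = []

    # Rule: the JSON document cannot exceed 10 KB.
    size = len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        problems.append(f"policy document is {size} bytes, limit is {MAX_POLICY_BYTES}")

    # Anchor the documented regex to this catalog's region and account.
    arn_re = re.compile("^" + GLUE_ARN_PATTERN % (re.escape(region), re.escape(account_id)) + "$")

    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"

        # Rule: every statement needs a Principal or NotPrincipal block.
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{where}: missing Principal/NotPrincipal")

        # Rule: principals must be concrete identities; wildcard patterns are rejected.
        principal = stmt.get("Principal", stmt.get("NotPrincipal", {}))
        principal_arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in principal_arns:
            if "*" in p:
                problems.append(f"{where}: wildcard principal {p!r} not allowed")

        # Rule: resources must be Glue ARNs of the catalog the policy is attached to;
        # a bare "*" fails the first check, a foreign region/account fails the second.
        for r in _as_list(stmt.get("Resource", [])):
            if not r.startswith("arn:aws-cn:glue:"):
                problems.append(f"{where}: resource {r!r} is not a Glue ARN")
            elif not arn_re.match(r):
                problems.append(f"{where}: resource {r!r} does not match the catalog's region/account")

    return problems


if __name__ == "__main__":
    # Constructed sample values; replace with your own account id and region.
    account, region = "111122223333", "us-west-2"
    policy = build_same_account_policy(account, "Alice", region)
    issues = validate_glue_resource_policy(policy, region, account)
    if issues:
        raise SystemExit("\n".join(issues))
    with open("policy.json", "w") as fh:
        json.dump(policy, fh, indent=2)
    print("policy.json written; pass it with --policy-in-json file://policy.json")
```

Run the script, then hand the resulting file to `aws glue put-resource-policy --policy-in-json file://policy.json` as in the example above. The checks mirror the documented constraints only; the service still performs its own validation (including the rule that the creating identity must not lock itself out), so a clean result here means the document is well-formed, not that it is safe to apply without reviewing who loses access.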

After this resource policy has propagated, Alice can access all Amazon Glue resources in Account A, as follows.

# Run as user Alice
$ aws glue create-database --profile alice --region us-west-2 --database-input '{
    "Name": "new_database",
    "Description": "A new database created by Alice",
    "LocationUri": "s3://my-bucket"
  }'
$ aws glue get-table --profile alice --region us-west-2 --database-name "default" --table-name "tbl1"

In response to Alice's get-table call, the Amazon Glue service returns the following.

{
  "Table": {
    "Name": "tbl1",
    "PartitionKeys": [],
    "StorageDescriptor": {
      ......
    },
    ......
  }
}