Specifying Amazon Glue resource ARNs
In Amazon Glue, you can control access to resources using an Amazon Identity and Access Management (IAM) policy. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. Not all resources in Amazon Glue support ARNs.
Topics
Data Catalog ARNs
Data Catalog resources have a hierarchical structure, with catalog
as the
root.
arn:aws-cn:glue:
region
:account-id
:catalog
Each Amazon account has a single Data Catalog in an Amazon Region with the 12-digit account ID as the catalog ID. Resources have unique ARNs associated with them, as shown in the following table.
Resource type | ARN format |
---|---|
Catalog |
For example: |
Database |
For example: |
Table |
For example: |
User-defined function |
For example: |
Connection |
For example: |
Interactive Session |
For example: |
To enable fine-grained access control, you can use these ARNs in your IAM policies and
resource policies to grant and deny access to specific resources. Wildcards are allowed in the
policies. For example, the following ARN matches all tables in database
default
.
arn:aws-cn:glue:us-east-1:123456789012:table/default/*
Important
All operations performed on a Data Catalog resource require permission on the resource and
all the ancestors of that resource. For example, to create a partition for a table requires
permission on the table, database, and catalog where the table is located. The following
example shows the permission required to create partitions on table
PrivateTable
in database PrivateDatabase
in the Data Catalog.
{ "Sid": "GrantCreatePartitions", "Effect": "Allow", "Action": [ "glue:BatchCreatePartitions" ], "Resource": [ "arn:aws-cn:glue:us-east-1:123456789012:table/PrivateDatabase/PrivateTable", "arn:aws-cn:glue:us-east-1:123456789012:database/PrivateDatabase", "arn:aws-cn:glue:us-east-1:123456789012:catalog" ] }
In addition to permission on the resource and all its ancestors, all delete operations
require permission on all children of that resource. For example, deleting a database
requires permission on all the tables and user-defined functions in the database, in
addition to the database and the catalog where the database is located. The following
example shows the permission required to delete database PrivateDatabase
in the
Data Catalog.
{ "Sid": "GrantDeleteDatabase", "Effect": "Allow", "Action": [ "glue:DeleteDatabase" ], "Resource": [ "arn:aws-cn:glue:us-east-1:123456789012:table/PrivateDatabase/*", "arn:aws-cn:glue:us-east-1:123456789012:userDefinedFunction/PrivateDatabase/*", "arn:aws-cn:glue:us-east-1:123456789012:database/PrivateDatabase", "arn:aws-cn:glue:us-east-1:123456789012:catalog" ] }
In summary, actions on Data Catalog resources follow these permission rules:
Actions on the catalog require permission on the catalog only.
Actions on a database require permission on the database and catalog.
Delete actions on a database require permission on the database and catalog plus all tables and user-defined functions in the database.
Actions on a table, partition, or table version require permission on the table, database, and catalog.
Actions on a user-defined function require permission on the user-defined function, database, and catalog.
Actions on a connection require permission on the connection and catalog.
ARNs for non-catalog objects in Amazon Glue
Some Amazon Glue resources allow resource-level permissions to control access using an ARN. You can use these ARNs in your IAM policies to enable fine-grained access control. The following table lists the resources that can contain resource ARNs.
Resource type | ARN format |
---|---|
Crawler |
For example: |
Job |
For example: |
Trigger |
For example: |
Development endpoint |
For example: |
Machine learning transform |
For example: |
Access control for Amazon Glue non-catalog singular API operations
Amazon Glue non-catalog singular API operations act on a single item
(development endpoint). Examples are GetDevEndpoint
,
CreateUpdateDevEndpoint
, and UpdateDevEndpoint
. For these
operations, a policy must put the API name in the "action"
block and the
resource ARN in the "resource"
block.
Suppose that you want to allow a user to call the GetDevEndpoint
operation.
The following policy grants the minimum necessary permissions to an endpoint named
myDevEndpoint-1
.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "MinimumPermissions", "Effect": "Allow", "Action": "glue:GetDevEndpoint", "Resource": "arn:aws-cn:glue:us-east-1:123456789012:devEndpoint/myDevEndpoint-1" } ] }
The following policy allows UpdateDevEndpoint
access to resources that match
myDevEndpoint-
with a wildcard (*).
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionWithWildcard", "Effect": "Allow", "Action": "glue:UpdateDevEndpoint", "Resource": "arn:aws-cn:glue:us-east-1:123456789012:devEndpoint/myDevEndpoint-*" } ] }
You can combine the two policies as in the following example. You might see
EntityNotFoundException
for any development endpoint whose name begins with
A
. However, an access denied error is returned when you try to access other
development endpoints.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CombinedPermissions", "Effect": "Allow", "Action": [ "glue:UpdateDevEndpoint", "glue:GetDevEndpoint" ], "Resource": "arn:aws-cn:glue:us-east-1:123456789012:devEndpoint/A*" } ] }
Access control for Amazon Glue non-catalog API operations that retrieve multiple items
Some Amazon Glue API operations retrieve multiple items (such as multiple development
endpoints); for example, GetDevEndpoints
. For this operation, you can specify
only a wildcard (*) resource, and not specific ARNs.
For example, to include GetDevEndpoints
in the policy, the resource must be
scoped to the wildcard (*). The singular operations (GetDevEndpoint
,
CreateDevEndpoint
, and DeleteDevendpoint
) are also scoped to all
(*) resources in the example.
{ "Sid": "PluralAPIIncluded", "Effect": "Allow", "Action": [ "glue:GetDevEndpoints", "glue:GetDevEndpoint", "glue:CreateDevEndpoint", "glue:UpdateDevEndpoint" ], "Resource": [ "*" ] }
Access control for Amazon Glue non-catalog BatchGet API operations
Some Amazon Glue API operations retrieve multiple items (such as multiple development
endpoints); for example, BatchGetDevEndpoints
. For this operation, you can specify
an ARN to limit the scope of resources that can be accessed.
For example, to allow access to a specific development endpoint, include
BatchGetDevEndpoints
in the policy with its resource ARN.
{ "Sid": "BatchGetAPIIncluded", "Effect": "Allow", "Action": [ "glue:BatchGetDevEndpoints" ], "Resource": [ "arn:aws-cn:glue:us-east-1:123456789012:devEndpoint/de1" ] }
With this policy, you can successfully access the development endpoint named
de1
. However, if you try to access the development endpoint named
de2
, an error is returned.
An error occurred (AccessDeniedException) when calling the BatchGetDevEndpoints operation: No access to any requested resource.
Important
For alternative approaches to setting up IAM policies, such as using List
and
BatchGet
API operations, see Identity-based policy examples
for Amazon Glue.