Getting started with notebooks in Amazon Glue Studio
When you start a notebook through Amazon Glue Studio, all the configuration steps are done for you so that you can explore your data and start developing your job script after only a few seconds.
The following sections describe how to create a role and grant the appropriate permissions to use notebooks in Amazon Glue Studio for ETL jobs.
For more information on actions defined by Amazon Glue, see Actions defined by Amazon Glue.
Granting permissions for the IAM role
Setting up Amazon Glue Studio is a prerequisite to using notebooks.
To use notebooks in Amazon Glue, your role requires the following:
- A trust relationship with Amazon Glue for the sts:AssumeRole action and, if you use tagging, the sts:TagSession action.
- An IAM policy containing all the permissions for notebooks, Amazon Glue, and interactive sessions.
- An IAM policy granting iam:PassRole, because the role needs to be able to pass itself from the notebook to interactive sessions.
For example, when you create a new role, you can add a standard Amazon managed policy like AWSGlueConsoleFullAccessRole to the role, and then add a new policy for the notebook operations and another for the IAM PassRole permission.
Actions needed for a trust relationship with Amazon Glue
When starting a notebook session, you must add the sts:AssumeRole action to the trust relationship of the role that is passed to the notebook. If your session includes tags, you must also allow the sts:TagSession action. Without these actions, the notebook session cannot start.
For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policies containing IAM permissions for notebooks
The following sample policy describes the required Amazon IAM permissions for notebooks. If you are creating a new role, create a policy that contains the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:StartNotebook",
        "glue:TerminateNotebook",
        "glue:GlueNotebookRefreshCredentials",
        "glue:DeregisterDataPreview",
        "glue:GetNotebookInstanceStatus",
        "glue:GlueNotebookAuthorize"
      ],
      "Resource": "*"
    }
  ]
}
You can use the following IAM policies to allow access to specific resources:
- AwsGlueSessionUserRestrictedNotebookServiceRole: Provides full access to all Amazon Glue resources except for sessions. Allows users to create and use only the notebook sessions that are associated with the user. This policy also includes other permissions needed by Amazon Glue to manage Amazon Glue resources in other Amazon services.
- AwsGlueSessionUserRestrictedNotebookPolicy: Provides permissions that allow users to create and use only the notebook sessions that are associated with the user. This policy also includes permissions to explicitly allow users to pass a restricted Amazon Glue session role.
IAM policy to pass a role
When you create a notebook with a role, that role is then passed to interactive sessions so that the same role can be used in both places. As such, the iam:PassRole permission needs to be part of the role's policy.
Create a new policy for your role using the following example. Replace the account number and the role name with your own.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::090000000210:role/<role_name>"
    }
  ]
}
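The three requirements above (trust relationship, notebook permissions, and a PassRole grant scoped to the role itself) can be checked offline before the role is used. The following is an added example, not part of the Amazon Glue documentation; the role ARN and policy documents are constructed for illustration, and `check_notebook_role` is a hypothetical helper name.

```python
# Offline checker for a Glue Studio notebook role: verifies the trust policy,
# the notebook permissions and the iam:PassRole grant described on this page.
# Example code, not AWS's; the policy documents below are constructed samples.
REQUIRED_NOTEBOOK_ACTIONS = {
    "glue:StartNotebook", "glue:TerminateNotebook",
    "glue:GlueNotebookRefreshCredentials", "glue:DeregisterDataPreview",
    "glue:GetNotebookInstanceStatus", "glue:GlueNotebookAuthorize",
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def check_notebook_role(role_arn, trust_policy, permission_policies, tags_used=False):
    """Return a list of findings; an empty list means all three requirements are met."""
    findings = []
    # 1. Trust relationship: glue.amazonaws.com must get sts:AssumeRole (and sts:TagSession with tags).
    trusted = set()
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and "glue.amazonaws.com" in services:
            trusted |= set(_as_list(st["Action"]))
    needed = {"sts:AssumeRole"} | ({"sts:TagSession"} if tags_used else set())
    for action in sorted(needed - trusted):
        findings.append(f"trust policy: glue.amazonaws.com is not allowed {action}")
    # 2. Notebook permissions: every required glue:* action must be allowed somewhere.
    allowed = {}  # action -> set of resources it is granted on
    for policy in permission_policies:
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            for action in _as_list(st["Action"]):
                allowed.setdefault(action, set()).update(_as_list(st["Resource"]))
    for action in sorted(REQUIRED_NOTEBOOK_ACTIONS - set(allowed)):
        findings.append(f"permissions: missing {action}")
    # 3. PassRole: must be present and should name this role, not a wildcard.
    pass_resources = allowed.get("iam:PassRole")
    if not pass_resources:
        findings.append("permissions: missing iam:PassRole")
    elif "*" in pass_resources:
        findings.append("permissions: iam:PassRole is granted on '*' (wider than needed)")
    elif role_arn not in pass_resources:
        findings.append("permissions: iam:PassRole does not name this role's ARN")
    return findings

ROLE_ARN = "arn:aws:iam::090000000210:role/GlueNotebookRole"  # constructed example role
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Principal": {"Service": "glue.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
NOTEBOOK_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Action": sorted(REQUIRED_NOTEBOOK_ACTIONS), "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
         "Action": "iam:PassRole", "Resource": ROLE_ARN}]}

if __name__ == "__main__":
    print(check_notebook_role(ROLE_ARN, TRUST, [NOTEBOOK_POLICY, PASSROLE_POLICY]))  # []
```

With `tags_used=True` the same input reports the missing sts:TagSession, and a PassRole statement on `"*"` is flagged as wider than the page's example.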