Policies containing the API operations for creating and using connections - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Policies containing the API operations for creating and using connections

The following sample policy describes the required Amazon IAM permissions for creating and using connections. If you are creating a new role, create a policy that contains the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:ListConnectionTypes",
                "glue:DescribeConnectionType",
                "glue:RefreshOAuth2Tokens",
                "glue:ListEntities",
                "glue:DescribeEntity"
            ],
            "Resource": "*"
        }
    ]
}
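The following is an added example and is not code from the Amazon Glue documentation. It builds the policy above as a Python object (so the document cannot be hand-mangled), parses it back to prove it is valid JSON with well-formed action names, and optionally creates a role trusted by the Glue service and attaches the policy inline. The role name, the inline policy name GlueConnectionAccess, and the use of boto3 are assumptions; boto3 is imported only inside the attach step so everything else runs offline.

```python
"""Build, validate and optionally attach the Glue connection policy.

Added example, not part of the Amazon Glue documentation. The action list
is the one from the page; role and policy names are assumptions.
"""
import json
import re

# The five actions from the documentation's sample policy.
CONNECTION_ACTIONS = [
    "glue:ListConnectionTypes",
    "glue:DescribeConnectionType",
    "glue:RefreshOAuth2Tokens",
    "glue:ListEntities",
    "glue:DescribeEntity",
]

# IAM action names have the form "service:Action". Anything else is a typo.
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")


def build_connection_policy(actions=CONNECTION_ACTIONS):
    """Return the identity policy as a dict; rejects malformed action names."""
    for a in actions:
        if not ACTION_RE.match(a):
            raise ValueError(f"malformed IAM action: {a!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": "*"}
        ],
    }


def glue_trust_policy():
    """Trust policy that lets the Glue service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "glue.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def policy_json(policy):
    """Serialize a policy dict to the string form the IAM API expects."""
    return json.dumps(policy, indent=2)


def validate_policy_document(text):
    """Parse a policy string and return every action it allows.

    Raises ValueError on invalid JSON (for example two action strings with
    no comma between them) or on an action that is not "service:Action".
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy is not valid JSON: {exc}") from exc
    if doc.get("Version") != "2012-10-17":
        raise ValueError("unexpected or missing Version")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement
        statements = [statements]
    actions = []
    for stmt in statements:
        acts = stmt.get("Action", [])
        if isinstance(acts, str):
            acts = [acts]
        for a in acts:
            if not ACTION_RE.match(a):
                raise ValueError(f"malformed IAM action: {a!r}")
            actions.append(a)
    return actions


def attach_to_role(role_name, policy_name="GlueConnectionAccess"):
    """Create the role if needed and put the policy inline (needs credentials)."""
    import boto3  # assumption: boto3 is installed; imported lazily on purpose

    iam = boto3.client("iam")
    try:
        iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=policy_json(glue_trust_policy()),
        )
    except iam.exceptions.EntityAlreadyExistsException:
        pass  # reuse the existing role, only the inline policy is (re)written
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=policy_json(build_connection_policy()),
    )


if __name__ == "__main__":
    text = policy_json(build_connection_policy())
    print(text)
    print("allows:", validate_policy_document(text))
```

Run it with no arguments to print and check the document; call attach_to_role("MyGlueConnectionRole") from a session with IAM permissions to apply it. Validating the serialized document before it reaches put_role_policy is the point: a dropped comma between two actions is a JSON error that the API would reject, and this reports it locally.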

If you don't want to create a custom policy, you can instead attach one of the following managed IAM policies. Each of them grants considerably broader permissions than the five actions above, so prefer the scoped policy wherever it is sufficient:

  • AWSGlueServiceRole – Grants access to resources that various Amazon Glue processes require to run on your behalf. These resources include Amazon Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, Amazon Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.

  • AWSGlueConsoleFullAccess – Grants full access to Amazon Glue resources when an identity that the policy is attached to uses the Amazon Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console.

  • SecretsManagerReadWrite – Provides read/write access to Amazon Secrets Manager via the Amazon Management Console. Note: this excludes IAM actions, so combine with IAMFullAccess if rotation configuration is required.