
Setting up IAM permissions for Amazon Glue

The instructions in this topic help you quickly set up Amazon Identity and Access Management (IAM) permissions for Amazon Glue. You will complete the following tasks:

  • Grant your IAM identities access to Amazon Glue resources.

  • Create a service role for running jobs, accessing data, and running Amazon Glue Data Quality tasks.

For detailed instructions that you can use to customize IAM permissions for Amazon Glue, see Configuring IAM permissions for Amazon Glue.

To set up IAM permissions for Amazon Glue in the Amazon Web Services Management Console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon Glue console at https://console.amazonaws.cn/glue/.

  2. Choose Getting started.

  3. Under Prepare your account for Amazon Glue, choose Set up IAM permissions.

  4. Choose the IAM identities (roles or users) that you want to give Amazon Glue permissions to. Amazon Glue attaches the AWSGlueConsoleFullAccess managed policy to these identities. You can skip this step if you want to set these permissions manually or only want to set a default service role.

  5. Choose Next.

  6. Choose the level of Amazon S3 access that your roles and users need. The options that you choose in this step are applied to all of the identities that you selected.

    1. Under Choose S3 locations, choose the Amazon S3 locations that you want to grant access to.

    2. Next, select whether your identities should have Read only (recommended) or Read and write access to the locations that you previously selected. Amazon Glue adds permissions policies to your identities based on the combination of locations and read or write permissions you select.

      The following list shows the permissions that Amazon Glue attaches for each Amazon S3 access option.

      • If you choose No change: Amazon Glue attaches no permissions and won't make any changes to your identity's permissions.

      • If you choose Grant access to specific Amazon S3 locations (read only): Amazon Glue attaches an inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide.

        Amazon Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-specific-access-123456780123.

        The following is an example of an inline policy that Amazon Glue attaches to grant read-only access to a specified Amazon S3 location.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*"
              ],
              "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
              ]
            }
          ]
        }

      • If you choose Grant access to specific Amazon S3 locations (read and write): Amazon Glue attaches an inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide.

        Amazon Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-and-write-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-and-write-specific-access-123456780123.

        The following is an example of an inline policy that Amazon Glue attaches to grant read and write access to specified Amazon S3 locations.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:*Object*"
              ],
              "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
              ]
            }
          ]
        }

      • If you choose Grant full access to Amazon S3 (read only): Amazon Glue attaches the AmazonS3ReadOnlyAccess managed IAM policy. To learn more, see Amazon managed policy: AmazonS3ReadOnlyAccess.

      • If you choose Grant full access to Amazon S3 (read and write): Amazon Glue attaches the AmazonS3FullAccess managed IAM policy. To learn more, see Amazon managed policy: AmazonS3FullAccess.
  7. Choose Next.

  8. Choose a default Amazon Glue service role for your account. A service role is an IAM role that Amazon Glue uses to access resources in other Amazon services on your behalf. For more information, see Service roles for Amazon Glue.

    • When you choose the standard Amazon Glue service role, Amazon Glue creates a new IAM role in your Amazon Web Services account named AWSGlueServiceRole with the following managed policies attached. If your account already has an IAM role named AWSGlueServiceRole, Amazon Glue attaches these policies to the existing role.

    • When you choose an existing IAM role, Amazon Glue sets the role as the default, but doesn't add any permissions to it. Ensure that you've configured the role to use as a service role for Amazon Glue. For more information, see Step 1: Create an IAM policy for the Amazon Glue service and Step 2: Create an IAM role for Amazon Glue.

  9. Choose Next.

  10. Finally, review the permissions you've selected and then choose Apply changes. When you apply the changes, Amazon Glue adds IAM permissions to the identities that you selected. You can view or modify the new permissions in the IAM console at https://console.amazonaws.cn/iam/.

You've now completed the minimum IAM permissions setup for Amazon Glue. In a production environment, we recommend that you familiarize yourself with Security in Amazon Glue and Identity and access management for Amazon Glue to help you secure Amazon resources for your use case.
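As an added example that is not part of the Amazon Glue documentation, the following Python audits an inline policy of the kind the console attaches: it checks the policy name against the naming convention above, decides from the policy's Allow statements whether it really is read-only or read-and-write on Amazon S3, and lists the S3 ARNs it covers. The two policy documents from the table are embedded as constructed input; the probe action list and the function names are assumptions of this example.

```python
# Added example (not from the Amazon Glue docs): audit a Glue console inline
# policy and check that its name's "read"/"read-and-write" matches what it grants.
import fnmatch
import json
import re

# Naming convention from the setup page; the trailing UUID is matched loosely.
INLINE_NAME_RE = re.compile(
    r"^AWSGlueConsole(Role|User)InlinePolicy-(read|read-and-write)-specific-access-.+$"
)
# Probe actions used to detect write access (constructed, deliberately small list).
S3_WRITE_PROBES = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy")

# Constructed inputs copied from the policy examples above.
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]})
READ_WRITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:*Object*"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*",
                 "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"]}]})

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def allowed_probes(policy, probes):
    """Return the probe actions that some Allow statement permits (IAM '*' wildcards)."""
    hits = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            hits.update(p for p in probes if fnmatch.fnmatchcase(p.lower(), pattern.lower()))
    return sorted(hits)

def s3_resources(policy):
    """Collect every S3 ARN named in the policy's statements."""
    arns = {r for s in policy.get("Statement", []) for r in _as_list(s.get("Resource"))}
    return sorted(a for a in arns if a.startswith("arn:aws:s3:::"))

def classify_inline_policy(name, policy_json):
    """Classify a Glue-attached inline policy and flag a name/content mismatch."""
    policy = json.loads(policy_json)
    m = INLINE_NAME_RE.match(name)
    writes = allowed_probes(policy, S3_WRITE_PROBES)
    effective = "read-and-write" if writes else "read-only"
    declared = {"read": "read-only", "read-and-write": "read-and-write"}[m.group(2)] if m else None
    return {"glue_named": bool(m), "declared": declared, "effective": effective,
            "mismatch": declared is not None and declared != effective,
            "write_actions": writes, "buckets": s3_resources(policy)}
```

A mismatch result means the policy grants more (or less) than its name claims, which is the case worth reviewing in the IAM console after applying the changes.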

Next steps

Now that you have IAM permissions set up, you can explore the following topics to get started using Amazon Glue: