Identity-based policies (IAM policies) for access control - Amazon Glue
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Identity-based policies (IAM policies) for access control

Identity-based policies are attached to an IAM identity (user, group, role, or service). This type of policy grants permissions for that IAM identity to access specified resources.

Amazon Glue supports identity-based policies (IAM policies) for all Amazon Glue operations. By attaching a policy to a user or a group in your account, you can grant them permissions to create, access, or modify an Amazon Glue resource, such as a table in the Amazon Glue Data Catalog.

By attaching a policy to an IAM role, you can grant cross-account access permissions to IAM identities in other Amazon accounts. For more information, see Granting cross-account access.

Identity-based policy examples

The following is an example identity-based policy that grants permissions for the Amazon Glue actions glue:GetTable, GetTables, GetDatabase, and GetDatabases. The wildcard character (*) in the Resource value means that you are granting these actions permission to obtain the names and details of all tables and databases in the Data Catalog. If the user also has access to other catalogs through a resource policy, the user is given access to those resources too.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetTables",
      "Effect": "Allow",
      "Action": [
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetDatabase",
        "glue:GetDatabases"
      ],
      "Resource": "*"
    }
  ]
}

Here is another example, targeting the us-west-2 Region and using a placeholder for the specific Amazon account number.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetTablesActionOnBooks",
      "Effect": "Allow",
      "Action": [
        "glue:GetTable",
        "glue:GetTables"
      ],
      "Resource": [
        "arn:aws:glue:us-west-2:123456789012:catalog",
        "arn:aws:glue:us-west-2:123456789012:database/db1",
        "arn:aws:glue:us-west-2:123456789012:table/db1/books"
      ]
    }
  ]
}

This policy grants read-only permission to a table named books in the database named db1. Notice that to grant Get permission on a table, permission on the catalog and database resources is also required.

To deny access to a table, create a policy that denies the user access to the table, or to its parent database or catalog. This lets you deny access to a specific resource in a way that cannot be circumvented by a subsequent Allow permission. For example, if you deny access to table books in database db1 and then grant access to database db1, access to table books is still denied. The following is an example identity-based policy that denies permissions for the Amazon Glue actions glue:GetTables and glue:GetTable on database db1 and all of the tables within it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyGetTablesToDb1",
      "Effect": "Deny",
      "Action": [
        "glue:GetTables",
        "glue:GetTable"
      ],
      "Resource": [
        "arn:aws:glue:us-west-2:123456789012:database/db1"
      ]
    }
  ]
}
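The following is an added example (not code from the AWS documentation) that models the evaluation rules described above: a GetTable call is checked against the catalog, database and table ARNs it touches, every one of them needs an Allow, and an explicit Deny on any of them (such as the parent database) wins. It also shows why an action without ARN support, which IAM evaluates against the resource "*", is only matched by a statement whose Resource is "*". The account ID, Region and policy contents are the placeholders used on this page; the evaluator itself is a simplification (no conditions, no resource policies).

```python
# Added example, not from the AWS documentation: a minimal model of the Glue Data
# Catalog permission checks. A GetTable call is evaluated against the catalog,
# database and table ARNs it touches; every one must be allowed and none may be
# explicitly denied. Account, Region and names are placeholders from the page.
from fnmatch import fnmatch

ACCOUNT, REGION = "123456789012", "us-west-2"   # placeholder values from the page

def glue_arn(kind, path=""):
    """Build a Data Catalog ARN, e.g. arn:aws:glue:us-west-2:123456789012:table/db1/books."""
    base = f"arn:aws:glue:{REGION}:{ACCOUNT}:{kind}"
    return f"{base}/{path}" if path else base

def get_table_arns(db, table):
    """GetTable on db/table is checked against the catalog, the database and the table."""
    return [glue_arn("catalog"), glue_arn("database", db), glue_arn("table", f"{db}/{table}")]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, arn):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards in both fields.
    return (any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatch(arn, r) for r in _as_list(stmt["Resource"])))

def is_allowed(policies, action, arns):
    """Explicit Deny on any touched ARN wins; otherwise each touched ARN needs an Allow."""
    stmts = [s for p in policies for s in p["Statement"]]
    for arn in arns:
        if any(s["Effect"] == "Deny" and _matches(s, action, arn) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and _matches(s, action, arn) for s in stmts):
            return False
    return True

# The two policies from this section, plus a table-only policy for contrast.
READ_BOOKS = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["glue:GetTable", "glue:GetTables"],
    "Resource": [glue_arn("catalog"), glue_arn("database", "db1"), glue_arn("table", "db1/books")]}]}
TABLE_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "glue:GetTable", "Resource": glue_arn("table", "db1/books")}]}
DENY_DB1 = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "Action": ["glue:GetTables", "glue:GetTable"], "Resource": [glue_arn("database", "db1")]}]}

if __name__ == "__main__":
    arns = get_table_arns("db1", "books")
    print(is_allowed([READ_BOOKS], "glue:GetTable", arns))             # True
    print(is_allowed([TABLE_ONLY], "glue:GetTable", arns))             # False: no catalog/database grant
    print(is_allowed([READ_BOOKS, DENY_DB1], "glue:GetTable", arns))   # False: Deny on parent database wins
    # Actions without resource-level support (e.g. GetClassifier) are evaluated against "*".
    print(is_allowed([READ_BOOKS], "glue:GetClassifier", ["*"]))       # False
```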

For more policy examples, see Identity-based policy examples.

Identity-based policies (IAM policies) with tags

You can also control access to certain types of Amazon Glue resources using Amazon tags. For more information about tags in Amazon Glue, see Amazon tags.

You can use the Condition element along with the glue:resourceTag context key in an IAM user policy to allow or deny access based on keys associated with crawlers, jobs, triggers, and development endpoints. For example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "glue:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "glue:resourceTag/Name": "Tom"
        }
      }
    }
  ]
}

Important

The condition context keys apply only to those Amazon Glue API actions on crawlers, jobs, triggers, and development endpoints. For more information about which APIs are affected, see Amazon Glue API permissions: Actions and resources reference.

For information about how to control access using tags, see Examples of Amazon Glue identity-based (IAM) access control policies with tags.

Identity-based policies (IAM policies) that control settings using condition keys or context keys

You can use condition keys or context keys when granting permissions to create and update jobs. The following sections discuss these keys:

IAM policies that control settings using condition keys

Amazon Glue provides three IAM condition keys: glue:VpcIds, glue:SubnetIds, and glue:SecurityGroupIds. You can use these condition keys in IAM policies when granting permissions to create and update jobs, to ensure that jobs are not created (or updated) to run outside of a desired VPC environment. The VPC setting information is not a direct input of the CreateJob request; it is inferred from the job's "connections" field, which points to an Amazon Glue connection.

Example usage

Create an Amazon Glue Network type connection named "traffic-monitored-connection" with the desired VpcId "vpc-id1234", SubnetIds, and SecurityGroupIds.

Specify the condition key in the Condition element of the statement that allows the CreateJob and UpdateJob actions in the IAM policy.

{
  "Effect": "Allow",
  "Action": [
    "glue:CreateJob",
    "glue:UpdateJob"
  ],
  "Resource": [
    "*"
  ],
  "Condition": {
    "ForAnyValue:StringLike": {
      "glue:VpcIds": [
        "vpc-id1234"
      ]
    }
  }
}

You can create a similar IAM policy to prohibit creating an Amazon Glue job without specifying connection information.

IAM policies that control settings using context keys

Amazon Glue provides a context key (glue:CredentialIssuingService=glue.amazonaws.com) to each role session that Amazon Glue makes available to a job or development endpoint. This lets you implement security controls for the actions taken by Amazon Glue scripts. Amazon Glue provides another context key (glue:RoleAssumedBy=glue.amazonaws.com) to each role session where Amazon Glue makes a call to another Amazon service on the customer's behalf (not by a job or development endpoint, but directly by the Amazon Glue service).

Example usage

Specify the conditional permission in an IAM policy and attach it to the role used by an Amazon Glue job. This ensures that certain actions are allowed or denied based on whether the role session is used in an Amazon Glue job execution environment.

{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::confidential-bucket/*",
  "Condition": {
    "StringEquals": {
      "glue:CredentialIssuingService": "glue.amazonaws.com"
    }
  }
}
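The following added example (not code from the AWS documentation) evaluates the Condition blocks of the two statements above against a constructed request context, covering both the multi-valued glue:VpcIds key (which needs a set operator such as ForAnyValue) and the single-valued glue:CredentialIssuingService context key. It also shows why ForAnyValue is the right choice on an Allow: a job with no connection contributes no VpcIds and is therefore refused, whereas ForAllValues would match vacuously. The request contexts and the helper names are assumptions made for this example.

```python
# Added example, not from the AWS documentation: evaluates the Condition blocks of
# the two policies above against a request context using IAM's operators. glue:VpcIds
# is multi-valued (inferred from the job's connections) and needs a ForAnyValue set
# operator; glue:CredentialIssuingService is single-valued. Context values are constructed.
from fnmatch import fnmatch

def _values(context, key):
    v = context.get(key)
    return [] if v is None else (list(v) if isinstance(v, (list, tuple, set)) else [v])

def _op(name, actual, expected):
    if name == "StringEquals":
        return actual == expected
    if name == "StringLike":                      # '*' and '?' wildcards
        return fnmatch(actual, expected)
    raise ValueError(f"unsupported operator {name}")

def condition_matches(condition, context):
    """True only when every operator/key pair in the Condition block holds."""
    for op, pairs in condition.items():
        qualifier, _, base = op.rpartition(":")   # "ForAnyValue:StringLike" -> ("ForAnyValue", "StringLike")
        for key, expected in pairs.items():
            patterns = expected if isinstance(expected, list) else [expected]
            actual = _values(context, key)
            hits = [any(_op(base, a, p) for p in patterns) for a in actual]
            if qualifier == "ForAnyValue":
                ok = any(hits)                    # key absent or empty -> False
            elif qualifier == "ForAllValues":
                ok = all(hits)                    # key absent or empty -> vacuously True (IAM pitfall)
            else:
                ok = len(actual) == 1 and hits[0] # single-valued operator; absent key -> False
            if not ok:
                return False
    return True

# Condition blocks copied from the two statements in this section.
VPC_CONDITION = {"ForAnyValue:StringLike": {"glue:VpcIds": ["vpc-id1234"]}}
GLUE_SESSION_CONDITION = {"StringEquals": {"glue:CredentialIssuingService": "glue.amazonaws.com"}}

def create_job_allowed(connection_vpc_ids):
    """CreateJob/UpdateJob: glue:VpcIds is filled from the connections the job references."""
    return condition_matches(VPC_CONDITION, {"glue:VpcIds": connection_vpc_ids})

def s3_get_allowed(session_context):
    """s3:GetObject on confidential-bucket: only from a role session issued by Glue."""
    return condition_matches(GLUE_SESSION_CONDITION, session_context)

if __name__ == "__main__":
    print(create_job_allowed(["vpc-id1234"]))   # True
    print(create_job_allowed([]))               # False: job with no connection has no VpcIds
    print(s3_get_allowed({}))                   # False: same role assumed outside a Glue job
```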

Resource-level permissions only apply to specific Amazon Glue objects

You can only define fine-grained control for specific objects in Amazon Glue. Therefore, you must write your client's IAM policy so that API operations that allow Amazon Resource Names (ARNs) in the Resource element are not mixed with API operations that don't allow ARNs. For example, the following IAM policy allows the GetClassifier and GetJobRun API operations. It defines the Resource as * because Amazon Glue doesn't allow ARNs for classifiers and job runs. Because ARNs are allowed for specific API operations such as GetDatabase and GetTable, ARNs can be specified in the second statement of the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetClassifier*",
        "glue:GetJobRun*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:Get*"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:123456789012:catalog",
        "arn:aws:glue:us-east-1:123456789012:database/default",
        "arn:aws:glue:us-east-1:123456789012:table/default/e*1*",
        "arn:aws:glue:us-east-1:123456789012:connection/connection2"
      ]
    }
  ]
}

For a list of Amazon Glue objects that allow ARNs, see Resource ARNs.

Permissions required to use the Amazon Glue Console

For a user to work with the Amazon Glue console, that user must have a minimum set of permissions that allows them to work with the Amazon Glue resources for their Amazon account. In addition to these Amazon Glue permissions, the console requires permissions from the following services:

  • Amazon CloudWatch Logs permissions to display logs.

  • Amazon Identity and Access Management (IAM) permissions to list and pass roles.

  • Amazon CloudFormation permissions to work with stacks.

  • Amazon Elastic Compute Cloud (Amazon EC2) permissions to list VPCs, subnets, security groups, instances, and other objects.

  • Amazon Simple Storage Service (Amazon S3) permissions to list buckets and objects, and to retrieve and save scripts.

  • Amazon Redshift permissions to work with clusters.

  • Amazon Relational Database Service (Amazon RDS) permissions to list instances.

For more information about the permissions that users require to view and work with the Amazon Glue console, see Step 3: Attach a policy to IAM users that access Amazon Glue.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the Amazon Glue console, also attach the AWSGlueConsoleFullAccess managed policy to the user, as described in Amazon managed (predefined) policies for Amazon Glue.

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon Glue API.

Amazon managed (predefined) policies for Amazon Glue

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. These Amazon managed policies grant necessary permissions for common use cases so that you can avoid having to investigate what permissions are needed. For more information, see Amazon Managed Policies in the IAM User Guide.

The following Amazon managed policies, which you can attach to users in your account, are specific to Amazon Glue and are grouped by use case scenario:

  • AWSGlueConsoleFullAccess – Grants full access to Amazon Glue resources when using the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console.

  • AWSGlueServiceRole – Grants access to resources that various Amazon Glue processes require to run on your behalf. These resources include Amazon Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, Amazon Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.

  • AwsGlueSessionUserRestrictedServiceRole – Provides full access to all Amazon Glue resources except for sessions. Allows users to create and use only the interactive sessions that are associated with the user. This policy also includes other permissions needed by Amazon Glue to manage Glue resources in other Amazon services. The policy also allows adding tags to Amazon Glue resources in other Amazon services.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedPolicy – Provides access to create Amazon Glue interactive sessions using the CreateSession API only if a tag key “owner” and a value matching the assignee's Amazon user ID is provided. This identity policy is attached to the IAM user that invokes the CreateSession API. This policy also permits the assignee to interact with the Amazon Glue interactive session resources that were created with an “owner” tag and a value matching their Amazon user ID. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created.

    Note

    To achieve the full security benefits, do not grant this policy to a user that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookServiceRole – Provides sufficient access to the Amazon Glue Studio Notebook session to interact with the Amazon Glue interactive session resources that are created with the “owner” tag value matching the Amazon user ID of the principal (IAM user or role) that creates the Notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This service-role policy is attached to the role that is specified with a magic statement within the notebook or passed as a role to the CreateSession API. This policy also permits the principal to create an Amazon Glue interactive session from the Amazon Glue Studio Notebook interface only if a tag key “owner” with a value matching the Amazon user ID of the principal is provided. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created. This policy also includes permissions for writing to and reading from Amazon S3 buckets, writing CloudWatch logs, and creating and deleting tags for Amazon EC2 resources used by Amazon Glue.

    Note

    To achieve the full security benefits, do not grant this policy to a role that was assigned the AWSGlueServiceRole, AWSGlueConsoleFullAccess, or AWSGlueConsoleSageMakerNotebookFullAccess policy.

  • AwsGlueSessionUserRestrictedNotebookPolicy – Provides access to create an Amazon Glue interactive session from the Amazon Glue Studio Notebook interface only if there is a tag key “owner” with a value matching the Amazon user ID of the principal (IAM user or role) that creates the Notebook. For more information about these tags, see the Principal key values chart in the IAM User Guide.

    This policy is attached to the principal (IAM user or role) that creates sessions from the Amazon Glue Studio Notebook interface. This policy also permits sufficient access to the Amazon Glue Studio Notebook to interact with the Amazon Glue interactive session resources that are created with the “owner” tag value matching the Amazon user id of the principal. This policy denies permission to change or remove "owner" tags from an Amazon Glue session resource after the session is created.

  • AWSGlueServiceNotebookRole – Grants access to Amazon Glue sessions started in a notebook created in Amazon Glue Studio. This policy allows listing and getting session information for all sessions, but only permits users to create and use the sessions tagged with their Amazon user id. This policy denies permission to change or remove “owner” tags from Amazon Glue session resources tagged with their Amazon id.

    Assign this policy to the Amazon user who creates jobs using the notebook interface in Amazon Glue Studio.

  • AWSGlueConsoleSageMakerNotebookFullAccess – Grants full access to Amazon Glue and SageMaker resources when using the Amazon Web Services Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console who manage SageMaker notebooks.

  • AWSGlueSchemaRegistryFullAccess – Grants full access to Amazon Glue Schema Registry resources when using the Amazon Web Services Management Console or Amazon CLI. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console or Amazon CLI who manage Schema Registry.

  • AWSGlueSchemaRegistryReadonlyAccess – Grants read-only access to Amazon Glue Schema Registry resources when using the Amazon Web Services Management Console or Amazon CLI. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the Amazon Glue console or Amazon CLI who use Schema Registry.

Note

You can review these permissions policies by signing in to the IAM console and searching for specific policies there.

You can also create your own custom IAM policies to allow permissions for Amazon Glue actions and resources. You can attach these custom policies to the IAM users or groups that require those permissions.

Amazon Glue updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon Glue since this service began tracking these changes. For automatic alerts about these updates, subscribe to the RSS feed on the Amazon Glue Document history page.

Change: New managed policies added for the Interactive Sessions feature

Description: The following policies were added:

  • AwsGlueSessionUserRestrictedServiceRole

  • AwsGlueSessionUserRestrictedPolicy

  • AwsGlueSessionUserRestrictedNotebookServiceRole

  • AwsGlueSessionUserRestrictedNotebookPolicy

  These policies were designed to provide additional security for interactive sessions and notebooks in Amazon Glue Studio. The policies restrict access to the CreateSession API so that only the owner has access.

Date: November 30, 2021

Change: AWSGlueConsoleSageMakerNotebookFullAccess – Update to an existing policy

Description: Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that Amazon Glue uses to store scripts and temporary files. Fixed a syntax issue by changing "StringEquals" to "ForAnyValue:StringLike", and moved the "Effect": "Allow" lines to precede the "Action": line in each place where they were out of order.

Date: July 15, 2021

Change: AWSGlueConsoleFullAccess – Update to an existing policy

Description: Removed a redundant resource ARN (arn:aws:s3:::aws-glue-*/*) for the action that grants read/write permissions on Amazon S3 buckets that Amazon Glue uses to store scripts and temporary files.

Date: July 15, 2021

Change: Amazon Glue started tracking changes

Description: Amazon Glue started tracking changes for its Amazon managed policies.

Date: June 10, 2021