
Getting started with trusted identity propagation in Amazon Glue ETL

This section helps you configure Amazon Glue interactive sessions to integrate with IAM Identity Center and enable trusted identity propagation.

Prerequisites

Permissions needed to connect Amazon Glue ETL with IAM Identity Center

Create an IAM role

The role that creates the IAM Identity Center connection requires permissions to create and modify the application configuration in both Amazon Glue and IAM Identity Center, as in the following inline policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateGlueIdentityCenterConfiguration",
                "sso:CreateApplication",
                "sso:PutApplicationAssignmentConfiguration",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:PutApplicationAccessScope",
                "sso:ListInstances"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

The following inline policies contain the specific permissions required to view, update, and delete properties of the Amazon Glue integration with IAM Identity Center.

Use the following inline policy to allow an IAM role to view an Amazon Glue integration with IAM Identity Center.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetGlueIdentityCenterConfiguration"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Use the following inline policy to allow an IAM role to update an Amazon Glue integration with IAM Identity Center.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:UpdateGlueIdentityCenterConfiguration",
                "sso:PutApplicationAccessScope",
                "sso:DeleteApplicationAccessScope"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Use the following inline policy to allow an IAM role to delete an Amazon Glue integration with IAM Identity Center.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:DeleteGlueIdentityCenterConfiguration",
                "sso:DeleteApplication"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Permissions description

  • glue:CreateGlueIdentityCenterConfiguration – Grants permission to create the Amazon Glue IAM Identity Center (IdC) configuration.

  • glue:GetGlueIdentityCenterConfiguration – Grants permission to get an existing Amazon Glue IdC configuration.

  • glue:DeleteGlueIdentityCenterConfiguration – Grants permission to delete an existing Amazon Glue IdC configuration.

  • glue:UpdateGlueIdentityCenterConfiguration – Grants permission to update an existing Amazon Glue IdC configuration.

  • sso:CreateApplication – Grants permission to create an Amazon Glue managed IAM Identity Center application.

  • sso:DescribeApplication – Grants permission to describe an Amazon Glue managed IAM Identity Center application.

  • sso:DeleteApplication – Grants permission to delete an Amazon Glue managed IAM Identity Center application.

  • sso:UpdateApplication – Grants permission to update an Amazon Glue managed IAM Identity Center application.

  • sso:PutApplicationGrant – Grants permission to apply the token-exchange, introspectToken, refreshToken, and RevokeToken grants on the IdC application.

  • sso:PutApplicationAuthenticationMethod – Grants permission to put an authenticationMethod on the Amazon Glue managed IdC application, which allows the Amazon Glue service principal to interact with the IdC application.

  • sso:PutApplicationAccessScope – Grants permission to add or update the list of authorized downstream service scopes on the Amazon Glue managed IdC application.

  • sso:DeleteApplicationAccessScope – Grants permission to delete downstream scopes when a scope is removed from the Amazon Glue managed IdC application.

  • sso:PutApplicationAssignmentConfiguration – Grants permission to set the "User-assignment-not-required" setting on the IdC application.

  • sso:ListInstances – Grants permission to list instances and validate the IdC InstanceArn that you specify in the identity-center-configuration parameter.

Connecting Amazon Glue with IAM Identity Center

When Amazon Glue is connected to IAM Identity Center, it creates a single managed IdC application per account. The following example shows how to connect Amazon Glue with IAM Identity Center:

aws glue create-glue-identity-center-configuration \
    --instance-arn arn:aws:sso:::instance/ssoins-123456789 \
    --scopes '["s3:access_grants:read_write", "redshift:connect", "lakeformation:query"]'

To update the scopes of the managed application (usually done to propagate identity to more downstream services), use:

aws glue update-glue-identity-center-configuration \
    --scopes '["s3:access_grants:read_write", "redshift:connect", "lakeformation:query"]'

The --scopes parameter is optional; if it is omitted, all supported scopes are added. The supported values are s3:access_grants:read_write, redshift:connect, and lakeformation:query.

To get the details of the configuration, use:

aws glue get-glue-identity-center-configuration

You can delete the connection between Amazon Glue and IAM Identity Center by using the following command:

aws glue delete-glue-identity-center-configuration
Note

Amazon Glue creates a service-managed Identity Center application in your account that the service uses for identity validation and for identity propagation to downstream services. This Amazon Glue managed Identity Center application is shared across all trusted-identity-propagation sessions in your account.

Warning: Do not manually modify settings on the managed Identity Center application. Any change could affect every trusted-identity-propagation-enabled Amazon Glue interactive session in your account.

Creating an Amazon Glue interactive session with trusted identity propagation enabled

After you connect Amazon Glue with IAM Identity Center, you can use identity-enhanced role credentials to create an Amazon Glue interactive session. You do not need to pass additional parameters when creating an Amazon Glue 5.0 session. Because Amazon Glue is connected with IAM Identity Center, when it detects identity-enhanced role credentials it automatically propagates the identity information to the downstream services called as part of your statements. However, the runtime role for the session must have the sts:SetContext permission in its trust policy, as shown below.

Runtime Role permissions to propagate identity

Because Amazon Glue sessions use identity-enhanced credentials to propagate identity to downstream Amazon services, the runtime role's trust policy must additionally allow the sts:SetContext action so that identity can be propagated to those services (Amazon S3 Access Grants, Lake Formation, Amazon Redshift). To learn more about how to create a runtime role, see Setting up a runtime role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ]
        }
    ]
}
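A common failure when enabling trusted identity propagation is a runtime role whose trust policy still grants only sts:AssumeRole, or an operator role that is missing one of the sso:* actions listed under Prerequisites. The following offline checker is an added example, not code from the Amazon Glue documentation: it parses a policy document, honours IAM's single-string-or-list fields and action wildcards, and reports which of the required actions (the connect-configuration actions from the first inline policy above, and sts:AssumeRole plus sts:SetContext for the glue.amazonaws.com principal in the trust policy) are not granted. All sample policies in the block are constructed for this example.

```python
"""Offline checker for the two policies this page describes (added example)."""
import fnmatch
import json

# Actions the page lists as required to create the Glue <-> IAM Identity Center connection.
CREATE_CONFIG_ACTIONS = (
    "glue:CreateGlueIdentityCenterConfiguration",
    "sso:CreateApplication",
    "sso:PutApplicationAssignmentConfiguration",
    "sso:PutApplicationAuthenticationMethod",
    "sso:PutApplicationGrant",
    "sso:PutApplicationAccessScope",
    "sso:ListInstances",
)

# Actions the runtime role's trust policy must grant the Glue service principal.
RUNTIME_TRUST_ACTIONS = ("sts:AssumeRole", "sts:SetContext")
GLUE_SERVICE_PRINCIPAL = "glue.amazonaws.com"


def _as_list(value):
    """IAM accepts either a single string or a list in Action, Principal.Service, etc."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def allowed_actions(policy, principal_service=None):
    """Collect actions granted by Allow statements; wildcard patterns are kept as-is.

    In trust-policy mode (principal_service given), only statements whose
    Principal.Service names that service count. A non-dict Principal such as
    "*" is deliberately not treated as the Glue service principal.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_service is not None:
            principal = stmt.get("Principal")
            services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
            if principal_service not in services:
                continue
        granted.update(_as_list(stmt.get("Action")))
    return granted


def missing_actions(policy, required, principal_service=None):
    """Return the required actions that no Allow statement covers, in the order given.

    IAM matches action names case-insensitively and treats '*' in Action as a
    wildcard, so "glue:*" satisfies glue:GetGlueIdentityCenterConfiguration.
    """
    granted = allowed_actions(policy, principal_service)
    return [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower()) for pattern in granted)
    ]


# Constructed sample: the page's connect policy with sso:ListInstances left out.
SAMPLE_CONNECT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "glue:CreateGlueIdentityCenterConfiguration",
      "sso:CreateApplication",
      "sso:PutApplicationAssignmentConfiguration",
      "sso:PutApplicationAuthenticationMethod",
      "sso:PutApplicationGrant",
      "sso:PutApplicationAccessScope"
    ],
    "Resource": ["*"]
  }]
}
""")

# Constructed sample: a pre-existing Glue runtime role trust policy (AssumeRole only).
SAMPLE_TRUST_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed sample: the trust policy shown on this page, with sts:SetContext added.
SAMPLE_TRUST_POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
                   "Action": ["sts:AssumeRole", "sts:SetContext"]}],
}


def check_samples():
    """Run the checks over the constructed samples; each value lists the missing actions."""
    return {
        "connect_policy": missing_actions(SAMPLE_CONNECT_POLICY, CREATE_CONFIG_ACTIONS),
        "trust_policy_before": missing_actions(
            SAMPLE_TRUST_POLICY_BEFORE, RUNTIME_TRUST_ACTIONS, GLUE_SERVICE_PRINCIPAL),
        "trust_policy_after": missing_actions(
            SAMPLE_TRUST_POLICY_AFTER, RUNTIME_TRUST_ACTIONS, GLUE_SERVICE_PRINCIPAL),
    }


if __name__ == "__main__":
    for name, missing in check_samples().items():
        print(f"{name}: {'missing ' + ', '.join(missing) if missing else 'ok'}")
```

To use it against a real role, feed the output of aws iam get-role (the AssumeRolePolicyDocument field) to missing_actions with RUNTIME_TRUST_ACTIONS and GLUE_SERVICE_PRINCIPAL; an empty list means the trust policy matches what this page requires. The checker only looks at Allow statements, so an explicit Deny elsewhere, a permissions boundary, or an SCP can still block an action it reports as granted.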

Additionally, the runtime role needs permissions for the downstream Amazon services that the job run invokes to fetch data using the user's identity. See the following links to configure Amazon S3 Access Grants and Lake Formation: