Setting up IAM permissions for AWS Glue

The instructions in this topic help you quickly set up AWS Identity and Access Management (IAM) permissions for AWS Glue. You will complete the following tasks:

  • Grant your IAM identities access to AWS Glue resources.

  • Create a service role for running jobs, accessing data, and running AWS Glue Data Quality tasks.

For detailed instructions that you can use to customize IAM permissions for AWS Glue, see Configuring IAM permissions for AWS Glue.

To set up IAM permissions for AWS Glue in the AWS Management Console
  1. Sign in to the AWS Management Console and open the AWS Glue console at https://console.aws.amazon.com/glue/.

  2. Choose Getting started.

  3. Under Prepare your account for AWS Glue, choose Set up IAM permissions.

  4. Choose the IAM identities (roles or users) that you want to give AWS Glue permissions to. AWS Glue attaches the AWSGlueConsoleFullAccess managed policy to these identities. You can skip this step if you want to set these permissions manually or only want to set a default service role.

  5. Choose Next.

  6. Choose the level of Amazon S3 access that your roles and users need. The options that you choose in this step are applied to all of the identities that you selected.

    1. Under Choose S3 locations, choose the Amazon S3 locations that you want to grant access to.

    2. Next, select whether your identities should have Read only (recommended) or Read and write access to the locations that you previously selected. AWS Glue adds permissions policies to your identities based on the combination of locations and read or write permissions you select.

      The following table displays the permissions that AWS Glue attaches for Amazon S3 access.

      Option: No change
      AWS Glue attaches: No permissions. AWS Glue won't make any changes to your identity's permissions.

      Option: Grant access to specific Amazon S3 locations (read only)
      AWS Glue attaches: An inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide.

      AWS Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-specific-access-123456780123.

      The following is an example of an inline policy that AWS Glue attaches to grant read-only access to a specified Amazon S3 location.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*"
            ],
            "Resource": [
              "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ]
          }
        ]
      }

      Option: Grant access to specific Amazon S3 locations (read and write)
      AWS Glue attaches: An inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide.

      AWS Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-and-write-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-and-write-specific-access-123456780123.

      The following is an example of an inline policy that AWS Glue attaches to grant read and write access to specified Amazon S3 locations.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:Get*",
              "s3:List*",
              "s3:*Object*"
            ],
            "Resource": [
              "arn:aws:s3:::DOC-EXAMPLE-BUCKET1/*",
              "arn:aws:s3:::DOC-EXAMPLE-BUCKET2/*"
            ]
          }
        ]
      }

      Option: Grant full access to Amazon S3 (read only)
      AWS Glue attaches: The AmazonS3ReadOnlyAccess managed IAM policy. To learn more, see AWS managed policy: AmazonS3ReadOnlyAccess.

      Option: Grant full access to Amazon S3 (read and write)
      AWS Glue attaches: The AmazonS3FullAccess managed IAM policy. To learn more, see AWS managed policy: AmazonS3FullAccess.
  7. Choose Next.

  8. Choose a default AWS Glue service role for your account. A service role is an IAM role that AWS Glue uses to access resources in other AWS services on your behalf. For more information, see Service roles for AWS Glue.

    • When you choose the standard AWS Glue service role, AWS Glue creates a new IAM role in your AWS account named AWSGlueServiceRole with the following managed policies attached. If your account already has an IAM role named AWSGlueServiceRole, AWS Glue attaches these policies to the existing role.

    • When you choose an existing IAM role, AWS Glue sets the role as the default, but doesn't add any permissions to it. Ensure that you've configured the role to use as a service role for AWS Glue. For more information, see Step 1: Create an IAM policy for the AWS Glue service and Step 2: Create an IAM role for AWS Glue.

  9. Choose Next.

  10. Finally, review the permissions you've selected and then choose Apply changes. When you apply the changes, AWS Glue adds IAM permissions to the identities that you selected. You can view or modify the new permissions in the IAM console at https://console.aws.amazon.com/iam/.
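Once the console has attached its inline S3 policies, a reviewer will want to confirm that each policy's name (the AWSGlueConsole<Role/User>InlinePolicy-... convention above) matches what the document actually grants and that the resources are scoped to specific buckets. The following audit function is an added example, not AWS code; `audit_policy`, `WRITE_PROBES` and the finding strings are this example's own names, and the sample documents are the two policies shown in the table.

```python
# Added example (not AWS's code): audit a Glue-console-style inline S3 policy.
# It checks whether the write scope matches what the policy name claims and
# whether the Resource list is scoped to named buckets rather than "*".
import fnmatch
import re

# Naming convention from the page: AWSGlueConsole<Role/User>InlinePolicy-<scope>-<UUID>
NAME_RE = re.compile(
    r"^AWSGlueConsole(?P<identity>Role|User)InlinePolicy-"
    r"(?P<scope>read|read-and-write)-specific-access-(?P<uuid>[0-9A-Za-z-]+)$"
)
# Representative S3 write calls; an action pattern matching any of them grants write.
WRITE_PROBES = ("s3:putobject", "s3:deleteobject", "s3:putbucketpolicy")


def _grants(actions, probe):
    # IAM action matching is case-insensitive and supports "*" wildcards.
    return any(fnmatch.fnmatchcase(probe, a.lower()) for a in actions)


def _bucket_of(arn):
    # "arn:aws:s3:::bucket/prefix/*" -> "bucket"; a bare "*" stays "*".
    return arn.split(":::", 1)[1].split("/", 1)[0] if ":::" in arn else "*"


def _is_bucket_arn(arn):
    return arn == "*" or "/" not in arn.split(":::", 1)[-1]


def audit_policy(name, document):
    """Return identity, claimed scope, effective write grant, buckets and findings."""
    m = NAME_RE.match(name)
    identity, claimed = (m.group("identity"), m.group("scope")) if m else (None, None)
    grants_write, buckets, findings = False, set(), []
    for stmt in document.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        grants_write |= any(_grants(actions, p) for p in WRITE_PROBES)
        buckets.update(_bucket_of(r) for r in resources)
        # s3:ListBucket is evaluated against the bucket ARN, not object ARNs,
        # so List* on ".../*" alone does not authorise listing the bucket.
        if _grants(actions, "s3:listbucket") and not any(map(_is_bucket_arn, resources)):
            findings.append("List* granted only on object ARNs; ListBucket needs the bucket ARN")
    if m is None:
        findings.append("name does not follow the Glue console inline-policy convention")
    elif claimed == "read" and grants_write:
        findings.append("name claims read-only but the document grants write actions")
    if any("*" in b for b in buckets):
        findings.append("resource wildcard is not scoped to specific buckets")
    return {"identity": identity, "scope": claimed, "grants_write": grants_write,
            "buckets": sorted(buckets), "findings": findings}
```

Run it against the two sample documents from the table and against a constructed policy whose name claims read-only while its document grants s3:* on "*"; the last case should produce both the scope-mismatch and the wildcard findings.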

You've now completed the minimum IAM permissions setup for AWS Glue. In a production environment, we recommend that you familiarize yourself with Security in AWS Glue and Identity and access management for AWS Glue to help you secure AWS resources for your use case.

Next steps

Now that you have IAM permissions set up, you can explore the following topics to get started using AWS Glue: