AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Glue

AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Glue

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) |
|---|---|---|---|
| BatchCreatePartition | Grants permission to create one or more partitions | Write | |
| BatchDeleteConnection | Grants permission to delete one or more connections | Write | |
| BatchDeletePartition | Grants permission to delete one or more partitions | Write | |
| BatchDeleteTable | Grants permission to delete one or more tables | Write | |
| BatchGetPartition | Grants permission to retrieve one or more partitions | Read | |
| CreateClassifier | Grants permission to create a classifier | Write | |
| CreateConnection | Grants permission to create a connection | Write | |
| CreateCrawler | Grants permission to create a crawler | Write | |
| CreateDatabase | Grants permission to create a database | Write | |
| CreateDevEndpoint | Grants permission to create a development endpoint | Write | |
| CreateJob | Grants permission to create a job | Write | |
| CreatePartition | Grants permission to create a partition | Write | |
| CreateScript | Grants permission to create a script | Write | |
| CreateSecurityConfiguration | Grants permission to create a security configuration | Write | |
| CreateTable | Grants permission to create a table | Write | |
| CreateTrigger | Grants permission to create a trigger | Write | |
| CreateUserDefinedFunction | Grants permission to create a function definition | Write | |
| DeleteClassifier | Grants permission to delete a classifier | Write | |
| DeleteConnection | Grants permission to delete a connection | Write | |
| DeleteCrawler | Grants permission to delete a crawler | Write | |
| DeleteDatabase | Grants permission to delete a database | Write | |
| DeleteDevEndpoint | Grants permission to delete a development endpoint | Write | |
| DeleteJob | Grants permission to delete a job | Write | |
| DeletePartition | Grants permission to delete a partition | Write | |
| DeleteResourcePolicy | Grants permission to delete a resource policy | Write | catalog* |
| DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | |
| DeleteTable | Grants permission to delete a table | Write | |
| DeleteTrigger | Grants permission to delete a trigger | Write | |
| DeleteUserDefinedFunction | Grants permission to delete a function definition | Write | |
| GetCatalogImportStatus | Grants permission to retrieve the catalog import status | Read | |
| GetClassifier | Grants permission to retrieve a classifier | Read | |
| GetClassifiers | Grants permission to list all classifiers | Read | |
| GetConnection | Grants permission to retrieve a connection | Read | |
| GetConnections | Grants permission to retrieve a list of connections | Read | |
| GetCrawler | Grants permission to retrieve a crawler | Read | |
| GetCrawlerMetrics | Grants permission to retrieve metrics about crawlers | Read | |
| GetCrawlers | Grants permission to retrieve all crawlers | Read | |
| GetDataCatalogEncryptionSettings | Grants permission to retrieve catalog encryption settings | Read | |
| GetDatabase | Grants permission to retrieve a database | Read | |
| GetDatabases | Grants permission to retrieve all databases | Read | |
| GetDataflowGraph | Grants permission to transform a script into a directed acyclic graph (DAG) | Read | |
| GetDevEndpoint | Grants permission to retrieve a development endpoint | Read | |
| GetDevEndpoints | Grants permission to retrieve all development endpoints | Read | |
| GetJob | Grants permission to retrieve a job | Read | |
| GetJobRun | Grants permission to retrieve a job run | Read | |
| GetJobRuns | Grants permission to retrieve all job runs of a job | Read | |
| GetJobs | Grants permission to retrieve all current jobs | Read | |
| GetMapping | Grants permission to create a mapping | Write | |
| GetPartition | Grants permission to retrieve a partition | Read | |
| GetPartitions | Grants permission to retrieve the partitions of a table | Read | |
| GetPlan | Grants permission to retrieve a mapping for a script | Read | |
| GetResourcePolicy | Grants permission to retrieve a resource policy | Read | catalog* |
| GetSecurityConfiguration | Grants permission to retrieve a security configuration | Read | |
| GetSecurityConfigurations | Grants permission to retrieve one or more security configurations | Read | |
| GetTable | Grants permission to retrieve a table | Read | |
| GetTableVersions | Grants permission to retrieve a list of versions of a table | Read | |
| GetTables | Grants permission to retrieve the tables in a database | Read | |
| GetTrigger | Grants permission to retrieve a trigger | Read | |
| GetTriggers | Grants permission to retrieve the triggers associated with a job | Read | |
| GetUserDefinedFunction | Grants permission to retrieve a function definition | Read | |
| GetUserDefinedFunctions | Grants permission to retrieve multiple function definitions | Read | |
| ImportCatalogToGlue | Grants permission to import an Athena data catalog into AWS Glue | Write | |
| PutDataCatalogEncryptionSettings | Grants permission to update catalog encryption settings | Write | |
| PutResourcePolicy | Grants permission to update a resource policy | Write | catalog* |
| ResetJobBookmark | Grants permission to reset a job bookmark | Write | |
| StartCrawler | Grants permission to start a crawler | Write | |
| StartCrawlerSchedule | Grants permission to change the schedule state of a crawler to SCHEDULED | Write | |
| StartJobRun | Grants permission to start running a job | Write | |
| StartTrigger | Grants permission to start a trigger | Write | |
| StopCrawler | Grants permission to stop a running crawler | Write | |
| StopCrawlerSchedule | Grants permission to set the schedule state of a crawler to NOT_SCHEDULED | Write | |
| StopTrigger | Grants permission to stop a trigger | Write | |
| UpdateClassifier | Grants permission to update a classifier | Write | |
| UpdateConnection | Grants permission to update a connection | Write | |
| UpdateCrawler | Grants permission to update a crawler | Write | |
| UpdateDatabase | Grants permission to update a database | Write | |
| UpdateDevEndpoint | Grants permission to update a development endpoint | Write | |
| UpdateJob | Grants permission to update a job | Write | |
| UpdatePartition | Grants permission to update a partition | Write | |
| UpdateTable | Grants permission to update a table | Write | |
| UpdateTrigger | Grants permission to update a trigger | Write | |
| UpdateUserDefinedFunction | Grants permission to update a function definition | Write | |

The Condition Keys and Dependent Actions columns are empty for every action in this table. Only DeleteResourcePolicy, GetResourcePolicy and PutResourcePolicy name a required resource type (catalog); the remaining actions list no resource type.

Resources Defined by Glue

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| catalog | arn:${Partition}:glue:${Region}:${Account}:catalog/${CatalogName} | |
| database | arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} | |
| table | arn:${Partition}:glue:${Region}:${Account}:table/${TableName} | |
| partition | arn:${Partition}:glue:${Region}:${Account}:partition/${PartitionName} | |
| tableversion | arn:${Partition}:glue:${Region}:${Account}:tableVersion/${TableVersionName} | |
| connection | arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName} | |
| userdefinedfunction | arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${UserDefinedFunctionName} | |
| devendpoint | arn:${Partition}:glue:${Region}:${Account}:devendpoint/${DevEndpointName} | |

The Condition Keys column is empty for every resource type in this table.
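The following identity-based policy is an added example that is not part of this guide; it shows how the Access Level and Resource Types columns above translate into a least-privilege policy for a principal that only needs to read Data Catalog metadata. Read-level actions that list no resource type are granted on "*", GetResourcePolicy (which requires the catalog resource type) is scoped to the account's Data Catalog ARN, and the two Write-level actions on that same resource are explicitly denied so that no other policy attached to the principal can hand them out. The region (us-east-1) and account ID (111122223333) are placeholders; the catalog ARN is written in the form without a trailing catalog-name segment that the service uses for an account's default catalog.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCatalogMetadata",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetTableVersions",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "glue:GetDataCatalogEncryptionSettings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadCatalogResourcePolicy",
      "Effect": "Allow",
      "Action": "glue:GetResourcePolicy",
      "Resource": "arn:aws:glue:us-east-1:111122223333:catalog"
    },
    {
      "Sid": "DenyResourcePolicyChanges",
      "Effect": "Deny",
      "Action": [
        "glue:PutResourcePolicy",
        "glue:DeleteResourcePolicy"
      ],
      "Resource": "arn:aws:glue:us-east-1:111122223333:catalog"
    }
  ]
}
```

The explicit Deny is the security-relevant part: PutResourcePolicy rewrites who can reach the catalog from other accounts, so a reader role should never be able to acquire it through a second, broader policy. Because every action in the first statement is Read-level per the table, the policy cannot create, modify or delete catalog objects even if the "*" resource is later narrowed or widened.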

Condition Keys for AWS Glue

Glue has no service-specific context keys that can be used in the Condition element of policy statements. For the list of the global context keys that are available to all services, see Available Keys for Conditions in the IAM Policy Reference.