Actions, resources, and condition keys for AWS Glue - AWS Identity and Access Management

Tip: This page is moving to a new location on November 16, 2020. Please update your bookmark to use the new page at https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html.

AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Glue

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The actions table.

| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| BatchCreatePartition | Grants permission to create one or more partitions | Write | catalog*, database*, table* | | |
| BatchDeleteConnection | Grants permission to delete one or more connections | Write | catalog*, connection* | | |
| BatchDeletePartition | Grants permission to delete one or more partitions | Write | catalog*, database*, table* | | |
| BatchDeleteTable | Grants permission to delete one or more tables | Write | catalog*, database*, table* | | |
| BatchDeleteTableVersion | Grants permission to delete one or more versions of a table | Write | catalog*, database*, table*, tableversion* | | |
| BatchGetCrawlers | Grants permission to retrieve one or more crawlers | Read | | | |
| BatchGetDevEndpoints | Grants permission to retrieve one or more development endpoints | Read | | | |
| BatchGetJobs | Grants permission to retrieve one or more jobs | Read | | | |
| BatchGetPartition | Grants permission to retrieve one or more partitions | Read | catalog*, database*, table* | | |
| BatchGetTriggers | Grants permission to retrieve one or more triggers | Read | | | |
| BatchGetWorkflows | Grants permission to retrieve one or more workflows | Read | | | |
| BatchStopJobRun | Grants permission to stop one or more job runs for a job | Write | | | |
| CancelMLTaskRun | Grants permission to stop a running ML Task Run | Write | mlTransform* | | |
| CreateClassifier | Grants permission to create a classifier | Write | | | |
| CreateConnection | Grants permission to create a connection | Write | catalog*, connection* | | |
| CreateCrawler | Grants permission to create a crawler | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateDatabase | Grants permission to create a database | Write | catalog*, database* | | |
| CreateDevEndpoint | Grants permission to create a development endpoint | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateJob | Grants permission to create a job | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateMLTransform | Grants permission to create an ML Transform | Write | | | |
| CreatePartition | Grants permission to create a partition | Write | catalog*, database*, table* | | |
| CreateScript | Grants permission to create a script | Write | | | |
| CreateSecurityConfiguration | Grants permission to create a security configuration | Write | | | |
| CreateTable | Grants permission to create a table | Write | catalog*, database*, table* | | |
| CreateTrigger | Grants permission to create a trigger | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| CreateUserDefinedFunction | Grants permission to create a function definition | Write | catalog*, database*, userdefinedfunction* | | |
| CreateWorkflow | Grants permission to create a workflow | Write | | aws:RequestTag/${TagKey}, aws:TagKeys | |
| DeleteClassifier | Grants permission to delete a classifier | Write | | | |
| DeleteConnection | Grants permission to delete a connection | Write | catalog*, connection* | | |
| DeleteCrawler | Grants permission to delete a crawler | Write | | | |
| DeleteDatabase | Grants permission to delete a database | Write | catalog*, database* | | |
| DeleteDevEndpoint | Grants permission to delete a development endpoint | Write | | | |
| DeleteJob | Grants permission to delete a job | Write | | | |
| DeleteMLTransform | Grants permission to delete an ML Transform | Write | mlTransform* | | |
| DeletePartition | Grants permission to delete a partition | Write | catalog*, database*, table* | | |
| DeleteResourcePolicy | Grants permission to delete a resource policy | Write | catalog* | | |
| DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | | | |
| DeleteTable | Grants permission to delete a table | Write | catalog*, database*, table* | | |
| DeleteTableVersion | Grants permission to delete a version of a table | Write | catalog*, database*, table*, tableversion* | | |
| DeleteTrigger | Grants permission to delete a trigger | Write | | | |
| DeleteUserDefinedFunction | Grants permission to delete a function definition | Write | catalog*, database*, userdefinedfunction* | | |
| DeleteWorkflow | Grants permission to delete a workflow | Write | | | |
| GetCatalogImportStatus | Grants permission to retrieve the catalog import status | Read | catalog* | | |
| GetClassifier | Grants permission to retrieve a classifier | Read | | | |
| GetClassifiers | Grants permission to list all classifiers | Read | | | |
| GetConnection | Grants permission to retrieve a connection | Read | catalog*, connection* | | |
| GetConnections | Grants permission to retrieve a list of connections | Read | catalog*, connection* | | |
| GetCrawler | Grants permission to retrieve a crawler | Read | | | |
| GetCrawlerMetrics | Grants permission to retrieve metrics about crawlers | Read | | | |
| GetCrawlers | Grants permission to retrieve all crawlers | Read | | | |
| GetDataCatalogEncryptionSettings | Grants permission to retrieve catalog encryption settings | Read | | | |
| GetDatabase | Grants permission to retrieve a database | Read | catalog*, database* | | |
| GetDatabases | Grants permission to retrieve all databases | Read | catalog*, database* | | |
| GetDataflowGraph | Grants permission to transform a script into a directed acyclic graph (DAG) | Read | | | |
| GetDevEndpoint | Grants permission to retrieve a development endpoint | Read | | | |
| GetDevEndpoints | Grants permission to retrieve all development endpoints | Read | | | |
| GetJob | Grants permission to retrieve a job | Read | | | |
| GetJobBookmark | Grants permission to retrieve a job bookmark | Read | | | |
| GetJobRun | Grants permission to retrieve a job run | Read | | | |
| GetJobRuns | Grants permission to retrieve all job runs of a job | Read | | | |
| GetJobs | Grants permission to retrieve all current jobs | Read | | | |
| GetMLTaskRun | Grants permission to retrieve an ML Task Run | Read | mlTransform* | | |
| GetMLTaskRuns | Grants permission to retrieve all ML Task Runs | List | mlTransform* | | |
| GetMLTransform | Grants permission to retrieve an ML Transform | Read | mlTransform* | | |
| GetMLTransforms | Grants permission to retrieve all ML Transforms | List | | | |
| GetMapping | Grants permission to create a mapping | Write | | | |
| GetPartition | Grants permission to retrieve a partition | Read | catalog*, database*, table* | | |
| GetPartitions | Grants permission to retrieve the partitions of a table | Read | catalog*, database*, table* | | |
| GetPlan | Grants permission to retrieve a mapping for a script | Read | | | |
| GetResourcePolicy | Grants permission to retrieve a resource policy | Read | catalog* | | |
| GetSecurityConfiguration | Grants permission to retrieve a security configuration | Read | | | |
| GetSecurityConfigurations | Grants permission to retrieve one or more security configurations | Read | | | |
| GetTable | Grants permission to retrieve a table | Read | catalog*, database*, table* | | |
| GetTableVersion | Grants permission to retrieve a version of a table | Read | catalog*, database*, table*, tableversion* | | |
| GetTableVersions | Grants permission to retrieve a list of versions of a table | Read | catalog*, database*, table*, tableversion* | | |
| GetTables | Grants permission to retrieve the tables in a database | Read | catalog*, database*, table* | | |
| GetTags | Grants permission to retrieve all tags associated with a resource | Read | crawler, devendpoint, job, trigger, workflow | | |
| GetTrigger | Grants permission to retrieve a trigger | Read | | | |
| GetTriggers | Grants permission to retrieve the triggers associated with a job | Read | | | |
| GetUserDefinedFunction | Grants permission to retrieve a function definition | Read | catalog*, database*, userdefinedfunction* | | |
| GetUserDefinedFunctions | Grants permission to retrieve multiple function definitions | Read | catalog*, database*, userdefinedfunction* | | |
| GetWorkflow | Grants permission to retrieve a workflow | Read | | | |
| GetWorkflowRun | Grants permission to retrieve a workflow run | Read | | | |
| GetWorkflowRunProperties | Grants permission to retrieve workflow run properties | Read | | | |
| GetWorkflowRuns | Grants permission to retrieve all runs of a workflow | Read | | | |
| ImportCatalogToGlue | Grants permission to import an Athena data catalog into AWS Glue | Write | catalog* | | |
| ListCrawlers | Grants permission to retrieve all crawlers | List | | | |
| ListDevEndpoints | Grants permission to retrieve all development endpoints | List | | | |
| ListJobs | Grants permission to retrieve all current jobs | List | | | |
| ListMLTransforms | Grants permission to retrieve all ML Transforms | List | | | |
| ListTriggers | Grants permission to retrieve all triggers | List | | | |
| ListWorkflows | Grants permission to retrieve all workflows | List | | | |
| PutDataCatalogEncryptionSettings | Grants permission to update catalog encryption settings | Write | | | |
| PutResourcePolicy | Grants permission to update a resource policy | Write | catalog* | | |
| PutWorkflowRunProperties | Grants permission to update workflow run properties | Write | | | |
| ResetJobBookmark | Grants permission to reset a job bookmark | Write | | | |
| SearchTables | Grants permission to retrieve the tables in the catalog | Read | catalog*, database*, table* | | |
| StartCrawler | Grants permission to start a crawler | Write | | | |
| StartCrawlerSchedule | Grants permission to change the schedule state of a crawler to SCHEDULED | Write | | | |
| StartExportLabelsTaskRun | Grants permission to start an Export Labels ML Task Run | Write | mlTransform* | | |
| StartImportLabelsTaskRun | Grants permission to start an Import Labels ML Task Run | Write | mlTransform* | | |
| StartJobRun | Grants permission to start running a job | Write | | | |
| StartMLEvaluationTaskRun | Grants permission to start an Evaluation ML Task Run | Write | mlTransform* | | |
| StartMLLabelingSetGenerationTaskRun | Grants permission to start a Labeling Set Generation ML Task Run | Write | mlTransform* | | |
| StartTrigger | Grants permission to start a trigger | Write | | | |
| StartWorkflowRun | Grants permission to start running a workflow | Write | | | |
| StopCrawler | Grants permission to stop a running crawler | Write | | | |
| StopCrawlerSchedule | Grants permission to set the schedule state of a crawler to NOT_SCHEDULED | Write | | | |
| StopTrigger | Grants permission to stop a trigger | Write | | | |
| TagResource | Grants permission to add tags to a resource | Tagging | crawler, devendpoint, job, trigger, workflow | aws:TagKeys, aws:RequestTag/${TagKey} | |
| UntagResource | Grants permission to remove tags associated with a resource | Tagging | crawler, devendpoint, job, trigger, workflow | aws:TagKeys | |
| UpdateClassifier | Grants permission to update a classifier | Write | | | |
| UpdateConnection | Grants permission to update a connection | Write | catalog*, connection* | | |
| UpdateCrawler | Grants permission to update a crawler | Write | | | |
| UpdateCrawlerSchedule | Grants permission to update the schedule of a crawler | Write | | | |
| UpdateDatabase | Grants permission to update a database | Write | catalog*, database* | | |
| UpdateDevEndpoint | Grants permission to update a development endpoint | Write | | | |
| UpdateJob | Grants permission to update a job | Write | | | |
| UpdateMLTransform | Grants permission to update an ML Transform | Write | mlTransform* | | |
| UpdatePartition | Grants permission to update a partition | Write | catalog*, database*, table* | | |
| UpdateTable | Grants permission to update a table | Write | catalog*, database*, table* | | |
| UpdateTrigger | Grants permission to update a trigger | Write | | | |
| UpdateUserDefinedFunction | Grants permission to update a function definition | Write | catalog*, database*, userdefinedfunction* | | |
| UpdateWorkflow | Grants permission to update a workflow | Write | | | |
| UseMLTransforms | Grants permission to use an ML Transform from within a Glue ETL Script | Write | mlTransform* | | |
Resource types defined by AWS Glue

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The resource types table.

| Resource types | ARN | Condition keys |
|---|---|---|
| catalog | arn:${Partition}:glue:${Region}:${Account}:catalog | |
| database | arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} | |
| table | arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName} | |
| tableversion | arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName} | |
| connection | arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName} | |
| userdefinedfunction | arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName} | |
| devendpoint | arn:${Partition}:glue:${Region}:${Account}:devendpoint/${DevEndpointName} | aws:ResourceTag/${TagKey} |
| job | arn:${Partition}:glue:${Region}:${Account}:job/${JobName} | aws:ResourceTag/${TagKey} |
| trigger | arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName} | aws:ResourceTag/${TagKey} |
| crawler | arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName} | aws:ResourceTag/${TagKey} |
| workflow | arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName} | aws:ResourceTag/${TagKey} |
| mlTransform | arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId} | aws:ResourceTag/${TagKey} |
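The two tables above encode the rules from the actions section (an action with no resource types only takes effect with Resource "*"; an action marked with required resource types should be scoped to ARNs of every required type) together with the ARN templates. The following is an added example, not AWS code, that lints a single IAM statement against a small embedded subset of those tables; the action subset, the ARN classification by segment count, and the finding strings are this example's own choices.

```python
# Added example (not AWS code): lint an IAM statement against the Glue tables above.
ACTION_RESOURCE_TYPES = {  # subset of the actions table; empty set = no resource types
    "glue:GetTable": {"catalog", "database", "table"},
    "glue:GetPartitions": {"catalog", "database", "table"},
    "glue:GetDatabase": {"catalog", "database"},
    "glue:GetJob": set(),
    "glue:StartJobRun": set(),
}
ARN_TEMPLATES = {  # copied from the resource types table
    "catalog": "arn:${Partition}:glue:${Region}:${Account}:catalog",
    "database": "arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName}",
    "table": "arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName}",
}


def arn_resource_type(arn):
    """Name the Glue resource type an ARN (possibly with '*' segments) refers to, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "glue":
        return None
    segments = parts[5].split("/")
    for rtype, template in ARN_TEMPLATES.items():
        tpl_segments = template.split(":", 5)[5].split("/")
        # The resource part is "<type>/<segment>/..." with one segment per ${...} placeholder.
        if segments[0] == tpl_segments[0] and len(segments) == len(tpl_segments):
            return rtype
    return None


def check_statement(stmt):
    """Return findings for one policy statement; an empty list means it is consistent."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    present = {arn_resource_type(r) for r in resources if r != "*"}
    findings = []
    for action in actions:
        required = ACTION_RESOURCE_TYPES.get(action)
        if required is None:
            findings.append(f"{action}: not in the embedded table, not checked")
        elif not required and "*" not in resources:
            # No resource types: the statement only takes effect with Resource "*".
            findings.append(f'{action}: takes no resource types, Resource must be "*"')
        elif required and "*" in resources:
            findings.append(f'{action}: supports resource-level permissions but Resource is "*"')
        elif required - present:
            # Every required type must be listed; a lone table ARN is not enough for GetTable.
            findings.append(f"{action}: missing ARN(s) for {', '.join(sorted(required - present))}")
    return findings
```

Run `check_statement` over each statement of a policy document you are reviewing; a non-empty list points at statements that are either ineffective or broader than the table allows.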

Condition keys for AWS Glue

AWS Glue defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String |
| aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String |
| aws:TagKeys | Filters actions based on the presence of tag keys in the request | String |