This policy gives Amazon DataZone permissions to publish AWS Glue data to the catalog. It also gives Amazon DataZone permissions to grant access or revoke access to AWS Glue published assets in the catalog.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GlueTagDatabasePermissions",
"Effect": "Allow",
"Action": [
"glue:TagResource",
"glue:UntagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
},
"ForAnyValue:StringLikeIfExists": {
"aws:TagKeys": "DataZoneDiscoverable_*"
}
}
},
{
"Sid": "GlueDataQualityPermissions",
"Effect": "Allow",
"Action": [
"glue:ListDataQualityResults",
"glue:GetDataQualityResult"
],
"Resource": "arn:aws:glue:*:*:dataQualityRuleset/*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "GlueCrawlerPermissions",
"Effect": "Allow",
"Action": "glue:ListCrawls",
"Resource": "arn:aws:glue:*:*:crawler/*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "GlueTableDatabasePermissions",
"Effect": "Allow",
"Action": [
"glue:CreateTable",
"glue:DeleteTable",
"glue:GetDatabases",
"glue:GetTables",
"glue:SearchTables"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:catalog/*",
"arn:aws:glue:*:*:database/*",
"arn:aws:glue:*:*:table/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "GlueGetTagsPermissions",
"Effect": "Allow",
"Action": [
"glue:GetTags",
"glue:GetCatalog"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:catalog/*",
"arn:aws:glue:*:*:database/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "LakeformationResourceSharingPermissions",
"Effect": "Allow",
"Action": [
"lakeformation:BatchGrantPermissions",
"lakeformation:BatchRevokePermissions",
"lakeformation:CreateDataCellsFilter",
"lakeformation:CreateLakeFormationOptIn",
"lakeformation:DeleteDataCellsFilter",
"lakeformation:DeleteLakeFormationOptIn",
"lakeformation:GrantPermissions",
"lakeformation:GetDataCellsFilter",
"lakeformation:GetResourceLFTags",
"lakeformation:ListDataCellsFilter",
"lakeformation:ListLakeFormationOptIns",
"lakeformation:ListPermissions",
"lakeformation:RegisterResource",
"lakeformation:RevokePermissions",
"lakeformation:UpdateDataCellsFilter",
"glue:GetDatabase",
"glue:GetTable",
"organizations:DescribeOrganization",
"ram:GetResourceShareInvitations",
"ram:ListResources"
],
"Resource": "*"
},
{
"Sid": "LakeformationResourceFederatedSharingPermissions",
"Effect": "Allow",
"Action": [
"lakeformation:GetDataAccess"
],
"Resource": "*",
"Condition": {
"Null": {
"lakeformation:GlueARN": "true"
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"glue.amazonaws.com",
"lakeformation.amazonaws.com"
]
}
}
},
{
"Sid": "CrossAccountRAMResourceSharingPermissions",
"Effect": "Allow",
"Action": [
"glue:DeleteResourcePolicy",
"glue:PutResourcePolicy"
],
"Resource": [
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:catalog/*",
"arn:aws:glue:*:*:database/*",
"arn:aws:glue:*:*:table/*"
],
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"ram.amazonaws.com"
]
}
}
},
{
"Sid": "CrossAccountLakeFormationResourceSharingPermissions",
"Effect": "Allow",
"Action": [
"ram:CreateResourceShare"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"ram:RequestedResourceType": [
"glue:Table",
"glue:Database",
"glue:Catalog"
]
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"lakeformation.amazonaws.com"
]
}
}
},
{
"Sid": "CrossAccountRAMResourceShareInvitationPermission",
"Effect": "Allow",
"Action": [
"ram:AcceptResourceShareInvitation"
],
"Resource": "arn:aws:ram:*:*:resource-share-invitation/*"
},
{
"Sid": "CrossAccountRAMResourceSharingViaLakeFormationPermissions",
"Effect": "Allow",
"Action": [
"ram:AssociateResourceShare",
"ram:DeleteResourceShare",
"ram:DisassociateResourceShare",
"ram:GetResourceShares",
"ram:ListResourceSharePermissions",
"ram:UpdateResourceShare"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ram:ResourceShareName": [
"LakeFormation*"
]
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"lakeformation.amazonaws.com"
]
}
}
},
{
"Sid": "CrossAccountRAMResourceSharingViaLakeFormationHybrid",
"Effect": "Allow",
"Action": "ram:AssociateResourceSharePermission",
"Resource": "*",
"Condition": {
"ArnLike": {
"ram:PermissionArn": "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
},
"ForAnyValue:StringEquals": {
"aws:CalledVia": [
"lakeformation.amazonaws.com"
]
}
}
},
{
"Sid": "KMSDecryptPermission",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/datazone:projectId": "proj-all"
}
}
},
{
"Sid": "GetRoleForDataZone",
"Effect": "Allow",
"Action": [
"iam:GetRole"
],
"Resource": [
"arn:aws:iam::*:role/AmazonDataZone*",
"arn:aws:iam::*:role/service-role/AmazonDataZone*"
]
},
{
"Sid": "PassRoleForDataLocationRegistration",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/AmazonDataZone*",
"arn:aws:iam::*:role/service-role/AmazonDataZone*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"lakeformation.amazonaws.com"
]
}
}
}
]
}
