Specifying AWS Glue resource ARNs
In AWS Glue, you can control access to resources using an AWS Identity and Access Management (IAM) policy. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. Not all resources in AWS Glue support ARNs.
Data Catalog ARNs
Data Catalog resources have a hierarchical structure, with the catalog as the root:

arn:aws:glue:region:account-id:catalog
Each AWS account has a single Data Catalog in an AWS Region with the 12-digit account ID as the catalog ID. Resources have unique ARNs associated with them, as shown in the following table.
Resource type | ARN format | Example |
---|---|---|
Catalog | arn:aws:glue:region:account-id:catalog | arn:aws:glue:us-east-1:123456789012:catalog |
Database | arn:aws:glue:region:account-id:database/database-name | arn:aws:glue:us-east-1:123456789012:database/PrivateDatabase |
Table | arn:aws:glue:region:account-id:table/database-name/table-name | arn:aws:glue:us-east-1:123456789012:table/PrivateDatabase/PrivateTable |
User-defined function | arn:aws:glue:region:account-id:userDefinedFunction/database-name/function-name | arn:aws:glue:us-east-1:123456789012:userDefinedFunction/PrivateDatabase/PrivateFunction |
Connection | arn:aws:glue:region:account-id:connection/connection-name | arn:aws:glue:us-east-1:123456789012:connection/PrivateConnection |
Interactive Session | arn:aws:glue:region:account-id:session/session-id | arn:aws:glue:us-east-1:123456789012:session/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 |
To enable fine-grained access control, you can use these ARNs in your IAM policies and resource policies to grant and deny access to specific resources. Wildcards are allowed in the policies. For example, the following ARN matches all tables in the database default:

arn:aws:glue:us-east-1:123456789012:table/default/*
Important

All operations performed on a Data Catalog resource require permission on the resource and on all the ancestors of that resource. For example, creating a partition for a table requires permission on the table, on the database, and on the catalog where the table is located. The following statement shows the permission required to create partitions on the table PrivateTable in the database PrivateDatabase in the Data Catalog.

{
  "Sid": "GrantCreatePartitions",
  "Effect": "Allow",
  "Action": [
    "glue:BatchCreatePartitions"
  ],
  "Resource": [
    "arn:aws:glue:us-east-1:123456789012:table/PrivateDatabase/PrivateTable",
    "arn:aws:glue:us-east-1:123456789012:database/PrivateDatabase",
    "arn:aws:glue:us-east-1:123456789012:catalog"
  ]
}
In addition to permission on the resource and all its ancestors, all delete operations require permission on all children of that resource. For example, deleting a database requires permission on all the tables and user-defined functions in the database, in addition to the database and the catalog where the database is located. The following statement shows the permission required to delete the database PrivateDatabase in the Data Catalog.

{
  "Sid": "GrantDeleteDatabase",
  "Effect": "Allow",
  "Action": [
    "glue:DeleteDatabase"
  ],
  "Resource": [
    "arn:aws:glue:us-east-1:123456789012:table/PrivateDatabase/*",
    "arn:aws:glue:us-east-1:123456789012:userDefinedFunction/PrivateDatabase/*",
    "arn:aws:glue:us-east-1:123456789012:database/PrivateDatabase",
    "arn:aws:glue:us-east-1:123456789012:catalog"
  ]
}
In summary, actions on Data Catalog resources follow these permission rules:
Actions on the catalog require permission on the catalog only.
Actions on a database require permission on the database and catalog.
Delete actions on a database require permission on the database and catalog plus all tables and user-defined functions in the database.
Actions on a table, partition, or table version require permission on the table, database, and catalog.
Actions on a user-defined function require permission on the user-defined function, database, and catalog.
Actions on a connection require permission on the connection and catalog.
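Getting the ancestor list wrong is the usual reason a Data Catalog policy that "looks right" fails with AccessDenied. The following script, added here as an example and not part of AWS Glue or its documentation, encodes the permission rules listed above: every action needs the target resource plus all of its ancestors, and a database delete additionally needs every table and user-defined function in that database. The function names and arguments are this example's own; the ARN formats, region and account ID (us-east-1, 123456789012) come from the page.

```python
"""Build least-privilege IAM statements for AWS Glue Data Catalog actions.

Added example, not AWS code. It encodes the permission rules from the page:
every action needs the target resource plus all of its ancestors, and a
database delete additionally needs every table and user-defined function
in that database. Function names and arguments are this example's own.
"""
import json

CATALOG_TYPES = ("catalog", "database", "table", "userDefinedFunction", "connection")


def catalog_resources(region, account, resource_type, name=None, database=None,
                      delete=False):
    """Return every ARN a statement must list for one Data Catalog operation.

    resource_type: one of CATALOG_TYPES.
    name:          database name for "database"; table, function or connection
                   name otherwise (ignored for "catalog").
    database:      parent database for "table" and "userDefinedFunction".
    delete:        True for a delete operation. Only database deletes expand
                   here: the page lists tables and user-defined functions as
                   the children a database delete needs, and gives no other
                   delete rule involving children that have ARNs.
    Order is child-most first, catalog last, matching the page's examples.
    """
    prefix = f"arn:aws:glue:{region}:{account}:"
    catalog = prefix + "catalog"

    if resource_type == "catalog":
        return [catalog]
    if resource_type == "connection":
        return [f"{prefix}connection/{name}", catalog]
    if resource_type == "database":
        children = []
        if delete:
            # Deleting a database requires permission on everything inside it.
            children = [f"{prefix}table/{name}/*",
                        f"{prefix}userDefinedFunction/{name}/*"]
        return children + [f"{prefix}database/{name}", catalog]
    if resource_type in ("table", "userDefinedFunction"):
        if not database:
            raise ValueError(f"{resource_type} requires its parent database")
        return [f"{prefix}{resource_type}/{database}/{name}",
                f"{prefix}database/{database}",
                catalog]
    raise ValueError(f"unknown Data Catalog resource type: {resource_type!r}")


def allow_statement(sid, actions, region, account, **resource):
    """Wrap catalog_resources() in an Allow statement for the given actions."""
    return {
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": catalog_resources(region, account, **resource),
    }


def policy(*statements):
    """Assemble statements into a complete identity-based policy document."""
    return {"Version": "2012-10-17", "Statement": list(statements)}


if __name__ == "__main__":
    # Reproduces the two statements shown in the text above.
    doc = policy(
        allow_statement("GrantCreatePartitions", ["glue:BatchCreatePartitions"],
                        "us-east-1", "123456789012", resource_type="table",
                        name="PrivateTable", database="PrivateDatabase"),
        allow_statement("GrantDeleteDatabase", ["glue:DeleteDatabase"],
                        "us-east-1", "123456789012", resource_type="database",
                        name="PrivateDatabase", delete=True),
    )
    print(json.dumps(doc, indent=2))
```

Running the script prints a policy whose two statements match the GrantCreatePartitions and GrantDeleteDatabase examples above; changing `delete=True` to `delete=False` on the database statement drops the two child wildcards, which is exactly the difference between a policy that can read a database and one that can remove it.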
ARNs for non-catalog objects in AWS Glue
Some AWS Glue resources support resource-level permissions, so you can control access to them with an ARN. You can use these ARNs in your IAM policies to enable fine-grained access control. The following table lists the non-catalog resources that have resource ARNs.

Resource type | ARN format | Example |
---|---|---|
Crawler | arn:aws:glue:region:account-id:crawler/crawler-name | arn:aws:glue:us-east-1:123456789012:crawler/mycrawler |
Job | arn:aws:glue:region:account-id:job/job-name | arn:aws:glue:us-east-1:123456789012:job/testjob |
Trigger | arn:aws:glue:region:account-id:trigger/trigger-name | arn:aws:glue:us-east-1:123456789012:trigger/sampletrigger |
Development endpoint | arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name | arn:aws:glue:us-east-1:123456789012:devEndpoint/myDevEndpoint-1 |
Machine learning transform | arn:aws:glue:region:account-id:mlTransform/transform-id | arn:aws:glue:us-east-1:123456789012:mlTransform/tfm-1234567890 |
Access control for AWS Glue non-catalog singular API operations

AWS Glue non-catalog singular API operations act on a single item (for example, one development endpoint). Examples are GetDevEndpoint, CreateDevEndpoint, and UpdateDevEndpoint. For these operations, a policy must put the API name in the Action element and the resource ARN in the Resource element.
Suppose that you want to allow a user to call the GetDevEndpoint operation. The following policy grants the minimum necessary permissions on an endpoint named myDevEndpoint-1.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MinimumPermissions",
      "Effect": "Allow",
      "Action": "glue:GetDevEndpoint",
      "Resource": "arn:aws:glue:us-east-1:123456789012:devEndpoint/myDevEndpoint-1"
    }
  ]
}
The following policy allows UpdateDevEndpoint access to every development endpoint whose name matches myDevEndpoint- followed by a wildcard (*).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionWithWildcard",
      "Effect": "Allow",
      "Action": "glue:UpdateDevEndpoint",
      "Resource": "arn:aws:glue:us-east-1:123456789012:devEndpoint/myDevEndpoint-*"
    }
  ]
}
You can combine both actions in a single statement, as in the following example, which is scoped to development endpoints whose names begin with A. With this policy, a call for an endpoint whose name begins with A is authorized, so if no such endpoint exists the service returns EntityNotFoundException. A call for any other development endpoint is not authorized and returns an access denied error instead.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CombinedPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateDevEndpoint",
        "glue:GetDevEndpoint"
      ],
      "Resource": "arn:aws:glue:us-east-1:123456789012:devEndpoint/A*"
    }
  ]
}
Access control for AWS Glue non-catalog API operations that retrieve multiple items

Some AWS Glue API operations retrieve multiple items (such as multiple development endpoints); for example, GetDevEndpoints. For such an operation, you can specify only a wildcard (*) resource, not specific ARNs.

For example, to include GetDevEndpoints in the policy, the resource must be scoped to the wildcard (*). Because the singular operations (GetDevEndpoint, CreateDevEndpoint, and UpdateDevEndpoint) share the same statement in this example, they are also scoped to all (*) resources; split them into a separate statement if you want to restrict them to specific ARNs.

{
  "Sid": "PluralAPIIncluded",
  "Effect": "Allow",
  "Action": [
    "glue:GetDevEndpoints",
    "glue:GetDevEndpoint",
    "glue:CreateDevEndpoint",
    "glue:UpdateDevEndpoint"
  ],
  "Resource": [
    "*"
  ]
}
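The two rules above, singular operations matched by ARN pattern and plural operations grantable only on "*", are easy to get wrong when a statement mixes both kinds of action. The following script, added here as an example and not AWS code or the IAM policy simulator, evaluates a request against a policy the way those rules describe: the request ARN is matched against each statement's Resource using IAM's wildcards (* for any run of characters, ? for one), and a plural operation is allowed only by a statement whose Resource is the bare "*". The policies and ARNs are the page's own; the PLURAL_ACTIONS set, the PLURAL_SCOPED counter-example and the function names are this example's assumptions.

```python
"""Check which AWS Glue requests a policy authorizes, with IAM-style wildcards.

Added example, not AWS code and not the IAM policy simulator. Singular
operations are allowed when the request ARN matches a statement's Resource
(IAM wildcards: * = any run of characters, ? = one character); plural
operations such as glue:GetDevEndpoints are allowed only by a statement
whose Resource is the bare "*". An explicit Deny always wins.
"""
import re

# Assumption: the only plural operation this example knows about is the one
# the page names. Add other multi-item operations here as needed.
PLURAL_ACTIONS = {"glue:getdevendpoints"}


def _glob(pattern):
    """Compile an IAM Action/Resource pattern: * = any characters, ? = one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn=None):
    """True if `policy` grants `action` on `resource_arn`; explicit Deny wins.

    Action names are case-insensitive in IAM; ARNs are compared as written.
    """
    action_lc = action.lower()
    allowed = False
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]
        if not any(_glob(a).match(action_lc) for a in actions):
            continue
        resources = _as_list(st["Resource"])
        if action_lc in PLURAL_ACTIONS:
            # Plural operations cannot be scoped to an ARN: only "*" grants them.
            matched = "*" in resources
        else:
            matched = resource_arn is not None and any(
                _glob(r).match(resource_arn) for r in resources)
        if not matched:
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


PREFIX = "arn:aws:glue:us-east-1:123456789012:"

# The combined policy from the text: Get/UpdateDevEndpoint on names starting with A.
COMBINED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CombinedPermissions",
        "Effect": "Allow",
        "Action": ["glue:UpdateDevEndpoint", "glue:GetDevEndpoint"],
        "Resource": PREFIX + "devEndpoint/A*",
    }],
}

# The plural example from the text, which must use "*".
PLURAL_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PluralAPIIncluded",
        "Effect": "Allow",
        "Action": ["glue:GetDevEndpoints", "glue:GetDevEndpoint",
                   "glue:CreateDevEndpoint", "glue:UpdateDevEndpoint"],
        "Resource": ["*"],
    }],
}

# Constructed counter-example: the plural action scoped to an ARN pattern.
# The singular call still works; the plural call is never authorized.
PLURAL_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PluralScopedWrongly",
        "Effect": "Allow",
        "Action": ["glue:GetDevEndpoints", "glue:GetDevEndpoint"],
        "Resource": PREFIX + "devEndpoint/myDevEndpoint-*",
    }],
}


if __name__ == "__main__":
    checks = [
        (COMBINED, "glue:GetDevEndpoint", PREFIX + "devEndpoint/Analytics"),
        (COMBINED, "glue:GetDevEndpoint", PREFIX + "devEndpoint/myDevEndpoint-1"),
        (COMBINED, "glue:DeleteDevEndpoint", PREFIX + "devEndpoint/Analytics"),
        (PLURAL_OK, "glue:GetDevEndpoints", None),
        (PLURAL_SCOPED, "glue:GetDevEndpoints", None),
        (PLURAL_SCOPED, "glue:GetDevEndpoint", PREFIX + "devEndpoint/myDevEndpoint-7"),
    ]
    for pol, act, arn in checks:
        verdict = "ALLOW" if is_allowed(pol, act, arn) else "DENY"
        print(f"{pol['Statement'][0]['Sid']:22} {act:24} {arn or '-':62} {verdict}")
```

The PLURAL_SCOPED case is the one to watch for in review: the statement looks like it grants GetDevEndpoints, and the singular GetDevEndpoint calls succeed, but every GetDevEndpoints call is denied until the plural action is moved into its own statement with Resource "*".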
Access control for AWS Glue non-catalog BatchGet API operations

Some AWS Glue API operations retrieve a named set of items (such as several development endpoints at once); for example, BatchGetDevEndpoints. Unlike the plural Get operations, these operations accept a resource ARN in the policy, so you can limit the scope of resources that can be accessed.

For example, to allow access to a specific development endpoint, include BatchGetDevEndpoints in the policy with that endpoint's resource ARN.

{
  "Sid": "BatchGetAPIIncluded",
  "Effect": "Allow",
  "Action": [
    "glue:BatchGetDevEndpoints"
  ],
  "Resource": [
    "arn:aws:glue:us-east-1:123456789012:devEndpoint/de1"
  ]
}

With this policy, you can successfully access the development endpoint named de1. However, if you try to access the development endpoint named de2, the following error is returned:

An error occurred (AccessDeniedException) when calling the BatchGetDevEndpoints operation: No access to any requested resource.
Important

For alternative approaches to setting up IAM policies, such as using List and BatchGet API operations, see Identity-based policy examples for AWS Glue.