AWS politique gérée : AmazonDataZoneGlueManageAccessRolePolicy - Amazon DataZone

Les traductions sont fournies par des outils de traduction automatique. En cas de conflit entre le contenu d'une traduction et celui de la version originale en anglais, la version anglaise prévaudra.

AWS politique gérée : AmazonDataZoneGlueManageAccessRolePolicy

Cette politique autorise Amazon DataZone à publier les données AWS Glue dans le catalogue. Cela donne également à Amazon l' DataZone autorisation d'accorder ou de révoquer l'accès aux ressources publiées par AWS Glue dans le catalogue.


{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "GlueTagDatabasePermissions",
			"Effect": "Allow",
			"Action": [
				"glue:TagResource",
				"glue:UntagResource",
				"glue:GetTags"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				},
				"ForAnyValue:StringLikeIfExists": {
					"aws:TagKeys": "DataZoneDiscoverable_*"
				}
			}
		},
		{
			"Sid": "GlueDataQualityPermissions",
			"Effect": "Allow",
			"Action": [
				"glue:ListDataQualityResults",
				"glue:GetDataQualityResult"
			],
			"Resource": "arn:aws:glue:*:*:dataQualityRuleset/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "GlueTableDatabasePermissions",
			"Effect": "Allow",
			"Action": [
				"glue:CreateTable",
				"glue:DeleteTable",
				"glue:GetDatabases",
				"glue:GetTables"
			],
			"Resource": [
				"arn:aws:glue:*:*:catalog",
				"arn:aws:glue:*:*:database/*",
				"arn:aws:glue:*:*:table/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "LakeformationResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"lakeformation:BatchGrantPermissions",
				"lakeformation:BatchRevokePermissions",
				"lakeformation:CreateLakeFormationOptIn",
				"lakeformation:DeleteLakeFormationOptIn",
				"lakeformation:GrantPermissions",
				"lakeformation:GetResourceLFTags",
				"lakeformation:ListLakeFormationOptIns",
				"lakeformation:ListPermissions",
				"lakeformation:RegisterResource",
				"lakeformation:RevokePermissions",
				"glue:GetDatabase",
				"glue:GetTable",
				"organizations:DescribeOrganization",
				"ram:GetResourceShareInvitations",
				"ram:ListResources"
			],
			"Resource": "*"
		},
		{
			"Sid": "CrossAccountRAMResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"glue:DeleteResourcePolicy",
				"glue:PutResourcePolicy"
			],
			"Resource": [
				"arn:aws:glue:*:*:catalog",
				"arn:aws:glue:*:*:database/*",
				"arn:aws:glue:*:*:table/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"ram.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountLakeFormationResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"ram:CreateResourceShare"
			],
			"Resource": "*",
			"Condition": {
				"StringEqualsIfExists": {
					"ram:RequestedResourceType": [
						"glue:Table",
						"glue:Database",
						"glue:Catalog"
					]
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountRAMResourceShareInvitationPermission",
			"Effect": "Allow",
			"Action": [
				"ram:AcceptResourceShareInvitation"
			],
			"Resource": "arn:aws:ram:*:*:resource-share-invitation/*"
		},
		{
			"Sid": "CrossAccountRAMResourceSharingViaLakeFormationPermissions",
			"Effect": "Allow",
			"Action": [
				"ram:AssociateResourceShare",
				"ram:DeleteResourceShare",
				"ram:DisassociateResourceShare",
				"ram:GetResourceShares",
				"ram:ListResourceSharePermissions",
				"ram:UpdateResourceShare"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:ResourceShareName": [
						"LakeFormation*"
					]
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountRAMResourceSharingViaLakeFormationHybrid",
			"Effect": "Allow",
			"Action": "ram:AssociateResourceSharePermission",
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:PermissionArn": "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "KMSDecryptPermission",
			"Effect": "Allow",
			"Action": [
				"kms:Decrypt"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/datazone:projectId": "proj-all"
				}
			}
		},
		{
			"Sid": "GetRoleForDataZone",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonDataZone*"
			]
		},
		{
			"Sid": "PassRoleForDataLocationRegistration",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonDataZone*"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		}
	]
}