Managing access permissions for AWS Glue resources - AWS Glue

You can have valid credentials to authenticate your requests, but unless you have the appropriate permissions, you can't create or access an AWS Glue resource such as a table in the AWS Glue Data Catalog.

Every AWS resource is owned by an AWS account, and permissions to create or access a resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). Some services (such as AWS Glue and Amazon S3) also support attaching permissions policies to the resources themselves.


An account administrator (or administrator user) is a user who has administrative privileges. For more information, see IAM Best Practices in the IAM User Guide.

When granting permissions, you decide who is getting the permissions, the resources they get permissions for, and the specific actions that you want to allow on those resources.


You can grant access to your data by using AWS Glue methods or by using AWS Lake Formation grants. The AWS Glue methods use AWS Identity and Access Management (IAM) policies to achieve fine-grained access control. Lake Formation uses a simpler GRANT/REVOKE permissions model similar to the GRANT/REVOKE commands in a relational database system.

This section describes using the AWS Glue methods. For information about using Lake Formation grants, see Granting Lake Formation Permissions in the AWS Lake Formation Developer Guide.
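The decision described above (who gets permissions, on which resources, for which actions) shows up directly in the policy document. The following is an added example, not code from the AWS documentation: it checks an identity-based policy for AWS Glue statements that leave the actions or resources open. The account ID, Region, database name `db1`, table name `books`, and the helper `broad_glue_grants` are assumptions made for illustration.

```python
# Constructed sample policies: the account ID, Region, database and table
# names are placeholders, not values from the AWS page.
ARN = "arn:aws:glue:us-west-2:123456789012:"

BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "glue:*", "Resource": "*"}]}

# Read access to one table names the catalog, its database and the table.
SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["glue:GetTable", "glue:GetTables"],
    "Resource": [ARN + "catalog", ARN + "database/db1",
                 ARN + "table/db1/books"]}]}


def _as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def broad_glue_grants(policy):
    """Return (statement index, reason) pairs for Allow statements that grant
    AWS Glue access without naming both the actions and the resources."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        # Allow + NotAction/NotResource grants everything not listed.
        for key in ("NotAction", "NotResource"):
            if key in st:
                findings.append((i, key + " in Allow"))
        # Action names are case-insensitive in IAM.
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        glue = [a for a in actions if a == "*" or a.startswith("glue:")]
        if not glue:
            continue
        if any(a in ("*", "glue:*") for a in glue):
            findings.append((i, "wildcard action"))
        # Resource "*" or an ARN whose resource part is only "*".
        resources = _as_list(st.get("Resource", []))
        if any(r.split(":", 5)[-1] == "*" for r in resources):
            findings.append((i, "wildcard resource"))
    return findings


if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, broad_glue_grants(policy))
```

The check is a review aid for policy documents before they are attached; it does not evaluate conditions, permission boundaries, or resource-based policies.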