Permissions required to use the AWS Glue console - AWS Glue

For a user to work with the AWS Glue console, that user must have a minimum set of permissions that allows them to work with the AWS Glue resources for their AWS account. In addition to these AWS Glue permissions, the console requires permissions from the following services:

  • Amazon CloudWatch Logs permissions to display logs.

  • AWS Identity and Access Management (IAM) permissions to list and pass roles.

  • AWS CloudFormation permissions to work with stacks.

  • Amazon Elastic Compute Cloud (Amazon EC2) permissions to list VPCs, subnets, security groups, instances, and other objects.

  • Amazon Simple Storage Service (Amazon S3) permissions to list buckets and objects, and to retrieve and save scripts.

  • Amazon Redshift permissions to work with clusters.

  • Amazon Relational Database Service (Amazon RDS) permissions to list instances.

For more information about the permissions that users require to view and work with the AWS Glue console, see Step 3: Attach a Policy to IAM Users That Access AWS Glue.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console won't function as intended for users with that IAM policy. To ensure that those users can still use the AWS Glue console, also attach the AWSGlueConsoleFullAccess managed policy to the user, as described in AWS Managed (Predefined) Policies for AWS Glue.
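A restrictive policy can be checked for this problem before it is rolled out. The Python below is an added example, not AWS code: it reports which of the services listed on this page a policy document grants no actions for, and flags `iam:PassRole` allowed on `Resource: "*"`. The service prefixes, the sample policy, and the function name are assumptions for illustration; the check covers service-level presence only and does not evaluate `Deny` statements, `NotAction`, or conditions.

```python
import json
from fnmatch import fnmatchcase

# IAM action prefixes for AWS Glue and the services listed above (assumed mapping).
REQUIRED = ["glue", "logs", "iam", "cloudformation", "ec2", "s3", "redshift", "rds"]

# Constructed sample: a restrictive policy a team might write for Glue users.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["glue:Get*", "glue:StartJobRun"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-glue-scripts/*"},
        {"Effect": "Allow", "Action": ["iam:ListRoles", "iam:PassRole"], "Resource": "*"},
    ],
})

def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def audit_console_policy(policy_json):
    """Return (missing_service_prefixes, warnings) for one identity policy."""
    covered, warnings = set(), []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action in actions:
            prefix = action.split(":", 1)[0]
            covered.update(REQUIRED if prefix == "*" else [prefix])
        # Unscoped iam:PassRole lets the user pass any role a service will accept.
        passes_role = any(fnmatchcase("iam:passrole", a) for a in actions)
        if passes_role and "*" in _as_list(stmt.get("Resource", [])):
            warnings.append("iam:PassRole is allowed on Resource '*'")
    missing = sorted(p for p in REQUIRED if p not in covered)
    return missing, warnings

if __name__ == "__main__":
    missing, warnings = audit_console_policy(SAMPLE_POLICY)
    print("services with no Allow statement:", missing)
    print("warnings:", warnings)
```

A non-empty first result predicts console views that will fail for users holding only that policy; the warning marks a grant that is broader than the console needs.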

You don't need to allow minimum console permissions for users who make calls only to the AWS CLI or the AWS Glue API.