Setting up IAM permissions for AWS Glue

The instructions in this topic help you quickly set up AWS Identity and Access Management (IAM) permissions for AWS Glue. You will complete the following tasks:

  • Grant your IAM identities access to AWS Glue resources.

  • Create a service role for running jobs, accessing data, and running AWS Glue Data Quality tasks.

For detailed instructions that you can use to customize IAM permissions for AWS Glue, see Configuring IAM permissions for AWS Glue.

To set up IAM permissions for AWS Glue in the AWS Management Console
  1. Sign in to the AWS Management Console and open the AWS Glue console at https://console.aws.amazon.com/glue/.

  2. Choose Getting started.

  3. Under Prepare your account for AWS Glue, choose Set up IAM permissions.

  4. Choose the IAM identities (roles or users) that you want to give AWS Glue permissions to. AWS Glue attaches the AWSGlueConsoleFullAccess managed policy to these identities. You can skip this step if you want to set these permissions manually or only want to set a default service role.

  5. Choose Next.

  6. Choose the level of Amazon S3 access that your roles and users need. The options that you choose in this step are applied to all of the identities that you selected.

    1. Under Choose S3 locations, choose the Amazon S3 locations that you want to grant access to.

    2. Next, select whether your identities should have Read only (recommended) or Read and write access to the locations that you previously selected. AWS Glue adds permissions policies to your identities based on the combination of locations and read or write permissions you select.

      The following table displays the permissions that AWS Glue attaches for Amazon S3 access.

      If you choose ...                                              AWS Glue attaches ...

      No change                                                      No permissions. AWS Glue won't make any changes to your identity's permissions.

      Grant access to specific Amazon S3 locations (read only)       The customer-managed policy AWSGlueConsole-S3-read-only-policy, which grants read-only access to the specific Amazon S3 locations you selected. For example:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject"
              ],
              "Resource": [
                "arn:aws:s3:::80shiphop/*",
                "arn:aws:s3:::adamrohr-bucket/*",
                "arn:aws:s3:::80shiphop",
                "arn:aws:s3:::adamrohr-bucket"
              ],
              "Condition": {
                "StringEquals": {
                  "aws:ResourceAccount": "590186200215"
                }
              }
            }
          ]
        }

      Grant access to specific Amazon S3 locations (read and write)  The customer-managed policy AWSGlueConsole-S3-read-and-write-policy, which grants read and write access to the specific Amazon S3 locations you selected. For example:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject"
              ],
              "Resource": [
                "arn:aws:s3:::aes-siem-590186200215-log/*",
                "arn:aws:s3:::aes-siem-590186200215-snapshot/*",
                "arn:aws:s3:::aes-siem-590186200215-log",
                "arn:aws:s3:::aes-siem-590186200215-snapshot"
              ],
              "Condition": {
                "StringEquals": {
                  "aws:ResourceAccount": "590186200215"
                }
              }
            }
          ]
        }

  7. Choose Next.

  8. Choose a default AWS Glue service role for your account. A service role is an IAM role that AWS Glue uses to access resources in other AWS services on your behalf. For more information, see Service roles for AWS Glue.

    • When you choose the standard AWS Glue service role, AWS Glue creates a new IAM role in your AWS account named AWSGlueServiceRole with the following managed policies attached. If your account already has an IAM role named AWSGlueServiceRole, AWS Glue attaches these policies to the existing role.

      • AWSGlueServiceRole – This managed policy is required for AWS Glue to access and manage resources on your behalf. It allows AWS Glue to create, update, and delete various resources such as AWS Glue jobs, crawlers, and connections. This policy also grants permissions for AWS Glue to access Amazon CloudWatch logs for logging purposes. For the purposes of getting started, we recommend using this policy to learn how to use AWS Glue. As you get more comfortable with AWS Glue, you can create policies that allow you to fine-tune access to resources as needed.

      • AWSGlueConsoleFullAccess – This managed policy grants full access to the AWS Glue service through the AWS Management Console. This policy grants permissions to perform any operation within AWS Glue, enabling you to create, modify, and delete any AWS Glue resource as needed. However, it's important to note that this policy does not grant permissions to access the underlying data stores or other AWS services that may be involved in the ETL process. Due to the broad scope of permissions granted by the AWSGlueConsoleFullAccess policy, it should be assigned with caution and following the principle of least privilege. It is generally recommended to create and use more granular policies tailored to specific use cases and requirements whenever possible.

      • AWSGlueConsole-S3-read-only-policy – This policy allows AWS Glue to read data from specified Amazon S3 buckets, but it does not grant permissions to write or modify data in Amazon S3 or

      • AWSGlueConsole-S3-read-and-write – This policy allows AWS Glue to read and write data to specified Amazon S3 buckets as part of the ETL process.

    • When you choose an existing IAM role, AWS Glue sets the role as the default, but doesn't add AWSGlueServiceRole permissions to it. Ensure that you've configured the role to use as a service role for AWS Glue. For more information, see Step 1: Create an IAM policy for the AWS Glue service and Step 2: Create an IAM role for AWS Glue.

  9. Choose Next.

  10. Finally, review the permissions you've selected and then choose Apply changes. When you apply the changes, AWS Glue adds IAM permissions to the identities that you selected. You can view or modify the new permissions in the IAM console at https://console.aws.amazon.com/iam/.
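The console steps above generate two kinds of documents: the scoped Amazon S3 permissions policies (read only or read and write) and the service role that AWS Glue assumes. The following Python script is an added example, not AWS's code and not what the console runs internally; it reproduces the shape of those policies from your own inputs so you can generate and review them outside the console, and it adds a small lint function that flags the ways such a policy is commonly widened (wildcard actions, wildcard resources, a missing aws:ResourceAccount condition). The account ID, bucket names, and the aws:SourceAccount condition in the trust policy are constructed assumptions; the page does not show the trust policy the console creates.

```python
import json

# Constructed sample values (not from the page): a documentation-style account ID
# and two hypothetical bucket names.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_BUCKETS = ["example-raw-data", "example-curated-data"]

GLUE_SERVICE_PRINCIPAL = "glue.amazonaws.com"


def s3_resource_arns(buckets):
    """Object ARNs followed by bucket ARNs, in the order the console policies list them."""
    return [f"arn:aws:s3:::{b}/*" for b in buckets] + [f"arn:aws:s3:::{b}" for b in buckets]


def build_s3_policy(buckets, account_id, read_write=False):
    """Reproduce the shape of AWSGlueConsole-S3-read-only-policy / -read-and-write-policy.

    Read only grants s3:GetObject; read and write adds s3:PutObject. The
    aws:ResourceAccount condition pins the grant to buckets owned by your own
    account, so a bucket name that is later released and re-created by another
    account cannot be reached through this policy.
    """
    actions = ["s3:GetObject"] + (["s3:PutObject"] if read_write else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": actions,
                "Resource": s3_resource_arns(buckets),
                "Condition": {"StringEquals": {"aws:ResourceAccount": account_id}},
            }
        ],
    }


def build_glue_trust_policy(account_id):
    """Trust policy for a service role that only the AWS Glue service can assume.

    The aws:SourceAccount condition is an added confused-deputy guard (an
    assumption: the page does not show the trust policy the console creates).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": GLUE_SERVICE_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            }
        ],
    }


def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def lint_s3_policy(policy, account_id):
    """Return findings for Allow statements broader than the console's scoped policies."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append(f"statement {i}: resource wildcard covers every bucket")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("aws:ResourceAccount") != account_id:
            findings.append(f"statement {i}: no aws:ResourceAccount == {account_id} condition")
    return findings


if __name__ == "__main__":
    read_only = build_s3_policy(SAMPLE_BUCKETS, SAMPLE_ACCOUNT_ID)
    print(json.dumps(read_only, indent=2))
    print("findings:", lint_s3_policy(read_only, SAMPLE_ACCOUNT_ID))
    print(json.dumps(build_glue_trust_policy(SAMPLE_ACCOUNT_ID), indent=2))
```

The generated documents can be written to files and passed to the AWS CLI, for example `aws iam create-role --role-name AWSGlueServiceRole --assume-role-policy-document file://trust.json` for the trust policy and `aws iam put-role-policy --policy-document file://s3.json` for the scoped S3 policy; the AWSGlueServiceRole managed policy that step 8 describes is attached with `aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole`. Running `lint_s3_policy` over a policy before attaching it gives a quick check that the Amazon S3 grant stays scoped to the buckets and the account you intended.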

You've now completed the minimum IAM permissions setup for AWS Glue. In a production environment, we recommend that you familiarize yourself with Security in AWS Glue and Identity and access management for AWS Glue to help you secure AWS resources for your use case.

Next steps

Now that you have IAM permissions set up, you can explore the following topics to get started using AWS Glue: