Setting up IAM permissions for AWS Glue
The instructions in this topic help you quickly set up AWS Identity and Access Management (IAM) permissions for AWS Glue. You will complete the following tasks:
- Grant your IAM identities access to AWS Glue resources.
- Create a service role for running jobs, accessing data, and running AWS Glue Data Quality tasks.
For detailed instructions that you can use to customize IAM permissions for AWS Glue, see Configuring IAM permissions for AWS Glue.
To set up IAM permissions for AWS Glue in the AWS Management Console
- Sign in to the AWS Management Console and open the AWS Glue console at https://console.aws.amazon.com/glue/.
- Choose Getting started.
- Under Prepare your account for AWS Glue, choose Set up IAM permissions.
- Choose the IAM identities (roles or users) that you want to give AWS Glue permissions to. AWS Glue attaches the AWSGlueConsoleFullAccess managed policy to these identities. You can skip this step if you want to set these permissions manually or only want to set a default service role.
- Choose Next.
- Choose the level of Amazon S3 access that your roles and users need. The options that you choose in this step are applied to all of the identities that you selected.
  - Under Choose S3 locations, choose the Amazon S3 locations that you want to grant access to.
  - Next, select whether your identities should have Read only (recommended) or Read and write access to the locations that you previously selected. AWS Glue adds permissions policies to your identities based on the combination of locations and read or write permissions you select.
  The following table displays the permissions that AWS Glue attaches for Amazon S3 access.

  If you choose: No change
  AWS Glue attaches: No permissions. AWS Glue won't make any changes to your identity's permissions.

  If you choose: Grant access to specific Amazon S3 locations (read only)
  AWS Glue attaches: An inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide. AWS Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-specific-access-123456780123. The following is an example of an inline policy that AWS Glue attaches to grant read-only access to a specified Amazon S3 location.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::amzn-s3-demo-bucket/*"
                  ]
              }
          ]
      }

  If you choose: Grant access to specific Amazon S3 locations (read and write)
  AWS Glue attaches: An inline policy embedded in your selected IAM identities. For more information, see Inline policies in the IAM User Guide. AWS Glue names the policy using the following convention: AWSGlueConsole<Role/User>InlinePolicy-read-and-write-specific-access-<UUID>. For example: AWSGlueConsoleRoleInlinePolicy-read-and-write-specific-access-123456780123. The following is an example of an inline policy that AWS Glue attaches to grant read and write access to specified Amazon S3 locations.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "s3:Get*",
                      "s3:List*",
                      "s3:*Object*"
                  ],
                  "Resource": [
                      "arn:aws:s3:::amzn-s3-demo-bucket1/*",
                      "arn:aws:s3:::amzn-s3-demo-bucket2/*"
                  ]
              }
          ]
      }

  If you choose: Grant full access to Amazon S3 (read only)
  AWS Glue attaches: The AmazonS3ReadOnlyAccess managed IAM policy. To learn more, see AWS managed policy: AmazonS3ReadOnlyAccess.

  If you choose: Grant full access to Amazon S3 (read and write)
  AWS Glue attaches: The AmazonS3FullAccess managed IAM policy. To learn more, see AWS managed policy: AmazonS3FullAccess.
  - Choose Next.
- Choose a default AWS Glue service role for your account. A service role is an IAM role that AWS Glue uses to access resources in other AWS services on your behalf. For more information, see Service roles for AWS Glue.
  - When you choose the standard AWS Glue service role, AWS Glue creates a new IAM role in your AWS account named AWSGlueServiceRole with the following managed policies attached. If your account already has an IAM role named AWSGlueServiceRole, AWS Glue attaches these policies to the existing role.
    - AWSGlueServiceRole – This managed policy is required for AWS Glue to access and manage resources on your behalf. It allows AWS Glue to create, update, and delete resources such as AWS Glue jobs, crawlers, and connections, and it grants the permissions AWS Glue needs to write logs to Amazon CloudWatch Logs. For the purposes of getting started, we recommend using this policy to learn how to use AWS Glue. As you get more comfortable with AWS Glue, you can create policies that fine-tune access to resources as needed.
    - AmazonS3FullAccess – This managed policy grants AWS Glue complete read and write access to all Amazon S3 buckets and objects the account can reach (s3:* on all resources). This broad access is convenient because AWS Glue may need to interact with multiple Amazon S3 buckets and paths during its operations, and for the purposes of getting started we recommend using it to learn how to use AWS Glue. Keep in mind that any identity able to run a job with this role, including the identities you granted AWSGlueConsoleFullAccess earlier in this procedure, can read and overwrite every object the role can reach. It is therefore a best practice to follow the principle of least privilege and grant more restrictive permissions where possible: create a custom IAM policy that grants access only to the specific Amazon S3 buckets and paths required for your AWS Glue jobs, crawlers, and data sources. This approach requires more effort to manage and update the policy as your AWS Glue usage evolves.
  - When you choose an existing IAM role, AWS Glue sets the role as the default, but doesn't add any permissions to it. Ensure that you've configured the role to use as a service role for AWS Glue: its trust policy must allow the glue.amazonaws.com service principal to assume it, and its permissions policies must cover the resources your jobs, crawlers, and data sources use. For more information, see Step 1: Create an IAM policy for the AWS Glue service and Step 2: Create an IAM role for AWS Glue.
- Choose Next.
- Finally, review the permissions you've selected and then choose Apply changes. When you apply the changes, AWS Glue adds IAM permissions to the identities that you selected. You can view or modify the new permissions in the IAM console at https://console.aws.amazon.com/iam/.
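The Amazon S3 step above describes the inline policy documents and the naming convention the console uses, but not what those documents actually permit. The following added example (not code from the AWS Glue console or AWS documentation) builds both documents from a bucket list and an access mode, names them by the convention shown, and runs a small Allow-only matcher over them to show two practical consequences: s3:*Object* in the read-and-write document matches every object action, including s3:DeleteObject and s3:PutObjectAcl, and a document whose only resources are bucket/* does not match s3:ListBucket, which IAM evaluates against the bucket ARN itself. The least_privilege_policy function is this example's own tighter variant, not something the console writes. Bucket names, the key prefix, and the UUID suffix are constructed placeholders.

```python
"""Added example (not AWS Glue console code): build the Amazon S3 inline
policies the console attaches, name them by its convention, and check what
each document really allows. Bucket names and UUID suffixes are constructed."""
import fnmatch
import uuid

# Action lists exactly as in the two policy documents shown on the page
READ_ACTIONS = ["s3:Get*", "s3:List*"]
READ_WRITE_ACTIONS = ["s3:Get*", "s3:List*", "s3:*Object*"]


def inline_policy_name(identity_type, mode, suffix=None):
    """AWSGlueConsole<Role/User>InlinePolicy-<mode>-specific-access-<UUID>."""
    if identity_type not in ("Role", "User"):
        raise ValueError("identity_type must be 'Role' or 'User'")
    if mode not in ("read", "read-and-write"):
        raise ValueError("mode must be 'read' or 'read-and-write'")
    suffix = suffix or uuid.uuid4().hex[:12]  # the console uses a UUID; stub here
    return f"AWSGlueConsole{identity_type}InlinePolicy-{mode}-specific-access-{suffix}"


def console_style_policy(buckets, mode):
    """Same shape as the page's documents: object-level ARNs (bucket/*) only."""
    actions = READ_ACTIONS if mode == "read" else READ_WRITE_ACTIONS
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": list(actions),
        "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
    }]}


def least_privilege_policy(buckets, mode, prefix=""):
    """Tighter variant (this example's suggestion, not what the console writes):
    explicit object actions instead of s3:*Object*, a bucket-ARN statement so
    s3:ListBucket is covered, and an optional key prefix that scopes both."""
    object_actions = ["s3:GetObject"]
    if mode == "read-and-write":
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    list_stmt = {"Effect": "Allow", "Action": ["s3:ListBucket"],
                 "Resource": [f"arn:aws:s3:::{b}" for b in buckets]}
    if prefix:  # restrict listing to the same prefix the object statement allows
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    return {"Version": "2012-10-17", "Statement": [
        list_stmt,
        {"Effect": "Allow", "Action": object_actions,
         "Resource": [f"arn:aws:s3:::{b}/{prefix}*" for b in buckets]},
    ]}


def _iam_match(pattern, value, case_insensitive=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """Allow-only evaluator sufficient for these documents: True when some
    Allow statement matches both the action (case-insensitive, as IAM does)
    and the resource ARN. Deny statements and Conditions are not modelled,
    so this is a sanity check, not a replacement for the IAM policy simulator."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(_iam_match(a, action, True) for a in actions) and \
           any(_iam_match(r, resource) for r in resources):
            return True
    return False


if __name__ == "__main__":
    rw = console_style_policy(["amzn-s3-demo-bucket1", "amzn-s3-demo-bucket2"], "read-and-write")
    print(inline_policy_name("Role", "read-and-write", "123456780123"))
    # s3:*Object* is wider than "write": it also matches DeleteObject, PutObjectAcl, ...
    print("DeleteObject allowed:", allows(rw, "s3:DeleteObject", "arn:aws:s3:::amzn-s3-demo-bucket1/a.csv"))
    ro = console_style_policy(["amzn-s3-demo-bucket"], "read")
    # ListBucket is evaluated against the bucket ARN, which bucket/* does not match
    print("ListBucket allowed:", allows(ro, "s3:ListBucket", "arn:aws:s3:::amzn-s3-demo-bucket"))
```

If a job or crawler using the read-only document fails to enumerate a prefix, the missing bucket-ARN statement is the first thing to check; the IAM policy simulator gives the authoritative answer, since the matcher here ignores Deny statements, Conditions, and bucket policies.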
You've now completed the minimum IAM permissions setup for AWS Glue. In a production environment, we recommend that you familiarize yourself with Security in AWS Glue and Identity and access management for AWS Glue to help you secure AWS resources for your use case.
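The service role step above is what the console does when you pick the standard role: create AWSGlueServiceRole if it is absent, reuse it if it exists, and attach the AWSGlueServiceRole and AmazonS3FullAccess managed policies. The following added example (this page's editor's code, not AWS Glue console code) performs the same setup through the IAM API with boto3, and also covers the earlier step of attaching AWSGlueConsoleFullAccess to an identity. It takes the IAM client as a parameter so the policy documents can be built and checked offline; the aws:SourceAccount condition in the trust policy is this example's own hardening against cross-service confused-deputy calls and is not part of what the console writes by default. The account ID, the user name, the bucket name and the inline policy name GlueScopedS3Access are constructed placeholders.

```python
"""Added example (not AWS Glue console code): create or reuse the default
AWS Glue service role the way the console does, optionally with a scoped S3
policy instead of AmazonS3FullAccess. Documents are built offline; IAM is
only called through the client you pass in. Account ID, user name and
bucket name below are constructed placeholders."""
import json

ROLE_NAME = "AWSGlueServiceRole"
SCOPED_S3_POLICY_NAME = "GlueScopedS3Access"   # name chosen for this example
# AWS managed policy ARNs for the policies named on the page
GLUE_CONSOLE_FULL_ACCESS = "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
GLUE_SERVICE_ROLE_POLICY = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
S3_FULL_ACCESS = "arn:aws:iam::aws:policy/AmazonS3FullAccess"


def glue_trust_policy(account_id=None):
    """Trust policy a Glue service role needs: only glue.amazonaws.com may
    assume it. The aws:SourceAccount condition is extra hardening (confused
    deputy protection) added by this example, not the console default."""
    stmt = {"Effect": "Allow",
            "Principal": {"Service": "glue.amazonaws.com"},
            "Action": "sts:AssumeRole"}
    if account_id:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": account_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def grant_console_access(iam, identity_type, name):
    """Step 'Choose the IAM identities': attach AWSGlueConsoleFullAccess to a
    user or role. Note this policy lets the identity pass AWSGlueServiceRole*
    roles to Glue, so it inherits whatever S3 reach the service role has."""
    if identity_type == "User":
        iam.attach_user_policy(UserName=name, PolicyArn=GLUE_CONSOLE_FULL_ACCESS)
    elif identity_type == "Role":
        iam.attach_role_policy(RoleName=name, PolicyArn=GLUE_CONSOLE_FULL_ACCESS)
    else:
        raise ValueError("identity_type must be 'User' or 'Role'")
    return (identity_type, name, GLUE_CONSOLE_FULL_ACCESS)


def ensure_service_role(iam, account_id=None, s3_policy_document=None):
    """Mirror the console's 'standard service role' choice: create
    AWSGlueServiceRole if it does not exist, otherwise reuse it; attach the
    AWSGlueServiceRole managed policy; then either attach AmazonS3FullAccess
    (the console default) or put the scoped inline policy you supplied.
    Returns the list of actions taken so the caller can log or assert on them."""
    actions = []
    try:
        iam.get_role(RoleName=ROLE_NAME)
        actions.append(("reuse", ROLE_NAME))
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(
            RoleName=ROLE_NAME,
            AssumeRolePolicyDocument=json.dumps(glue_trust_policy(account_id)),
            Description="Default service role for AWS Glue",
        )
        actions.append(("create", ROLE_NAME))
    # attach_role_policy is idempotent, so rerunning on an existing role is safe
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=GLUE_SERVICE_ROLE_POLICY)
    actions.append(("attach", GLUE_SERVICE_ROLE_POLICY))
    if s3_policy_document is None:
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=S3_FULL_ACCESS)
        actions.append(("attach", S3_FULL_ACCESS))
    else:
        iam.put_role_policy(RoleName=ROLE_NAME, PolicyName=SCOPED_S3_POLICY_NAME,
                            PolicyDocument=json.dumps(s3_policy_document))
        actions.append(("inline", SCOPED_S3_POLICY_NAME))
    return actions


if __name__ == "__main__":
    import boto3  # real credentials required; nothing above needs the network
    iam = boto3.client("iam")
    grant_console_access(iam, "User", "glue-developer")  # placeholder user name
    # Least-privilege replacement for AmazonS3FullAccess, scoped to one bucket
    scoped = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"]},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"]}]}
    for step in ensure_service_role(iam, account_id="123456789012", s3_policy_document=scoped):
        print(step)
```

When reusing an existing role, this mirrors the console and only adds policies; it does not remove an AmazonS3FullAccess attachment that is already there, so after switching to a scoped document, list the role's attached policies and detach the managed one yourself.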
Next steps
Now that you have IAM permissions set up, you can explore the following topics to get started using AWS Glue: