Getting started with notebooks in AWS Glue Studio - AWS Glue

Getting started with notebooks in AWS Glue Studio

When you start a notebook through AWS Glue Studio, all the configuration steps are done for you so that you can explore your data and start developing your job script after only a few seconds.

The following sections describe how to create a role and grant the appropriate permissions to use notebooks in AWS Glue Studio for ETL jobs.

Granting permissions for the IAM role

Setting up AWS Glue Studio is a prerequisite to using notebooks.

To use notebooks in AWS Glue, your role requires the following:

  • A trust relationship with AWS Glue for the sts:AssumeRole action and, if you use session tags, for the sts:TagSession action as well.

  • An IAM policy containing all the API operations for notebooks, AWS Glue, and interactive sessions.

  • An IAM policy granting iam:PassRole, because the role must be able to pass itself from the notebook to interactive sessions.

For example, when you create a new role, you can add a standard AWS managed policy like AWSGlueConsoleFullAccessRole to the role, and then add a new policy for the notebook operations and another for the IAM PassRole policy.

Actions needed for a trust relationship with AWS Glue

When starting a notebook session, you must add the sts:AssumeRole action to the trust relationship of the role that is passed to the notebook. If your session includes tags, you must also add the sts:TagSession action. Without these actions, the notebook session cannot start.

For example, a trust policy that allows only sts:AssumeRole (add sts:TagSession to the same statement if you use session tags):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "glue.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}

Policies containing the API operations for notebooks

The following sample policy describes the required AWS IAM permissions for notebooks. If you are creating a new role, create a policy that contains the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:StartNotebook",
        "glue:TerminateNotebook",
        "glue:GlueNotebookRefreshCredentials",
        "glue:DeregisterDataPreview",
        "glue:GetNotebookInstanceStatus",
        "glue:GlueNotebookAuthorize"
      ],
      "Resource": "*"
    }
  ]
}

You can use the following IAM policies to allow access to specific resources:

  • AwsGlueSessionUserRestrictedNotebookServiceRole: Provides full access to all AWS Glue resources except for sessions. Allows users to create and use only the notebook sessions that are associated with the user. This policy also includes other permissions needed by AWS Glue to manage AWS Glue resources in other AWS services.

  • AwsGlueSessionUserRestrictedNotebookPolicy: Provides permissions that allow users to create and use only the notebook sessions that are associated with the user. This policy also includes permissions to explicitly allow users to pass a restricted AWS Glue session role.

IAM policy to pass a role

When you create a notebook with a role, that role is then passed to interactive sessions so that the same role can be used in both places. As such, the iam:PassRole permission needs to be part of the role's policy.

Create a new policy for your role using the following example. Replace the account number and the role name with your own, so that the permission is scoped to this role's ARN rather than to every role in the account.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::090000000210:role/<role_name>"
    }
  ]
}
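The three requirements above (the Glue trust relationship, the notebook API actions, and a PassRole scoped to the role itself) can be checked before a role is handed to a notebook. The following Python is an added example, not AWS documentation code: it inspects policy documents as Python dicts, treats the account id 123456789012 and role name GlueNotebookRole as constructed sample values, and does not expand wildcard actions such as those in the AWSGlueConsoleFullAccessRole managed policy.

```python
GLUE_SERVICE = "glue.amazonaws.com"
# Notebook API operations listed on this page; wildcards such as "glue:*" are not expanded.
NOTEBOOK_ACTIONS = {"glue:StartNotebook", "glue:TerminateNotebook", "glue:GlueNotebookRefreshCredentials",
                    "glue:DeregisterDataPreview", "glue:GetNotebookInstanceStatus", "glue:GlueNotebookAuthorize"}

def _as_list(value):  # IAM accepts a single string or a list for Action, Resource and Service
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def glue_trust_actions(trust_policy):
    """Return the sts actions the trust policy grants to the Glue service principal."""
    actions = set()
    for st in _allow_statements(trust_policy):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if GLUE_SERVICE in services:
            actions.update(_as_list(st.get("Action", [])))
    return actions

def check_notebook_role(trust_policy, policies, account_id, role_name, uses_tags=False):
    """Return a list of findings; an empty list means the role meets the page's requirements."""
    findings, trusted = [], glue_trust_actions(trust_policy)
    if "sts:AssumeRole" not in trusted:
        findings.append("trust policy does not allow sts:AssumeRole for glue.amazonaws.com")
    if uses_tags and "sts:TagSession" not in trusted:
        findings.append("session tags are used but the trust policy lacks sts:TagSession")
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    granted, pass_role_ok = set(), False
    for st in (s for p in policies for s in _allow_statements(p)):
        actions, resources = set(_as_list(st.get("Action", []))), set(_as_list(st.get("Resource", [])))
        granted |= actions
        if "iam:PassRole" in actions:
            if "*" in resources:  # would let the notebook pass any role, not only itself
                findings.append("iam:PassRole resource is '*'; scope it to the role's own ARN")
            pass_role_ok |= role_arn in resources
    if NOTEBOOK_ACTIONS - granted:
        findings.append("missing notebook actions: " + ", ".join(sorted(NOTEBOOK_ACTIONS - granted)))
    if not pass_role_ok:
        findings.append(f"no iam:PassRole statement scoped to {role_arn}")
    return findings

# Constructed sample documents (hypothetical account id and role name), mirroring the page's JSON.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": GLUE_SERVICE}, "Action": "sts:AssumeRole"}]}
NOTEBOOK_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": sorted(NOTEBOOK_ACTIONS), "Resource": "*"}]}
PASS_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/GlueNotebookRole"}]}
```

Calling check_notebook_role(TRUST_POLICY, [NOTEBOOK_POLICY, PASS_ROLE_POLICY], "123456789012", "GlueNotebookRole") returns an empty list; passing uses_tags=True against the same trust policy reports the missing sts:TagSession action.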