Actions, resources, and condition keys for AWS Glue - Service Authorization Reference

Actions, resources, and condition keys for AWS Glue

AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Glue

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
BatchCreatePartition Grants permission to create one or more partitions Write

catalog*

database*

table*

BatchDeleteConnection Grants permission to delete one or more connections Write

catalog*

connection*

BatchDeletePartition Grants permission to delete one or more partitions Write

catalog*

database*

table*

BatchDeleteTable Grants permission to delete one or more tables Write

catalog*

database*

table*

BatchDeleteTableVersion Grants permission to delete one or more versions of a table Write

catalog*

database*

table*

BatchGetBlueprints Grants permission to retrieve one or more blueprints Read

blueprint*

BatchGetCrawlers Grants permission to retrieve one or more crawlers Read

crawler*

BatchGetCustomEntityTypes Grants permission to retrieve one or more Custom Entity Types Read
BatchGetDevEndpoints Grants permission to retrieve one or more development endpoints Read

devendpoint*

BatchGetJobs Grants permission to retrieve one or more jobs Read

job*

BatchGetPartition Grants permission to retrieve one or more partitions Read

catalog*

database*

table*

BatchGetStageFiles Grants permission to batch get stage files for SparkUI Permissions management
BatchGetTableOptimizer Grants permission to return the configuration for the specified table optimizers Read

catalog*

glue:GetTable

database*

table*

BatchGetTriggers Grants permission to retrieve one or more triggers Read

trigger*

BatchGetWorkflows Grants permission to retrieve one or more workflows Read

workflow*

BatchStopJobRun Grants permission to stop one or more job runs for a job Write

job*

BatchUpdatePartition Grants permission to update one or more partitions Write

catalog*

database*

table*

CancelDataQualityRuleRecommendationRun Grants permission to stop a running Data Quality rule recommendation run Write

dataQualityRuleset*

CancelDataQualityRulesetEvaluationRun Grants permission to stop a running Data Quality ruleset evaluation run Write

dataQualityRuleset*

CancelMLTaskRun Grants permission to stop a running ML Task Run Write

mlTransform*

CancelStatement Grants permission to cancel a statement in an interactive session Write

session*

CheckSchemaVersionValidity Grants permission to retrieve a check the validity of schema version Read
CreateBlueprint Grants permission to create a blueprint Write

blueprint*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateClassifier Grants permission to create a classifier Write
CreateConnection Grants permission to create a connection Write

catalog*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCrawler Grants permission to create a crawler Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCustomEntityType Grants permission to create a Custom Entity Type Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataQualityRuleset Grants permission to create a Data Quality ruleset Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDatabase Grants permission to create a database Write

catalog*

database*

CreateDevEndpoint Grants permission to create a development endpoint Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateJob Grants permission to create a job Write

job*

aws:RequestTag/${TagKey}

aws:TagKeys

glue:VpcIds

glue:SubnetIds

glue:SecurityGroupIds

CreateMLTransform Grants permission to create an ML Transform Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePartition Grants permission to create a partition Write

catalog*

database*

table*

CreatePartitionIndex Grants permission to create a specified partition index in an existing table Write

catalog*

database*

table*

CreateRegistry Grants permission to create a new schema registry Write

registry*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSchema Grants permission to create a new schema container Write

registry*

schema*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateScript Grants permission to create a script Write
CreateSecurityConfiguration Grants permission to create a security configuration Write
CreateSession Grants permission to create an interactive session Write

session*

aws:RequestTag/${TagKey}

aws:TagKeys

glue:VpcIds

glue:SubnetIds

glue:SecurityGroupIds

CreateTable Grants permission to create a table Write

catalog*

database*

table*

CreateTableOptimizer Grants permission to create a new table optimizer for a specific function. Compaction is the only currently supported optimizer type Write

catalog*

glue:GetTable

database*

table*

CreateTrigger Grants permission to create a trigger Write

trigger*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUsageProfile Grants permission to create a usage profile Write

usageProfile*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateUserDefinedFunction Grants permission to create a function definition Write

catalog*

database*

CreateWorkflow Grants permission to create a workflow Write

workflow*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteBlueprint Grants permission to delete a blueprint Write

blueprint*

DeleteClassifier Grants permission to delete a classifier Write
DeleteColumnStatisticsForPartition Grants permission to delete the partition column statistics of a column Write

catalog*

database*

table*

DeleteColumnStatisticsForTable Grants permission to delete the table statistics of columns Write

catalog*

database*

table*

DeleteConnection Grants permission to delete a connection Write

catalog*

connection*

DeleteCrawler Grants permission to delete a crawler Write

crawler*

DeleteCustomEntityType Grants permission to delete a Custom Entity Type Write
DeleteDataQualityRuleset Grants permission to delete a Data Quality ruleset Write

dataQualityRuleset*

DeleteDatabase Grants permission to delete a database Write

catalog*

database*

table*

userdefinedfunction*

DeleteDevEndpoint Grants permission to delete a development endpoint Write

devendpoint*

DeleteJob Grants permission to delete a job Write

job*

DeleteMLTransform Grants permission to delete an ML Transform Write

mlTransform*

DeletePartition Grants permission to delete a partition Write

catalog*

database*

table*

DeletePartitionIndex Grants permission to delete a specified partition index from an existing table Write

catalog*

database*

table*

DeleteRegistry Grants permission to delete a schema registry Write

registry*

DeleteResourcePolicy Grants permission to delete a resource policy Permissions management

catalog*

DeleteSchema Grants permission to delete a schema container Write

registry*

schema*

DeleteSchemaVersions Grants permission to delete a range of schema versions Write

registry*

schema*

DeleteSecurityConfiguration Grants permission to delete a security configuration Write
DeleteSession Grants permission to delete an interactive session after stopping the session if not already stopped Write

session*

DeleteTable Grants permission to delete a table Write

catalog*

database*

table*

DeleteTableOptimizer Grants permission to delete an optimizer and all associated metadata for a table. The optimization will no longer be performed on the table Write

catalog*

glue:GetTable

database*

table*

DeleteTableVersion Grants permission to delete a version of a table Write

catalog*

database*

table*

DeleteTrigger Grants permission to delete a trigger Write

trigger*

DeleteUsageProfile Grants permission to delete a usage profile Write

usageProfile*

DeleteUserDefinedFunction Grants permission to delete a function definition Write

catalog*

database*

userdefinedfunction*

DeleteWorkflow Grants permission to delete a workflow Write

workflow*

DeregisterDataPreview Grants permission to terminate Glue Studio Notebook session Permissions management
DescribeConnectionType Grants permission to describe connection type in glue studio Permissions management
DescribeEntity Grants permission to describe entity in glue studio Permissions management

catalog*

connection*

GetBlueprint Grants permission to retrieve a blueprint Read

blueprint*

GetBlueprintRun Grants permission to retrieve a blueprint run Read

blueprint*

GetBlueprintRuns Grants permission to retrieve all runs of a blueprint Read

blueprint*

GetCatalogImportStatus Grants permission to retrieve the catalog import status Read

catalog*

GetClassifier Grants permission to retrieve a classifier Read
GetClassifiers Grants permission to list all classifiers Read
GetColumnStatisticsForPartition Grants permission to retrieve partition statistics of columns Read

catalog*

database*

table*

GetColumnStatisticsForTable Grants permission to retrieve table statistics of columns Read

catalog*

database*

table*

GetColumnStatisticsTaskRun Grants permission to retrieve Column Statistics run information for the table based on run-id Read
GetColumnStatisticsTaskRuns Grants permission to retrieve Column Statistics run information for the table based on run-ids Read
GetCompletion Grants permission to get generated response for a completion request in Glue from AWS Q Read

completion*

GetConnection Grants permission to retrieve a connection Read

catalog*

connection*

GetConnections Grants permission to retrieve a list of connections Read

catalog*

connection*

GetCrawler Grants permission to retrieve a crawler Read

crawler*

GetCrawlerMetrics Grants permission to retrieve metrics about crawlers Read
GetCrawlers Grants permission to retrieve all crawlers Read
GetCustomEntityType Grants permission to read a Custom Entity Type Read
GetDataCatalogEncryptionSettings Grants permission to retrieve catalog encryption settings Read

catalog*

GetDataPreviewStatement Grants permission to get Data Preview Statement Permissions management
GetDataQualityModel Grants permission to retrieve the training status of the prediction model for a statistic Read

dataQualityRuleset*

job*

GetDataQualityModelResult Grants permission to retrieve the predictions for a statistic from the latest model Read

dataQualityRuleset*

job*

GetDataQualityResult Grants permission to retrieve a Data Quality result Read

dataQualityRuleset*

GetDataQualityRuleRecommendationRun Grants permission to retrieve a Data Quality rule recommendation run Read

dataQualityRuleset*

GetDataQualityRuleset Grants permission to retrieve a Data Quality ruleset Read

dataQualityRuleset*

GetDataQualityRulesetEvaluationRun Grants permission to retrieve a Data Quality rule recommendation run Read

dataQualityRuleset*

GetDatabase Grants permission to retrieve a database Read

catalog*

database*

GetDatabases Grants permission to retrieve all databases Read

catalog*

database*

GetDataflowGraph Grants permission to transform a script into a directed acyclic graph (DAG) Read
GetDevEndpoint Grants permission to retrieve a development endpoint Read

devendpoint*

GetDevEndpoints Grants permission to retrieve all development endpoints Read
GetEnvironment Grants permission to get environment details for SparkUI Permissions management
GetExecutors Grants permission to get executors for SparkUI Permissions management
GetExecutorsThreads Grants permission to get executor threads for SparkUI Permissions management
GetJob Grants permission to retrieve a job Read

job*

GetJobBookmark Grants permission to retrieve a job bookmark Read
GetJobRun Grants permission to retrieve a job run Read

job*

GetJobRuns Grants permission to retrieve all job runs of a job Read

job*

GetJobs Grants permission to retrieve all current jobs Read
GetLogParsingStatus Grants permission to get log parsing status for SparkUI Permissions management
GetMLTaskRun Grants permission to retrieve an ML Task Run Read

mlTransform*

GetMLTaskRuns Grants permission to retrieve all ML Task Runs List

mlTransform*

GetMLTransform Grants permission to retrieve an ML Transform Read

mlTransform*

GetMLTransforms Grants permission to retrieve all ML Transforms List

mlTransform*

GetMapping Grants permission to create a mapping Read
GetNotebookInstanceStatus Grants permission to retrieve Glue Studio Notebooks session status Permissions management
GetPartition Grants permission to retrieve a partition Read

catalog*

database*

table*

GetPartitionIndexes Grants permission to retrieve partition indexes for a table Read

catalog*

database*

table*

GetPartitions Grants permission to retrieve the partitions of a table Read

catalog*

database*

table*

GetPlan Grants permission to retrieve a mapping for a script Read
GetQueries Grants permission to get queries for SparkUI Permissions management
GetQuery Grants permission to get a specific query for SparkUI Permissions management
GetRecipeAction Grants permission to get the result of a Data Preparation Recipe statement Permissions management
GetRegistry Grants permission to retrieve a schema registry Read

registry*

GetResourcePolicies Grants permission to retrieve resource policies Read

catalog*

GetResourcePolicy Grants permission to retrieve a resource policy Read

catalog*

GetSchema Grants permission to retrieve a schema container Read

registry*

schema*

GetSchemaByDefinition Grants permission to retrieve a schema version based on schema definition Read

registry*

schema*

GetSchemaVersion Grants permission to retrieve a schema version Read

registry

schema

GetSchemaVersionsDiff Grants permission to compare two schema versions in schema registry Read

registry*

schema*

GetSecurityConfiguration Grants permission to retrieve a security configuration Read
GetSecurityConfigurations Grants permission to retrieve one or more security configurations Read
GetSession Grants permission to retrieve an interactive session Read

session*

GetStage Grants permission to get a stage for SparkUI Permissions management
GetStageAttempt Grants permission to get a stage attempt for SparkUI Permissions management
GetStageAttemptTaskList Grants permission to get the task list for a stage attempt for SparkUI Permissions management
GetStageAttemptTaskSummary Grants permission to get the task summary for a stage attempt for SparkUI Permissions management
GetStageFiles Grants permission to get stage files for SparkUI Permissions management
GetStages Grants permission to get stages for SparkUI Permissions management
GetStatement Grants permission to retrieve result and information about a statement in an interactive session Read

session*

GetStorage Grants permission to get storage details for SparkUI Permissions management
GetStorageUnit Grants permission to get storage unit details for SparkUI Permissions management
GetTable Grants permission to retrieve a table Read

catalog*

database*

table*

GetTableOptimizer Grants permission to return the configuration of all optimizers associated with a specified table Read

catalog*

glue:GetTable

database*

table*

GetTableVersion Grants permission to retrieve a version of a table Read

catalog*

database*

table*

GetTableVersions Grants permission to retrieve a list of versions of a table Read

catalog*

database*

table*

GetTables Grants permission to retrieve the tables in a database Read

catalog*

database*

table*

GetTags Grants permission to retrieve all tags associated with a resource Read

blueprint

crawler

customEntityType

devendpoint

job

trigger

usageProfile

workflow

GetTrigger Grants permission to retrieve a trigger Read

trigger*

GetTriggers Grants permission to retrieve the triggers associated with a job Read
GetUsageProfile Grants permission to retrieve a usage profile Read

usageProfile*

GetUserDefinedFunction Grants permission to retrieve a function definition Read

catalog*

database*

userdefinedfunction*

GetUserDefinedFunctions Grants permission to retrieve multiple function definitions Read

catalog*

database*

userdefinedfunction*

GetWorkflow Grants permission to retrieve a workflow Read

workflow*

GetWorkflowRun Grants permission to retrieve a workflow run Read

workflow*

GetWorkflowRunProperties Grants permission to retrieve workflow run properties Read

workflow*

GetWorkflowRuns Grants permission to retrieve all runs of a workflow Read

workflow*

GlueNotebookAuthorize Grants permission to access Glue Studio Notebooks Permissions management
GlueNotebookRefreshCredentials Grants permission to refresh Glue Studio Notebooks credentials Permissions management
ImportCatalogToGlue Grants permission to import an Athena data catalog into AWS Glue Write

catalog*

ListBlueprints Grants permission to retrieve all blueprints List
ListColumnStatisticsTaskRuns Grants permission to list all Column Statistics run-ids that have been executed for the account Read
ListConnectionTypes Grants permission to list connection types in glue studio Permissions management
ListCrawlers Grants permission to retrieve all crawlers List
ListCrawls Grants permission to retrieve crawl run history for a crawler List
ListCustomEntityTypes Grants permission to retrieve all Custom Entity Types List
ListDataQualityResults Grants permission to retrieve all Data Quality results List

dataQualityRuleset*

ListDataQualityRuleRecommendationRuns Grants permission to retrieve all Data Quality rule recommendation runs List

dataQualityRuleset*

ListDataQualityRulesetEvaluationRuns Grants permission to retrieve all Data Quality rule recommendation runs List

dataQualityRuleset*

ListDataQualityRulesets Grants permission to retrieve a list of Data Quality rulesets List

dataQualityRuleset*

ListDevEndpoints Grants permission to retrieve all development endpoints List
ListEntities Grants permission to list entities in glue studio Permissions management

catalog*

connection*

ListJobs Grants permission to retrieve all current jobs List
ListMLTransforms Grants permission to retrieve all ML Transforms List

mlTransform*

ListRegistries Grants permission to retrieve a list of schema registries List
ListSchemaVersions Grants permission to retrieve a list of schema versions List

registry*

schema*

ListSchemas Grants permission to retrieve a list of schema containers List

registry

ListSessions Grants permission to retrieve a list of interactive session List
ListStatements Grants permission to retrieve a list of statements in an interactive session List

session*

ListTableOptimizerRuns Grants permission to list the history of previous optimizer runs for a specific table List

catalog*

glue:GetTable

database*

table*

ListTriggers Grants permission to retrieve all triggers List
ListUsageProfiles Grants permission to retrieve a list of usage profiles List
ListWorkflows Grants permission to retrieve all workflows List
NotifyEvent Grants permission to notify an event to the event-driven workflow Write

workflow*

PassConnection [permission only] Grants permission to pass glue connection name in input for APIs that require them Write

connection*

PublishDataQuality [permission only] Grants permission to publish Data Quality results Write

dataQualityRuleset*

PutDataCatalogEncryptionSettings Grants permission to update catalog encryption settings Write

catalog*

PutDataQualityProfileAnnotation Grants permission to annotate all datapoints for a profile Write

dataQualityRuleset*

job*

PutDataQualityStatisticAnnotation Grants permission to annotate datapoints over time for a specific data quality statistic Write

dataQualityRuleset*

job*

PutResourcePolicy Grants permission to update a resource policy Permissions management

catalog*

PutSchemaVersionMetadata Grants permission to add metadata to schema version Write

registry

schema

PutWorkflowRunProperties Grants permission to update workflow run properties Write

workflow*

QuerySchemaVersionMetadata Grants permission to fetch metadata for a schema version List

registry

schema

RefreshOAuth2Tokens Grants permission to refresh the oauth2 tokens for connection during job execution Permissions management

catalog*

connection*

RegisterSchemaVersion Grants permission to create a new schema version Write

registry*

schema*

RemoveSchemaVersionMetadata Grants permission to remove metadata from schema version Write

registry

schema

RequestLogParsing Grants permission to request log parsing for SparkUI Permissions management
ResetJobBookmark Grants permission to reset a job bookmark Write
ResumeWorkflowRun Grants permission to resume a workflow run Write

workflow*

RunDataPreviewStatement Grants permission to run Data Preview Statement Permissions management
RunStatement Grants permission to run a code or statement in an interactive session Write

session*

SearchTables Grants permission to retrieve the tables in the catalog Read

catalog*

database*

table*

SendFeedback Grants permission to provide feedback about a glue completion experience in AWS Q Write
SendRecipeAction Grants permission to execute a Data Preparation Recipe statement in data preview Permissions management
StartBlueprintRun Grants permission to start running a blueprint Write

blueprint*

StartColumnStatisticsTaskRun Grants permission to start a run for generating Column Statistics for the table Write

database*

glue:GetSecurityConfiguration

glue:GetTable

table*

StartCompletion Grants permission to create a completion request in Glue for AWS Q experience Write
StartCrawler Grants permission to start a crawler Write

crawler*

StartCrawlerSchedule Grants permission to change the schedule state of a crawler to SCHEDULED Write
StartDataQualityRuleRecommendationRun Grants permission to start a Data Quality rule recommendation run Write

dataQualityRuleset*

StartDataQualityRulesetEvaluationRun Grants permission to start a Data Quality rule recommendation run Write

dataQualityRuleset*

StartExportLabelsTaskRun Grants permission to start an Export Labels ML Task Run Write

mlTransform*

StartImportLabelsTaskRun Grants permission to start an Import Labels ML Task Run Write

mlTransform*

StartJobRun Grants permission to start running a job Write

job*

StartMLEvaluationTaskRun Grants permission to start an Evaluation ML Task Run Write

mlTransform*

StartMLLabelingSetGenerationTaskRun Grants permission to start a Labeling Set Generation ML Task Run Write

mlTransform*

StartNotebook Grants permission to start Glue Studio Notebooks Permissions management
StartTrigger Grants permission to start a trigger Write

trigger*

StartWorkflowRun Grants permission to start running a workflow Write

workflow*

StopColumnStatisticsTaskRun Grants permission to stop execution for Column Statistics run Write

database*

table*

StopCrawler Grants permission to stop a running crawler Write

crawler*

StopCrawlerSchedule Grants permission to set the schedule state of a crawler to NOT_SCHEDULED Write
StopSession Grants permission to stop an interactive session Write

session*

StopTrigger Grants permission to stop a trigger Write

trigger*

StopWorkflowRun Grants permission to stop a workflow run Write

workflow*

TagResource Grants permission to add tags to a resource Tagging

blueprint

connection

crawler

customEntityType

dataQualityRuleset

devendpoint

job

mlTransform

registry

schema

session

trigger

usageProfile

workflow

aws:TagKeys

aws:RequestTag/${TagKey}

TerminateNotebook Grants permission to terminate Glue Studio Notebooks Permissions management
TestConnection Grants permission to test connection in Glue Studio Permissions management
UntagResource Grants permission to remove tags associated with a resource Tagging

blueprint

connection

crawler

customEntityType

dataQualityRuleset

devendpoint

job

mlTransform

registry

schema

session

trigger

usageProfile

workflow

aws:TagKeys

UpdateBlueprint Grants permission to update a blueprint Write

blueprint*

UpdateClassifier Grants permission to update a classifier Write
UpdateColumnStatisticsForPartition Grants permission to update partition statistics of columns Write

catalog*

database*

table*

UpdateColumnStatisticsForTable Grants permission to update table statistics of columns Write

catalog*

database*

table*

UpdateConnection Grants permission to update a connection Write

catalog*

connection*

UpdateCrawler Grants permission to update a crawler Write

crawler*

UpdateCrawlerSchedule Grants permission to update the schedule of a crawler Write
UpdateDataQualityRuleset Grants permission to update a Data Quality ruleset Write

dataQualityRuleset*

UpdateDatabase Grants permission to update a database Write

catalog*

database*

UpdateDevEndpoint Grants permission to update a development endpoint Write

devendpoint*

UpdateJob Grants permission to update a job Write

job*

glue:VpcIds

glue:SubnetIds

glue:SecurityGroupIds

UpdateJobFromSourceControl Grants permission to update a job from source control provider Write

job*

UpdateMLTransform Grants permission to update an ML Transform Write

mlTransform*

UpdatePartition Grants permission to update a partition Write

catalog*

database*

table*

UpdateRegistry Grants permission to update a schema registry Write

registry*

UpdateSchema Grants permission to update a schema container Write

registry*

schema*

UpdateSourceControlFromJob Grants permission to update source control provider from a job Write

job*

UpdateTable Grants permission to update a table Write

catalog*

database*

table*

UpdateTableOptimizer Grants permission to update the configuration for an existing table optimizer Write

catalog*

glue:GetTable

database*

table*

UpdateTrigger Grants permission to update a trigger Write

trigger*

UpdateUsageProfile Grants permission to update a usage profile Write

usageProfile*

UpdateUserDefinedFunction Grants permission to update a function definition Write

catalog*

database*

userdefinedfunction*

UpdateWorkflow Grants permission to update a workflow Write

workflow*

UseGlueStudio Grants permission to use Glue Studio and access its internal APIs Permissions management
UseMLTransforms [permission only] Grants permission to use an ML Transform from within a Glue ETL Script Write

mlTransform*

Resource types defined by AWS Glue

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
catalog arn:${Partition}:glue:${Region}:${Account}:catalog
database arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName}
table arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName}
tableversion arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName}
connection arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName}

aws:ResourceTag/${TagKey}

userdefinedfunction arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName}
devendpoint arn:${Partition}:glue:${Region}:${Account}:devEndpoint/${DevEndpointName}

aws:ResourceTag/${TagKey}

job arn:${Partition}:glue:${Region}:${Account}:job/${JobName}

aws:ResourceTag/${TagKey}

trigger arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName}

aws:ResourceTag/${TagKey}

crawler arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName}

aws:ResourceTag/${TagKey}

workflow arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName}

aws:ResourceTag/${TagKey}

blueprint arn:${Partition}:glue:${Region}:${Account}:blueprint/${BlueprintName}

aws:ResourceTag/${TagKey}

mlTransform arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId}

aws:ResourceTag/${TagKey}

registry arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName}

aws:ResourceTag/${TagKey}

schema arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName}

aws:ResourceTag/${TagKey}

session arn:${Partition}:glue:${Region}:${Account}:session/${SessionId}

aws:ResourceTag/${TagKey}

usageProfile arn:${Partition}:glue:${Region}:${Account}:usageProfile/${UsageProfileId}

aws:ResourceTag/${TagKey}

dataQualityRuleset arn:${Partition}:glue:${Region}:${Account}:dataQualityRuleset/${RulesetName}

aws:ResourceTag/${TagKey}

customEntityType arn:${Partition}:glue:${Region}:${Account}:customEntityType/${CustomEntityTypeId}

aws:ResourceTag/${TagKey}

completion arn:${Partition}:glue:${Region}:${Account}:completion/${CompletionId}

Condition keys for AWS Glue

AWS Glue defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the presence of tag keys in the request ArrayOfString
glue:CredentialIssuingService Filters access by the service from which the credentials of the request is issued String
glue:RoleAssumedBy Filters access by the service from which the credentials of the request is obtained by assuming the customer role String
glue:SecurityGroupIds Filters access by the ID of security groups configured for the Glue job ArrayOfString
glue:SubnetIds Filters access by the ID of subnets configured for the Glue job ArrayOfString
glue:VpcIds Filters access by the ID of the VPC configured for the Glue job ArrayOfString