Actions, resources, and condition keys for AWS Glue - Service Authorization Reference

Actions, resources, and condition keys for AWS Glue

AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by AWS Glue

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value in this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column lists a resource type, you can specify an ARN of that type in a statement with that action. Required resource types are marked with an asterisk (*): a statement that grants the action must name an ARN of every required type, otherwise IAM finds no matching resource and the request is denied. For example, GetTable requires catalog, database and table ARNs, so a grant that lists only the table ARN never takes effect. Some actions support multiple resource types; if a resource type is optional (not marked as required), you can include an ARN of that type to narrow the grant or omit it.

For details about the columns in the following table, see Actions table.

Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
BatchCreatePartition | Grants permission to create one or more partitions | Write | catalog*, database*, table* | |
BatchDeleteConnection | Grants permission to delete one or more connections | Write | catalog*, connection* | |
BatchDeletePartition | Grants permission to delete one or more partitions | Write | catalog*, database*, table* | |
BatchDeleteTable | Grants permission to delete one or more tables | Write | catalog*, database*, table* | |
BatchDeleteTableVersion | Grants permission to delete one or more versions of a table | Write | catalog*, database*, table* | |
BatchGetBlueprints | Grants permission to retrieve one or more blueprints | Read | blueprint* | |
BatchGetCrawlers | Grants permission to retrieve one or more crawlers | Read | crawler* | |
BatchGetCustomEntityTypes | Grants permission to retrieve one or more Custom Entity Types | Read | | |
BatchGetDevEndpoints | Grants permission to retrieve one or more development endpoints | Read | devendpoint* | |
BatchGetJobs | Grants permission to retrieve one or more jobs | Read | job* | |
BatchGetPartition | Grants permission to retrieve one or more partitions | Read | catalog*, database*, table* | |
BatchGetTriggers | Grants permission to retrieve one or more triggers | Read | trigger* | |
BatchGetWorkflows | Grants permission to retrieve one or more workflows | Read | workflow* | |
BatchStopJobRun | Grants permission to stop one or more job runs for a job | Write | job* | |
BatchUpdatePartition | Grants permission to update one or more partitions | Write | catalog*, database*, table* | |
CancelMLTaskRun | Grants permission to stop a running ML Task Run | Write | mlTransform* | |
CancelStatement | Grants permission to cancel a statement in an interactive session | Write | session* | |
CheckSchemaVersionValidity | Grants permission to check the validity of a schema version | Read | | |
CreateBlueprint | Grants permission to create a blueprint | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateClassifier | Grants permission to create a classifier | Write | | |
CreateConnection | Grants permission to create a connection | Write | catalog* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateCrawler | Grants permission to create a crawler | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateCustomEntityType | Grants permission to create a Custom Entity Type | Write | | |
CreateDatabase | Grants permission to create a database | Write | catalog* | |
CreateDevEndpoint | Grants permission to create a development endpoint | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateJob | Grants permission to create a job | Write | | aws:RequestTag/${TagKey}, aws:TagKeys, glue:VpcIds, glue:SubnetIds, glue:SecurityGroupIds |
CreateMLTransform | Grants permission to create an ML Transform | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreatePartition | Grants permission to create a partition | Write | catalog*, database*, table* | |
CreatePartitionIndex | Grants permission to create a specified partition index in an existing table | Write | catalog*, database*, table* | |
CreateRegistry | Grants permission to create a new schema registry | Write | registry* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateSchema | Grants permission to create a new schema container | Write | registry*, schema* | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateScript | Grants permission to create a script | Write | | |
CreateSecurityConfiguration | Grants permission to create a security configuration | Write | | |
CreateSession | Grants permission to create an interactive session | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateTable | Grants permission to create a table | Write | catalog*, database* | |
CreateTrigger | Grants permission to create a trigger | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
CreateUserDefinedFunction | Grants permission to create a function definition | Write | catalog*, database* | |
CreateWorkflow | Grants permission to create a workflow | Write | | aws:RequestTag/${TagKey}, aws:TagKeys |
DeleteBlueprint | Grants permission to delete a blueprint | Write | blueprint* | |
DeleteClassifier | Grants permission to delete a classifier | Write | | |
DeleteColumnStatisticsForPartition | Grants permission to delete the partition column statistics of a column | Write | catalog*, database*, table* | |
DeleteColumnStatisticsForTable | Grants permission to delete the table statistics of columns | Write | catalog*, database*, table* | |
DeleteConnection | Grants permission to delete a connection | Write | catalog*, connection* | |
DeleteCrawler | Grants permission to delete a crawler | Write | crawler* | |
DeleteCustomEntityType | Grants permission to delete a Custom Entity Type | Write | | |
DeleteDatabase | Grants permission to delete a database | Write | catalog*, database*, table*, userdefinedfunction* | |
DeleteDevEndpoint | Grants permission to delete a development endpoint | Write | devendpoint* | |
DeleteJob | Grants permission to delete a job | Write | job* | |
DeleteMLTransform | Grants permission to delete an ML Transform | Write | mlTransform* | |
DeletePartition | Grants permission to delete a partition | Write | catalog*, database*, table* | |
DeletePartitionIndex | Grants permission to delete a specified partition index from an existing table | Write | catalog*, database*, table* | |
DeleteRegistry | Grants permission to delete a schema registry | Write | registry* | |
DeleteResourcePolicy | Grants permission to delete a resource policy | Permissions management | catalog* | |
DeleteSchema | Grants permission to delete a schema container | Write | registry*, schema* | |
DeleteSchemaVersions | Grants permission to delete a range of schema versions | Write | registry*, schema* | |
DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | | |
DeleteSession | Grants permission to delete an interactive session, stopping it first if it is not already stopped | Write | session* | |
DeleteTable | Grants permission to delete a table | Write | catalog*, database*, table* | |
DeleteTableVersion | Grants permission to delete a version of a table | Write | catalog*, database*, table* | |
DeleteTrigger | Grants permission to delete a trigger | Write | trigger* | |
DeleteUserDefinedFunction | Grants permission to delete a function definition | Write | catalog*, database*, userdefinedfunction* | |
DeleteWorkflow | Grants permission to delete a workflow | Write | workflow* | |
GetBlueprint | Grants permission to retrieve a blueprint | Read | blueprint* | |
GetBlueprintRun | Grants permission to retrieve a blueprint run | Read | blueprint* | |
GetBlueprintRuns | Grants permission to retrieve all runs of a blueprint | Read | blueprint* | |
GetCatalogImportStatus | Grants permission to retrieve the catalog import status | Read | catalog* | |
GetClassifier | Grants permission to retrieve a classifier | Read | | |
GetClassifiers | Grants permission to list all classifiers | Read | | |
GetColumnStatisticsForPartition | Grants permission to retrieve partition statistics of columns | Read | catalog*, database*, table* | |
GetColumnStatisticsForTable | Grants permission to retrieve table statistics of columns | Read | catalog*, database*, table* | |
GetConnection | Grants permission to retrieve a connection | Read | catalog*, connection* | |
GetConnections | Grants permission to retrieve a list of connections | Read | catalog*, connection* | |
GetCrawler | Grants permission to retrieve a crawler | Read | crawler* | |
GetCrawlerMetrics | Grants permission to retrieve metrics about crawlers | Read | | |
GetCrawlers | Grants permission to retrieve all crawlers | Read | | |
GetCustomEntityType | Grants permission to read a Custom Entity Type | Read | | |
GetDataCatalogEncryptionSettings | Grants permission to retrieve catalog encryption settings | Read | catalog* | |
GetDatabase | Grants permission to retrieve a database | Read | catalog*, database* | |
GetDatabases | Grants permission to retrieve all databases | Read | catalog*, database* | |
GetDataflowGraph | Grants permission to transform a script into a directed acyclic graph (DAG) | Read | | |
GetDevEndpoint | Grants permission to retrieve a development endpoint | Read | devendpoint* | |
GetDevEndpoints | Grants permission to retrieve all development endpoints | Read | | |
GetJob | Grants permission to retrieve a job | Read | job* | |
GetJobBookmark | Grants permission to retrieve a job bookmark | Read | | |
GetJobRun | Grants permission to retrieve a job run | Read | job* | |
GetJobRuns | Grants permission to retrieve all job runs of a job | Read | job* | |
GetJobs | Grants permission to retrieve all current jobs | Read | | |
GetMLTaskRun | Grants permission to retrieve an ML Task Run | Read | mlTransform* | |
GetMLTaskRuns | Grants permission to retrieve all ML Task Runs | List | mlTransform* | |
GetMLTransform | Grants permission to retrieve an ML Transform | Read | mlTransform* | |
GetMLTransforms | Grants permission to retrieve all ML Transforms | List | mlTransform* | |
GetMapping | Grants permission to create a mapping | Read | | |
GetPartition | Grants permission to retrieve a partition | Read | catalog*, database*, table* | |
GetPartitionIndexes | Grants permission to retrieve partition indexes for a table | Read | catalog*, database*, table* | |
GetPartitions | Grants permission to retrieve the partitions of a table | Read | catalog*, database*, table* | |
GetPlan | Grants permission to retrieve a mapping for a script | Read | | |
GetRegistry | Grants permission to retrieve a schema registry | Read | registry* | |
GetResourcePolicies | Grants permission to retrieve resource policies | Read | catalog* | |
GetResourcePolicy | Grants permission to retrieve a resource policy | Read | catalog* | |
GetSchema | Grants permission to retrieve a schema container | Read | registry*, schema* | |
GetSchemaByDefinition | Grants permission to retrieve a schema version based on schema definition | Read | registry*, schema* | |
GetSchemaVersion | Grants permission to retrieve a schema version | Read | registry, schema | |
GetSchemaVersionsDiff | Grants permission to compare two schema versions in schema registry | Read | registry*, schema* | |
GetSecurityConfiguration | Grants permission to retrieve a security configuration | Read | | |
GetSecurityConfigurations | Grants permission to retrieve one or more security configurations | Read | | |
GetSession | Grants permission to retrieve an interactive session | Read | session* | |
GetStatement | Grants permission to retrieve the result of and information about a statement in an interactive session | Read | session* | |
GetTable | Grants permission to retrieve a table | Read | catalog*, database*, table* | |
GetTableVersion | Grants permission to retrieve a version of a table | Read | catalog*, database*, table* | |
GetTableVersions | Grants permission to retrieve a list of versions of a table | Read | catalog*, database*, table* | |
GetTables | Grants permission to retrieve the tables in a database | Read | catalog*, database*, table* | |
GetTags | Grants permission to retrieve all tags associated with a resource | Read | blueprint, crawler, devendpoint, job, trigger, workflow | |
GetTrigger | Grants permission to retrieve a trigger | Read | trigger* | |
GetTriggers | Grants permission to retrieve the triggers associated with a job | Read | | |
GetUserDefinedFunction | Grants permission to retrieve a function definition | Read | catalog*, database*, userdefinedfunction* | |
GetUserDefinedFunctions | Grants permission to retrieve multiple function definitions | Read | catalog*, database*, userdefinedfunction* | |
GetWorkflow | Grants permission to retrieve a workflow | Read | workflow* | |
GetWorkflowRun | Grants permission to retrieve a workflow run | Read | workflow* | |
GetWorkflowRunProperties | Grants permission to retrieve workflow run properties | Read | workflow* | |
GetWorkflowRuns | Grants permission to retrieve all runs of a workflow | Read | workflow* | |
ImportCatalogToGlue | Grants permission to import an Athena data catalog into AWS Glue | Write | catalog* | |
ListBlueprints | Grants permission to retrieve all blueprints | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListCrawlers | Grants permission to retrieve all crawlers | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListCustomEntityTypes | Grants permission to retrieve all Custom Entity Types | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListDevEndpoints | Grants permission to retrieve all development endpoints | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListJobs | Grants permission to retrieve all current jobs | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListMLTransforms | Grants permission to retrieve all ML Transforms | List | mlTransform* | aws:RequestTag/${TagKey}, aws:TagKeys |
ListRegistries | Grants permission to retrieve a list of schema registries | List | | |
ListSchemaVersions | Grants permission to retrieve a list of schema versions | List | registry*, schema* | |
ListSchemas | Grants permission to retrieve a list of schema containers | List | registry | |
ListSessions | Grants permission to retrieve a list of interactive sessions | List | | |
ListStatements | Grants permission to retrieve a list of statements in an interactive session | List | session* | |
ListTriggers | Grants permission to retrieve all triggers | List | | aws:RequestTag/${TagKey}, aws:TagKeys |
ListWorkflows | Grants permission to retrieve all workflows | List | | |
NotifyEvent | Grants permission to send an event to an event-driven workflow | Write | workflow* | |
PutDataCatalogEncryptionSettings | Grants permission to update catalog encryption settings | Write | catalog* | |
PutResourcePolicy | Grants permission to update a resource policy | Permissions management | catalog* | |
PutSchemaVersionMetadata | Grants permission to add metadata to a schema version | Write | registry, schema | |
PutWorkflowRunProperties | Grants permission to update workflow run properties | Write | workflow* | |
QuerySchemaVersionMetadata | Grants permission to fetch metadata for a schema version | List | registry, schema | |
RegisterSchemaVersion | Grants permission to create a new schema version | Write | registry*, schema* | |
RemoveSchemaVersionMetadata | Grants permission to remove metadata from a schema version | Write | registry, schema | |
ResetJobBookmark | Grants permission to reset a job bookmark | Write | | |
ResumeWorkflowRun | Grants permission to resume a workflow run | Write | workflow* | |
RunStatement | Grants permission to run code or a statement in an interactive session | Write | session* | |
SearchTables | Grants permission to retrieve the tables in the catalog | Read | catalog*, database*, table* | |
StartBlueprintRun | Grants permission to start running a blueprint | Write | blueprint* | |
StartCrawler | Grants permission to start a crawler | Write | crawler* | |
StartCrawlerSchedule | Grants permission to change the schedule state of a crawler to SCHEDULED | Write | | |
StartExportLabelsTaskRun | Grants permission to start an Export Labels ML Task Run | Write | mlTransform* | |
StartImportLabelsTaskRun | Grants permission to start an Import Labels ML Task Run | Write | mlTransform* | |
StartJobRun | Grants permission to start running a job | Write | job* | |
StartMLEvaluationTaskRun | Grants permission to start an Evaluation ML Task Run | Write | mlTransform* | |
StartMLLabelingSetGenerationTaskRun | Grants permission to start a Labeling Set Generation ML Task Run | Write | mlTransform* | |
StartTrigger | Grants permission to start a trigger | Write | trigger* | |
StartWorkflowRun | Grants permission to start running a workflow | Write | workflow* | |
StopCrawler | Grants permission to stop a running crawler | Write | crawler* | |
StopCrawlerSchedule | Grants permission to set the schedule state of a crawler to NOT_SCHEDULED | Write | | |
StopSession | Grants permission to stop an interactive session | Write | session* | |
StopTrigger | Grants permission to stop a trigger | Write | trigger* | |
StopWorkflowRun | Grants permission to stop a workflow run | Write | workflow* | |
TagResource | Grants permission to add tags to a resource | Tagging | blueprint, crawler, devendpoint, job, trigger, workflow | aws:TagKeys, aws:RequestTag/${TagKey} |
UntagResource | Grants permission to remove tags associated with a resource | Tagging | blueprint, crawler, devendpoint, job, trigger, workflow | aws:TagKeys, aws:RequestTag/${TagKey} |
UpdateBlueprint | Grants permission to update a blueprint | Write | blueprint* | |
UpdateClassifier | Grants permission to update a classifier | Write | | |
UpdateColumnStatisticsForPartition | Grants permission to update partition statistics of columns | Write | catalog*, database*, table* | |
UpdateColumnStatisticsForTable | Grants permission to update table statistics of columns | Write | catalog*, database*, table* | |
UpdateConnection | Grants permission to update a connection | Write | catalog*, connection* | |
UpdateCrawler | Grants permission to update a crawler | Write | crawler* | |
UpdateCrawlerSchedule | Grants permission to update the schedule of a crawler | Write | | |
UpdateDatabase | Grants permission to update a database | Write | catalog*, database* | |
UpdateDevEndpoint | Grants permission to update a development endpoint | Write | devendpoint* | |
UpdateJob | Grants permission to update a job | Write | job* | glue:VpcIds, glue:SubnetIds, glue:SecurityGroupIds |
UpdateMLTransform | Grants permission to update an ML Transform | Write | mlTransform* | |
UpdatePartition | Grants permission to update a partition | Write | catalog*, database*, table* | |
UpdateRegistry | Grants permission to update a schema registry | Write | registry* | |
UpdateSchema | Grants permission to update a schema container | Write | registry*, schema* | |
UpdateTable | Grants permission to update a table | Write | catalog*, database*, table* | |
UpdateTrigger | Grants permission to update a trigger | Write | trigger* | |
UpdateUserDefinedFunction | Grants permission to update a function definition | Write | catalog*, database*, userdefinedfunction* | |
UpdateWorkflow | Grants permission to update a workflow | Write | workflow* | |
UseMLTransforms | Grants permission to use an ML Transform from within a Glue ETL Script | Write | mlTransform* | |

Resource types defined by AWS Glue

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types | ARN | Condition keys
catalog | arn:${Partition}:glue:${Region}:${Account}:catalog |
database | arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} |
table | arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName} |
tableversion | arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName} |
connection | arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName} |
userdefinedfunction | arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName} |
devendpoint | arn:${Partition}:glue:${Region}:${Account}:devEndpoint/${DevEndpointName} | aws:ResourceTag/${TagKey}
job | arn:${Partition}:glue:${Region}:${Account}:job/${JobName} | aws:ResourceTag/${TagKey}
trigger | arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName} | aws:ResourceTag/${TagKey}
crawler | arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName} | aws:ResourceTag/${TagKey}
workflow | arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName} | aws:ResourceTag/${TagKey}
blueprint | arn:${Partition}:glue:${Region}:${Account}:blueprint/${BlueprintName} | aws:ResourceTag/${TagKey}
mlTransform | arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId} | aws:ResourceTag/${TagKey}
registry | arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName} | aws:ResourceTag/${TagKey}
schema | arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName} | aws:ResourceTag/${TagKey}
session | arn:${Partition}:glue:${Region}:${Account}:session/${SessionId} | aws:ResourceTag/${TagKey}
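The most common mistake with Glue resource-level permissions is a statement that names the table ARN but not the catalog and database ARNs that the actions table marks as required, which leaves the grant unusable. The following added example (not AWS code, and not from this reference) checks a policy statement against the required resource types above by classifying each ARN with the ARN formats in the resource types table. The account ID, region, database and table names, and the subset of actions in REQUIRED_RESOURCE_TYPES are constructed for the example; extend the dictionary from the actions table for the actions you actually grant.

```python
import re

# Resource types from the table above, keyed by the first path segment of the
# ARN's resource part ("table/${DatabaseName}/${TableName}" -> "table").
RESOURCE_TYPE_BY_SEGMENT = {
    "catalog": "catalog", "database": "database", "table": "table",
    "tableVersion": "tableversion", "connection": "connection",
    "userDefinedFunction": "userdefinedfunction", "devEndpoint": "devendpoint",
    "job": "job", "trigger": "trigger", "crawler": "crawler",
    "workflow": "workflow", "blueprint": "blueprint", "mlTransform": "mlTransform",
    "registry": "registry", "schema": "schema", "session": "session",
}

# Required resource types (the ones marked * in the actions table) for a
# subset of actions; extend this from the table for the actions you grant.
REQUIRED_RESOURCE_TYPES = {
    "glue:GetTable": {"catalog", "database", "table"},
    "glue:GetPartitions": {"catalog", "database", "table"},
    "glue:CreateDatabase": {"catalog"},
    "glue:GetConnection": {"catalog", "connection"},
    "glue:StartJobRun": {"job"},
    "glue:DeleteDatabase": {"catalog", "database", "table", "userdefinedfunction"},
}

GLUE_ARN = re.compile(r"^arn:[^:]+:glue:[^:]*:[^:]*:(?P<resource>.+)$")


def resource_type_of(arn):
    """Map an ARN (or ARN wildcard) to a Glue resource type; "*" for a
    wildcard covering every type; None for a non-Glue or malformed ARN."""
    if arn == "*":
        return "*"
    m = GLUE_ARN.match(arn)
    if not m:
        return None
    first = m.group("resource").split("/", 1)[0]
    return "*" if first == "*" else RESOURCE_TYPE_BY_SEGMENT.get(first)


def missing_resource_types(statement):
    """For each known Glue action in a statement, return the required resource
    types that no Resource entry covers. Empty dict means the grant is usable."""
    resources = statement.get("Resource", [])
    actions = statement.get("Action", [])
    resources = [resources] if isinstance(resources, str) else resources
    actions = [actions] if isinstance(actions, str) else actions
    present = {resource_type_of(r) for r in resources}
    if "*" in present:
        return {}
    report = {}
    for action in actions:
        required = REQUIRED_RESOURCE_TYPES.get(action)
        if required:
            missing = required - present
            if missing:
                report[action] = missing
    return report


def audit_policy(policy):
    """Index every Allow statement whose resources cannot satisfy its actions.
    Deny statements are skipped: a narrower Deny is merely a narrower Deny."""
    findings = {}
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            report = missing_resource_types(stmt)
            if report:
                findings[i] = report
    return findings


# Constructed example policy (placeholder account, region, database, table).
# Statement 0 names only the table, so GetTable and GetPartitions can never
# succeed: catalog and database are required too. Statement 1 is the
# corrected grant, still scoped to one database and one table.
ACCOUNT = "123456789012"
TOO_NARROW = {
    "Effect": "Allow",
    "Action": ["glue:GetTable", "glue:GetPartitions"],
    "Resource": f"arn:aws:glue:us-east-1:{ACCOUNT}:table/sales/orders",
}
SCOPED = {
    "Effect": "Allow",
    "Action": ["glue:GetTable", "glue:GetPartitions"],
    "Resource": [
        f"arn:aws:glue:us-east-1:{ACCOUNT}:catalog",
        f"arn:aws:glue:us-east-1:{ACCOUNT}:database/sales",
        f"arn:aws:glue:us-east-1:{ACCOUNT}:table/sales/orders",
    ],
}
POLICY = {"Version": "2012-10-17", "Statement": [TOO_NARROW, SCOPED]}

if __name__ == "__main__":
    for index, report in audit_policy(POLICY).items():
        for action, missing in report.items():
            print(f"Statement {index}: {action} lacks {sorted(missing)} ARN(s)")
```

The catalog ARN carries no name component, so adding it does not widen the grant beyond the account and region; the database and table ARNs are what keep the statement scoped. The check treats a bare "*" as satisfying every required type, which is exactly why "*" is the thing to hunt for in a least-privilege review.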

Condition keys for AWS Glue

AWS Glue defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys | Description | Type
aws:RequestTag/${TagKey} | Filters actions based on the presence of tag key-value pairs in the request | String
aws:ResourceTag/${TagKey} | Filters actions based on tag key-value pairs attached to the resource | String
aws:TagKeys | Filters actions based on the presence of tag keys in the request | ArrayOfString
glue:CredentialIssuingService | Filters access by the service that issued the credentials used in the request | String
glue:RoleAssumedBy | Filters access by the service that obtained the request's credentials by assuming the customer's role | String
glue:SecurityGroupIds | Filters access by the IDs of the security groups configured for the Glue job | ArrayOfString
glue:SubnetIds | Filters access by the IDs of the subnets configured for the Glue job | ArrayOfString
glue:VpcIds | Filters access by the IDs of the VPCs configured for the Glue job | ArrayOfString
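glue:VpcIds, glue:SubnetIds and glue:SecurityGroupIds are multivalued (ArrayOfString) keys that CreateJob and UpdateJob populate from the job's network connections, so they are the keys to use for pinning jobs to an approved VPC. Because they are multivalued, the ForAllValues/ForAnyValue set qualifiers matter: ForAllValues evaluates to true when the key is absent from the request, so an Allow built on it also admits a job that has no VPC connection at all. The following added example (not AWS code; a minimal evaluator of the relevant IAM condition semantics, written for this reference) shows that gap and a guardrail built from two explicit Deny statements instead. The VPC ID is a constructed placeholder, Resource is "*" throughout, and the requirement that every job run through a connection in one approved VPC is an assumed organisational policy.

```python
"""Minimal IAM condition evaluator for the glue:VpcIds family of keys.
Added example; not AWS code. Supports String(Not)Equals, the ForAllValues /
ForAnyValue set qualifiers, and Null, which is all the guardrail needs."""

APPROVED_VPC = "vpc-0a1b2c3d4e5f67890"  # constructed placeholder ID


def _string_op(op, value, policy_values):
    if op == "StringEquals":
        return value in policy_values
    if op == "StringNotEquals":
        return value not in policy_values
    raise ValueError("unsupported operator: " + op)


def condition_matches(condition, context):
    """Evaluate a Condition block against the request context.

    context maps key -> list of values; a key the request does not carry is
    simply absent (for glue:VpcIds: a job with no VPC connection).
    """
    for operator, pairs in condition.items():
        qualifier, _, op = operator.rpartition(":")
        for key, policy_values in pairs.items():
            if not isinstance(policy_values, list):
                policy_values = [policy_values]
            request_values = context.get(key)
            if op == "Null":
                # Null: "true" matches when the key is absent from the request
                expect_absent = str(policy_values[0]).lower() == "true"
                if (request_values is None) != expect_absent:
                    return False
            elif qualifier == "ForAllValues":
                # vacuously true when the key is absent or empty: the pitfall
                if not all(_string_op(op, v, policy_values) for v in request_values or []):
                    return False
            elif qualifier == "ForAnyValue":
                # false when the key is absent: nothing can match
                if not any(_string_op(op, v, policy_values) for v in request_values or []):
                    return False
            else:
                # single-valued operator: an absent key never matches
                if not request_values or not _string_op(op, request_values[0], policy_values):
                    return False
    return True


def decision(statements, action, context):
    """IAM logic for one action with Resource "*": an explicit Deny wins,
    then any matching Allow, otherwise implicit deny."""
    verdict = "ImplicitDeny"
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


# Constructed example: an Allow that looks as if it pins jobs to the approved
# VPC. ForAllValues is vacuously true when glue:VpcIds is absent, so a job
# created with no VPC connection slips through.
LEAKY_ALLOW = {
    "Effect": "Allow",
    "Action": ["glue:CreateJob", "glue:UpdateJob"],
    "Resource": "*",
    "Condition": {"ForAllValues:StringEquals": {"glue:VpcIds": [APPROVED_VPC]}},
}

# Guardrail as two explicit Denies: any foreign VPC, and no VPC at all.
NETWORK_GUARDRAIL = [
    {
        "Effect": "Deny",
        "Action": ["glue:CreateJob", "glue:UpdateJob"],
        "Resource": "*",
        "Condition": {"ForAnyValue:StringNotEquals": {"glue:VpcIds": [APPROVED_VPC]}},
    },
    {
        "Effect": "Deny",
        "Action": ["glue:CreateJob", "glue:UpdateJob"],
        "Resource": "*",
        "Condition": {"Null": {"glue:VpcIds": "true"}},
    },
]


def create_job_decision(statements, vpc_ids):
    """Decision for glue:CreateJob given the VPC IDs the job's connections
    resolve to (None means no VPC connection, so the key is absent)."""
    context = {} if vpc_ids is None else {"glue:VpcIds": list(vpc_ids)}
    return decision(statements, "glue:CreateJob", context)


if __name__ == "__main__":
    guarded = [LEAKY_ALLOW] + NETWORK_GUARDRAIL
    print("allow only, no VPC:   ", create_job_decision([LEAKY_ALLOW], None))
    print("guarded, no VPC:      ", create_job_decision(guarded, None))
    print("guarded, approved VPC:", create_job_decision(guarded, [APPROVED_VPC]))
    print("guarded, extra VPC:   ", create_job_decision(guarded, [APPROVED_VPC, "vpc-0ffffffffffffffff"]))
```

The same pattern applies to glue:SubnetIds and glue:SecurityGroupIds when the approved set is a list of subnets or security groups rather than a VPC. Attach the Deny statements as a service control policy or permissions boundary so that whoever can call CreateJob cannot also edit them away.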