Policies containing the API operations for registering connection types and creating/using connections - AWS Glue

The following sample IAM policy describes the required permissions for registering, creating, managing and using the REST API connections within AWS Glue ETL jobs. If you are creating a new role, create a policy that contains the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:RegisterConnectionType",
        "glue:ListConnectionTypes",
        "glue:DescribeConnectionType",
        "glue:CreateConnection",
        "glue:RefreshOAuth2Tokens",
        "glue:ListEntities",
        "glue:DescribeEntity"
      ],
      "Resource": "*"
    }
  ]
}

You can also use the following IAM policies to allow access:

  • AWSGlueServiceRole – Grants access to resources that various AWS Glue processes require to run on your behalf. These resources include AWS Glue, Amazon S3, IAM, CloudWatch Logs, and Amazon EC2. If you follow the naming convention for resources specified in this policy, AWS Glue processes have the required permissions. This policy is typically attached to roles specified when defining crawlers, jobs, and development endpoints.

  • AWSGlueConsoleFullAccess – Grants full access to AWS Glue resources when an identity that the policy is attached to uses the AWS Management Console. If you follow the naming convention for resources specified in this policy, users have full console capabilities. This policy is typically attached to users of the AWS Glue console.

If you provide Network Options when creating a REST API connection, the IAM role must also include the following actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "*"
    }
  ]
}
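
The Network Options policy grants the Secrets Manager actions on "Resource": "*", which lets the role read and write every secret in the account. The following Python is an added example, not part of the AWS documentation: it moves those actions into a statement limited to one secret and reports what is still granted on "*". The function names and the secret ARN are assumptions made for illustration; the ARN is a constructed placeholder for the secret your connection actually uses.

```python
import json

# Network Options policy from this page, as a dict.
NETWORK_OPTIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue",
            "secretsmanager:PutSecretValue", "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
        ],
        "Resource": "*",
    }],
}

# Constructed placeholder (assumption): ARN pattern of the connection's secret.
EXAMPLE_SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:111122223333:"
                      "secret:EXAMPLE-rest-connection-??????")

def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def scope_service(policy, service, resources):
    """Move `service` actions that are allowed on "*" into a statement
    limited to `resources`; every other grant is left as it was."""
    prefix, out = service.lower() + ":", []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        hits = [a for a in actions if a.lower().startswith(prefix)]
        on_star = "*" in _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or not on_star or not hits:
            out.append(dict(stmt))  # Deny, NotAction/NotResource, already scoped
            continue
        base = {k: v for k, v in stmt.items() if k != "Sid"}  # Sids must stay unique
        out.append({**base, "Action": hits, "Resource": list(resources)})
        rest = [a for a in actions if a not in hits]
        if rest:
            out.append({**base, "Action": rest})
    return {**policy, "Statement": out}

def wildcard_actions(policy):
    """Actions that an Allow statement still grants on Resource "*"."""
    return [a for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))
            for a in _as_list(s.get("Action", []))]

if __name__ == "__main__":
    scoped = scope_service(NETWORK_OPTIONS_POLICY, "secretsmanager", [EXAMPLE_SECRET_ARN])
    print(json.dumps(scoped, indent=2))
    print("still on *:", wildcard_actions(scoped))
```

The three EC2 network-interface actions remain on "*" in the output; ec2:DescribeNetworkInterfaces does not support resource-level permissions, so that statement cannot be narrowed to specific ARNs in the same way.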