AWS Glue setup has error glue:GetConnection on resource: arn:aws:glue:us-west-2:876911572231:catalog because no identity-based policy allows the glue:GetConnection action .


I am working on configuring the AWS Glue service and have tried to set up database connections. One is an Oracle database running on Oracle EC2 (source database) and the other is an RDS database running on AWS (target database). After creating the connections, when I am testing the connections:

oracle-xxx failed. DataCatalog Connection issue : User: arn:aws:sts::876911572231:assumed-role/Awsglue/GlueJobRunnerSession is not authorized to perform: glue:GetConnection on resource: arn:aws:glue:us-west-2:876911572231:catalog because no identity-based policy allows the glue:GetConnection action .

postgres-xxxx failed. DataCatalog Connection issue : User: arn:aws:sts::876911572231:assumed-role/Awsglue/GlueJobRunnerSession is not authorized to perform: glue:GetConnection on resource: arn:aws:glue:us-west-2:876911572231:catalog because no identity-based policy allows the glue:GetConnection action .

Please let me know how to fix this issue.

1 Answer

When you test a connection, you specify an IAM role that will be used to access resources. That role needs certain permissions. In your case, it seems you're using a role called Awsglue.

As the error says, that role needs a policy that allows the action glue:GetConnection on the resource arn:aws:glue:us-west-2:xxxxxxxxxxxx:catalog. You'll also need a permission for the same action over those two connections if no policy includes it already.

Typically with AWS Glue, you'd use a role that includes the AWSGlueServiceRole AWS managed policy as described in the Setting up IAM permissions for Glue documentation, although you might want to use self-managed policies for more granular controls.

In that case, in the IAM console, click on Roles, search for Awsglue and click on that role. There you will see all the policies attached to that role. Modify one of those existing attached policies or add a new one that includes that action on the necessary resources (catalog and connections). However, you'll likely need to add more permissions to that role if you are going to use it for other purposes in AWS Glue (e.g.: ETL jobs to write to S3). Check adding identity permissions and Actions, resources, and condition keys for AWS Glue in the IAM documentation for further reference.

Tasio (AWS, EXPERT)
answered 2 years ago
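An added example, not part of the answer above and not AWS's own code: it parses the access-denied message from the question and builds an identity-based policy that allows only the denied action, scoped to the catalog and to named connections rather than to `*`. The function names are hypothetical, and the connection names are placeholders because the page redacts them.

```python
import json
import re

# Error text copied from the question on this page.
ERROR = ("User: arn:aws:sts::876911572231:assumed-role/Awsglue/GlueJobRunnerSession "
         "is not authorized to perform: glue:GetConnection on resource: "
         "arn:aws:glue:us-west-2:876911572231:catalog because no identity-based "
         "policy allows the glue:GetConnection action")

DENIED = re.compile(
    r"User: arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>arn:aws:\S+)")


def parse_denial(message):
    """Extract account, role, action and resource from the denial message."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an assumed-role access-denied message")
    return match.groupdict()


def build_policy(denial, connection_names):
    """Allow only the denied action on the catalog and the listed connections."""
    catalog = denial["resource"]
    if not catalog.endswith(":catalog"):
        raise ValueError("expected a Glue catalog ARN")
    prefix = catalog.rsplit(":", 1)[0]  # arn:aws:glue:<region>:<account>
    resources = [catalog] + [f"{prefix}:connection/{n}" for n in connection_names]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadGlueConnections",
            "Effect": "Allow",
            "Action": denial["action"],
            "Resource": resources,
        }],
    }


if __name__ == "__main__":
    denial = parse_denial(ERROR)
    # Placeholders: substitute the real connection names from the Glue console.
    names = ["ORACLE_CONNECTION_NAME", "POSTGRES_CONNECTION_NAME"]
    print(f"Policy to attach to role {denial['role']}:")
    print(json.dumps(build_policy(denial, names), indent=2))
```

The printed JSON can be pasted into a new inline or customer-managed policy on the role; other Glue actions the role needs later have to be added separately.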
