Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS Glue - specific IAM permissions

0

Hello.

I am trying to configure specific iam permission for an user. I need a permission for only read tables from existing Data Catalog. So, I have configured this policiy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glue:SearchTables",
                "glue:GetDatabase",
                "glue:GetPartition",
                "glue:GetTables",
                "glue:GetPartitions",
                "glue:GetDatabases",
                "glue:GetTable"
            ],
            "Resource": [
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*",
                "arn:aws:glue:*:*:table/*/*"
            ]
        }
    ]
}

But, no errors appear in aws console, but data is not visible. IAM policy simulator says: "denied Implicitly denied (no matching statements).", but I dont understand what is missing. Is there any way to validate what is missing or where is the error?

I have tried to give AdministratorAccess to this user, but the same issue, data is no visible, so I have a question: as I have not configured AWS Glue from the beginning, could AWS Glue have been configured for allowing access to some roles or users? how?

Thanks.

Topics
AnalyticsSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementAWS GlueIAM Policies
Language
English
asked 2 years ago626 views
1 Answer
0

Hello Orlando,

Based on the information provided, it seems that the issue you're facing could be related to resource-based policies in AWS Glue Data Catalog.

AWS Glue supports resource-based policies that can be attached to individual databases and tables in the Data Catalog. These resource policies can further restrict access to specific resources, even if the IAM policy allows access.

In addition to the IAM policy you've configured, you need to ensure that the resource-based policies attached to the databases and tables you're trying to access allow the necessary permissions.

Resource-based policies in AWS Glue Data Catalog are JSON policy documents that specify the principal (IAM user, role, or account) and the actions they are allowed or denied to perform on the resource (database or table). These policies are attached directly to the resource and are evaluated in addition to the IAM policies.

To validate if resource-based policies are causing the issue, you can follow these steps:

  1. Use the AWS CLI or AWS Glue Console to list the databases and tables in the Data Catalog.

  2. For each database or table you're trying to access, use the get-resource-policy command in the AWS CLI or the AWS Glue Console to retrieve the resource-based policy attached to that resource.

  3. Review the resource-based policy and ensure that it allows the necessary permissions for the IAM user or role you're using. The policy should include a statement that grants the glue:GetDatabase, glue:GetTables, glue:GetTable, glue:GetPartitions, and glue:GetPartition actions to the IAM user or role.

  4. If the resource-based policy does not allow the necessary permissions, you'll need to update the policy or create a new policy that grants the required permissions.

  5. Use the put-resource-policy command in the AWS CLI or the AWS Glue Console to attach the updated or new resource-based policy to the database or table.

Additionally, the documentation mentions that AWS Glue also supports service-linked roles, which are predefined IAM roles that grant AWS Glue the necessary permissions to access other AWS services on your behalf. If you're using AWS Glue Crawlers or other AWS Glue features that interact with other AWS services, you might need to ensure that the service-linked role has the necessary permissions to access the Data Catalog resources.

By reviewing and updating the resource-based policies and ensuring that the service-linked roles have the necessary permissions, you should be able to resolve the issue and allow the IAM user to read tables from the existing Data Catalog.

AWS Documentation references : https://docs.aws.amazon.com/glue/latest/dg/security_iam_service-with-iam.html?icmpid=docs_console_unmapped#security_iam_service-with-iam-resource-based-policies https://docs.aws.amazon.com/glue/latest/dg/security_iam_resource-based-policy-examples.html

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content