1 Answer
Your understanding is correct. When configuring cross-account access to AWS Glue data catalogs, additional permissions are indeed required beyond what is explicitly outlined in the AWS documentation. Specifically:
- The owner account needs to grant access to the individual S3 buckets to the borrower's account, in addition to the Glue catalog permissions described in the documentation.
- This additional step involves attaching permissions to the S3 bucket's resource policies.
- You were only able to successfully query the Glue catalog table in the owner's account from the borrower's account after granting these additional S3 bucket permissions.

This requirement aligns with AWS's security model, which separates permissions for metadata access (Glue catalog) from permissions for actual data access (S3 buckets). The documentation may not explicitly highlight this step, but it is crucial for full cross-account functionality.
To summarize the complete process:
- Configure Glue catalog permissions as described in the AWS documentation.
- Additionally, grant the borrower account access to the relevant S3 buckets in the owner account.
- Update the S3 bucket resource policies in the owner account to allow access from the borrower account.

This comprehensive approach ensures that the borrower account has both the necessary metadata access through Glue and the actual data access through S3, enabling successful cross-account queries.
answered a month ago
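As an added illustration of the two-layer grant the answer describes (not code from the answerer or from AWS), the following script builds the two resource policies the owner account has to publish, a Glue Data Catalog resource policy for the metadata layer and an S3 bucket policy for the data layer, and includes a small checker that reports which required actions the borrower account is still missing. Account IDs, the region, the database name and the bucket name are constructed placeholders; the IAM actions and ARN formats are the standard ones for Glue and S3.

```python
import json

# Constructed placeholder identifiers (not taken from the original post).
OWNER_ACCOUNT = "111111111111"     # owns the Glue catalog and the S3 bucket
BORROWER_ACCOUNT = "222222222222"  # wants to query the owner's catalog tables
REGION = "us-east-1"
DATABASE = "sales_db"
BUCKET = "owner-data-bucket"

# Read-only catalog actions: enough to resolve a table to its S3 location.
GLUE_READ_ACTIONS = [
    "glue:GetDatabase", "glue:GetDatabases",
    "glue:GetTable", "glue:GetTables",
    "glue:GetPartition", "glue:GetPartitions",
]
# Data-plane actions: needed to actually read the files the table points at.
S3_READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]


def glue_catalog_policy(owner, borrower, region, database):
    """Glue Data Catalog resource policy (set in the owner account) granting
    the borrower account metadata access to one database and its tables."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountCatalogRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{borrower}:root"},
            "Action": GLUE_READ_ACTIONS,
            "Resource": [
                f"arn:aws:glue:{region}:{owner}:catalog",
                f"arn:aws:glue:{region}:{owner}:database/{database}",
                f"arn:aws:glue:{region}:{owner}:table/{database}/*",
            ],
        }],
    }


def s3_bucket_policy(borrower, bucket):
    """S3 bucket policy (set in the owner account) granting the borrower
    account read access to the data the catalog tables reference."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "CrossAccountDataRead",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{borrower}:root"},
            "Action": S3_READ_ACTIONS,
            "Resource": [
                f"arn:aws:s3:::{bucket}",    # s3:ListBucket targets the bucket ARN
                f"arn:aws:s3:::{bucket}/*",  # s3:GetObject targets the object ARNs
            ],
        }],
    }


def _allowed_actions(policy, principal_arn):
    """Actions a policy explicitly allows the given principal.
    Simplified evaluator: literal action names only, Allow statements only."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def missing_grants(borrower, policies):
    """Required actions the borrower account is still not granted across the
    supplied resource policies. Empty list = both metadata and data layers are open."""
    principal = f"arn:aws:iam::{borrower}:root"
    granted = set()
    for policy in policies:
        granted |= _allowed_actions(policy, principal)
    required = set(GLUE_READ_ACTIONS) | set(S3_READ_ACTIONS)
    return sorted(required - granted)


if __name__ == "__main__":
    glue = glue_catalog_policy(OWNER_ACCOUNT, BORROWER_ACCOUNT, REGION, DATABASE)
    s3 = s3_bucket_policy(BORROWER_ACCOUNT, BUCKET)
    print(json.dumps(glue, indent=2))
    print(json.dumps(s3, indent=2))
    # Catalog policy alone: metadata resolves, but the data reads still fail.
    print("missing with catalog policy only:", missing_grants(BORROWER_ACCOUNT, [glue]))
    # Both policies: nothing missing on the owner side.
    print("missing with both policies:", missing_grants(BORROWER_ACCOUNT, [glue, s3]))
```

The printed documents can be applied in the owner account with `aws glue put-resource-policy --policy-in-json` and `aws s3api put-bucket-policy --bucket <bucket> --policy`. The checker makes the answer's point visible: with only the catalog policy in place the report still lists `s3:GetObject` and `s3:ListBucket`, which is exactly the state in which the table is visible but the query fails. One caveat the post does not spell out: the resource policies above are only the owner's half of a cross-account grant; the role or user doing the querying in the borrower account also needs an identity-based policy allowing the same Glue and S3 actions on those resources.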