It's outlined in this doc: https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html
Specifically:
Granting cross-account access using an IAM role
The following are the general steps for granting cross-account access using an IAM role:
- An administrator (or other authorized identity) in the account that owns the resource (Account A) creates an IAM role.
- The administrator in Account A attaches a policy to the role that grants cross-account permissions for access to the resource in question.
- The administrator in Account A attaches a trust policy to the role that identifies an IAM identity in a different account (Account B) as the principal who can assume the role. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permission to assume the role.
- An administrator in Account B now delegates permissions to one or more IAM identities in Account B so that they can assume that role. Doing so gives those identities in Account B access to the resource in account A.
For more information about using IAM to delegate permissions, see Access management in the IAM User Guide. For more information about users, groups, roles, and permissions, see Identities (users, groups, and roles) in the IAM User Guide.
For a comparison of these two approaches, see How IAM roles differ from resource-based policies in the IAM User Guide. AWS Glue supports both options, with the restriction that a resource policy can grant access only to Data Catalog resources.
For example, to give the Dev role in Account B access to database db1 in Account A, attach the following resource policy to the catalog in Account A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase"
      ],
      "Principal": {"AWS": [
        "arn:aws:iam::account-B-id:role/Dev"
      ]},
      "Resource": [
        "arn:aws:glue:us-east-1:account-A-id:catalog",
        "arn:aws:glue:us-east-1:account-A-id:database/db1"
      ]
    }
  ]
}
In addition, Account B would have to attach the following IAM policy to the Dev role before it would actually get access to db1 in Account A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:account-A-id:catalog",
        "arn:aws:glue:us-east-1:account-A-id:database/db1"
      ]
    }
  ]
}
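The point of the two policies above is that, for a cross-account request, the Data Catalog resource policy in Account A and the identity policy on the Dev role in Account B must both allow the call; if either is missing, the request is denied. The following is an added example, not code from the answer above or from AWS: a small simulator of that rule, with placeholder account IDs (111111111111 for account-A-id, 222222222222 for account-B-id) and the two policies from the answer embedded as constructed input. It only models Allow/Deny, wildcard matching and a single "AWS" principal list, not the full IAM evaluation logic.

```python
"""Simulate the cross-account rule: BOTH the resource policy in the
resource-owning account (Account A) AND the identity policy in the
caller's account (Account B) must allow the request.

Illustration only (not AWS's evaluation engine). Account IDs and ARNs
below are constructed placeholders.
"""
import fnmatch

ACCOUNT_A = "111111111111"   # placeholder for account-A-id (assumption)
ACCOUNT_B = "222222222222"   # placeholder for account-B-id (assumption)

DEV_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/Dev"
CATALOG_ARN = f"arn:aws:glue:us-east-1:{ACCOUNT_A}:catalog"
DB1_ARN = f"arn:aws:glue:us-east-1:{ACCOUNT_A}:database/db1"

# Resource policy attached to the Data Catalog in Account A (mirrors the answer).
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:GetDatabase"],
        "Principal": {"AWS": [DEV_ROLE_ARN]},
        "Resource": [CATALOG_ARN, DB1_ARN],
    }],
}

# Identity policy attached to the Dev role in Account B (mirrors the answer).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["glue:GetDatabase"],
        "Resource": [CATALOG_ARN, DB1_ARN],
    }],
}

# A policy with no statements: stands in for "no policy attached".
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style '*' wildcards; case-sensitive for simplicity.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None:      # identity policy: principal is implicit
        return True
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return any(p in ("*", principal_arn) for p in aws)


def evaluate(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow', or 'Implicit' when no statement matches."""
    decision = "Implicit"
    for st in policy["Statement"]:
        if not _principal_matches(st, principal_arn):
            continue
        if not _matches(st["Action"], action):
            continue
        if not _matches(st["Resource"], resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        decision = "Allow"
    return decision


def account_of(arn):
    return arn.split(":")[4]


def is_allowed(principal_arn, action, resource,
               resource_policy, identity_policy):
    """Apply the same-account vs. cross-account rule to both policies."""
    r = evaluate(resource_policy, principal_arn, action, resource)
    i = evaluate(identity_policy, principal_arn, action, resource)
    if "Deny" in (r, i):
        return False
    if account_of(principal_arn) != account_of(resource):
        # Cross-account: both the resource owner and the caller's
        # account must explicitly allow the request.
        return r == "Allow" and i == "Allow"
    # Same account: an Allow from either policy is sufficient.
    return "Allow" in (r, i)


if __name__ == "__main__":
    ok = is_allowed(DEV_ROLE_ARN, "glue:GetDatabase", DB1_ARN,
                    RESOURCE_POLICY, IDENTITY_POLICY)
    print("Dev role reads db1 with both policies:", ok)
    print("Dev role reads db1 without the identity policy:",
          is_allowed(DEV_ROLE_ARN, "glue:GetDatabase", DB1_ARN,
                     RESOURCE_POLICY, EMPTY_POLICY))
```

Running it shows the first call allowed and the second denied, which is exactly the situation described in the answer: the catalog resource policy alone is not enough until Account B also attaches the identity policy to the Dev role.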