Policy config for Firehose format conversion glue access

Question

I'm looking to set up format conversion for my firehose delivery stream. The configuration involves specifying a role with access to glue to determine the output schema. I haven't been able to find the exact requirements for this role anywhere in the docs, the only descriptor is "The role that Kinesis Data Firehose can use to access AWS Glue."

What actions/resources does a policy need to specify for firehose to be able to use the role for format conversion?

Answer

Hello,

I understand that you have been having issues specifying the appropriate policy to give Firehose permission to access AWS glue for format conversion.

The below statement, which can be added to your current policy, is taken from the official AWS documentation [1]:

Grant Kinesis  Data  Firehose Access to AWS Glue for Data Format Conversion

If your delivery stream performs data-format conversion, Kinesis Data Firehose references table definitions stored in AWS Glue. To give Kinesis Data Firehose the necessary access to AWS Glue, add the following statement to your policy. For information on how to find the ARN of the table, see Specifying AWS Glue Resource ARNs (https://docs.aws.amazon.com/glue/latest/dg/glue-specifying-resource-arns.html).

{
  "Effect": "Allow",
  "Action": [
    "glue:GetTable",
    "glue:GetTableVersion",
    "glue:GetTableVersions"
  ],
  "Resource": "table-arn"
}

[1]Controlling Access with Amazon Kinesis Data Firehose - Amazon Kinesis Data Firehose (https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-glue)

Please let me know if this response helps to resolve your issue or if you have any other questions.

Policy config for Firehose format conversion glue access

Relevant content