Actions, resources, and condition keys for AWS Glue
AWS Glue (service prefix: glue) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by AWS Glue
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AuthorizeInboundIntegration [permission only] | Grants permission to Glue to continuously validate that the target ARN can receive data replicated from the source ARN | Write | |||
BatchCreatePartition | Grants permission to create one or more partitions | Write | |||
BatchDeleteConnection | Grants permission to delete one or more connections | Write | |||
BatchDeletePartition | Grants permission to delete one or more partitions | Write | |||
BatchDeleteTable | Grants permission to delete one or more tables | Write | |||
BatchDeleteTableVersion | Grants permission to delete one or more versions of a table | Write | |||
BatchGetBlueprints | Grants permission to retrieve one or more blueprints | Read | |||
BatchGetCrawlers | Grants permission to retrieve one or more crawlers | Read | |||
BatchGetCustomEntityTypes | Grants permission to retrieve one or more Custom Entity Types | Read | |||
BatchGetDevEndpoints | Grants permission to retrieve one or more development endpoints | Read | |||
BatchGetJobs | Grants permission to retrieve one or more jobs | Read | |||
BatchGetPartition | Grants permission to retrieve one or more partitions | Read | |||
BatchGetStageFiles | Grants permission to batch get stage files for SparkUI | Permissions management | |||
BatchGetTableOptimizer | Grants permission to return the configuration for the specified table optimizers | Read | | | glue:GetTable |
BatchGetTriggers | Grants permission to retrieve one or more triggers | Read | |||
BatchGetWorkflows | Grants permission to retrieve one or more workflows | Read | |||
BatchStopJobRun | Grants permission to stop one or more job runs for a job | Write | |||
BatchUpdatePartition | Grants permission to update one or more partitions | Write | |||
CancelDataQualityRuleRecommendationRun | Grants permission to stop a running Data Quality rule recommendation run | Write | |||
CancelDataQualityRulesetEvaluationRun | Grants permission to stop a running Data Quality ruleset evaluation run | Write | |||
CancelMLTaskRun | Grants permission to stop a running ML Task Run | Write | |||
CancelStatement | Grants permission to cancel a statement in an interactive session | Write | |||
CheckSchemaVersionValidity | Grants permission to check the validity of a schema version | Read | |||
CreateBlueprint | Grants permission to create a blueprint | Write | |||
CreateCatalog | Grants permission to create a catalog | Write | |||
CreateClassifier | Grants permission to create a classifier | Write | |||
CreateColumnStatisticsTaskSettings | Grants permission to create settings for a column statistics task | Write | |||
CreateConnection | Grants permission to create a connection | Write | |||
CreateCrawler | Grants permission to create a crawler | Write | |||
CreateCustomEntityType | Grants permission to create a Custom Entity Type | Write | |||
CreateDataQualityRuleset | Grants permission to create a Data Quality ruleset | Write | |||
CreateDatabase | Grants permission to create a database | Write | |||
CreateDevEndpoint | Grants permission to create a development endpoint | Write | |||
CreateInboundIntegration [permission only] | Grants permission to the source principal to create an inbound integration for data to be replicated from the source into the target | Write | |||
CreateIntegration | Grants permission to create an integration | Write | | | kms:CreateGrant kms:DescribeKey |
CreateIntegrationResourceProperty | Grants permission to create integration resource property | Write | |||
CreateIntegrationTableProperties | Grants permission to create integration table properties | Write | |||
CreateJob | Grants permission to create a job | Write | |||
CreateMLTransform | Grants permission to create an ML Transform | Write | |||
CreatePartition | Grants permission to create a partition | Write | |||
CreatePartitionIndex | Grants permission to create a specified partition index in an existing table | Write | |||
CreateRegistry | Grants permission to create a new schema registry | Write | |||
CreateSchema | Grants permission to create a new schema container | Write | |||
CreateScript | Grants permission to create a script | Write | |||
CreateSecurityConfiguration | Grants permission to create a security configuration | Write | |||
CreateSession | Grants permission to create an interactive session | Write | |||
CreateTable | Grants permission to create a table | Write | |||
CreateTableOptimizer | Grants permission to create a new table optimizer for a specific function. Compaction is the only currently supported optimizer type | Write | | | glue:GetTable |
CreateTrigger | Grants permission to create a trigger | Write | |||
CreateUsageProfile | Grants permission to create a usage profile | Write | |||
CreateUserDefinedFunction | Grants permission to create a function definition | Write | |||
CreateWorkflow | Grants permission to create a workflow | Write | |||
DeleteBlueprint | Grants permission to delete a blueprint | Write | |||
DeleteCatalog | Grants permission to delete a catalog | Write | |||
DeleteClassifier | Grants permission to delete a classifier | Write | |||
DeleteColumnStatisticsForPartition | Grants permission to delete the partition column statistics of a column | Write | |||
DeleteColumnStatisticsForTable | Grants permission to delete the table statistics of columns | Write | |||
DeleteColumnStatisticsTaskSettings | Grants permission to delete settings for a column statistics task | Write | |||
DeleteConnection | Grants permission to delete a connection | Write | |||
DeleteCrawler | Grants permission to delete a crawler | Write | |||
DeleteCustomEntityType | Grants permission to delete a Custom Entity Type | Write | |||
DeleteDataQualityRuleset | Grants permission to delete a Data Quality ruleset | Write | |||
DeleteDatabase | Grants permission to delete a database | Write | |||
DeleteDevEndpoint | Grants permission to delete a development endpoint | Write | |||
DeleteIntegration | Grants permission to delete an integration | Write | |||
DeleteIntegrationTableProperties | Grants permission to delete integration table properties | Write | |||
DeleteJob | Grants permission to delete a job | Write | |||
DeleteMLTransform | Grants permission to delete an ML Transform | Write | |||
DeletePartition | Grants permission to delete a partition | Write | |||
DeletePartitionIndex | Grants permission to delete a specified partition index from an existing table | Write | |||
DeleteRegistry | Grants permission to delete a schema registry | Write | |||
DeleteResourcePolicy | Grants permission to delete a resource policy | Permissions management | |||
DeleteSchema | Grants permission to delete a schema container | Write | |||
DeleteSchemaVersions | Grants permission to delete a range of schema versions | Write | |||
DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | |||
DeleteSession | Grants permission to delete an interactive session after stopping the session if not already stopped | Write | |||
DeleteTable | Grants permission to delete a table | Write | |||
DeleteTableOptimizer | Grants permission to delete an optimizer and all associated metadata for a table. The optimization will no longer be performed on the table | Write | | | glue:GetTable |
DeleteTableVersion | Grants permission to delete a version of a table | Write | |||
DeleteTrigger | Grants permission to delete a trigger | Write | |||
DeleteUsageProfile | Grants permission to delete a usage profile | Write | |||
DeleteUserDefinedFunction | Grants permission to delete a function definition | Write | |||
DeleteWorkflow | Grants permission to delete a workflow | Write | |||
DeregisterDataPreview | Grants permission to terminate Glue Studio Notebook session | Permissions management | |||
DescribeConnectionType | Grants permission to describe connection type in glue studio | Permissions management | |||
DescribeEntity | Grants permission to describe entity in glue studio | Permissions management | |||
DescribeInboundIntegrations | Grants permission to list the inbound integrations | List | |||
DescribeIntegrations | Grants permission to describe zero-ETL integrations | List | |||
GetBlueprint | Grants permission to retrieve a blueprint | Read | |||
GetBlueprintRun | Grants permission to retrieve a blueprint run | Read | |||
GetBlueprintRuns | Grants permission to retrieve all runs of a blueprint | Read | |||
GetCatalog | Grants permission to retrieve a catalog | Read | |||
GetCatalogImportStatus | Grants permission to retrieve the catalog import status | Read | |||
GetCatalogs | Grants permission to retrieve all catalogs | Read | |||
GetClassifier | Grants permission to retrieve a classifier | Read | |||
GetClassifiers | Grants permission to list all classifiers | Read | |||
GetColumnStatisticsForPartition | Grants permission to retrieve partition statistics of columns | Read | |||
GetColumnStatisticsForTable | Grants permission to retrieve table statistics of columns | Read | |||
GetColumnStatisticsTaskRun | Grants permission to retrieve Column Statistics run information for the table based on run-id | Read | |||
GetColumnStatisticsTaskRuns | Grants permission to retrieve Column Statistics run information for the table based on run-ids | Read | |||
GetColumnStatisticsTaskSettings | Grants permission to retrieve settings for a column statistics task | Read | |||
GetCompletion | Grants permission to get generated response for a completion request in Glue from AWS Q | Read | |||
GetConnection | Grants permission to retrieve a connection | Read | |||
GetConnections | Grants permission to retrieve a list of connections | Read | |||
GetCrawler | Grants permission to retrieve a crawler | Read | |||
GetCrawlerMetrics | Grants permission to retrieve metrics about crawlers | Read | |||
GetCrawlers | Grants permission to retrieve all crawlers | Read | |||
GetCustomEntityType | Grants permission to read a Custom Entity Type | Read | |||
GetDashboardUrl | Grants permission to generate presigned url for accessing spark live UI | Read | |||
GetDataCatalogEncryptionSettings | Grants permission to retrieve catalog encryption settings | Read | |||
GetDataPreviewStatement | Grants permission to get Data Preview Statement | Permissions management | |||
GetDataQualityModel | Grants permission to retrieve the training status of the prediction model for a statistic | Read | |||
GetDataQualityModelResult | Grants permission to retrieve the predictions for a statistic from the latest model | Read | |||
GetDataQualityResult | Grants permission to retrieve a Data Quality result | Read | |||
GetDataQualityRuleRecommendationRun | Grants permission to retrieve a Data Quality rule recommendation run | Read | |||
GetDataQualityRuleset | Grants permission to retrieve a Data Quality ruleset | Read | |||
GetDataQualityRulesetEvaluationRun | Grants permission to retrieve a Data Quality rule recommendation run | Read | |||
GetDatabase | Grants permission to retrieve a database | Read | |||
GetDatabases | Grants permission to retrieve all databases | Read | |||
GetDataflowGraph | Grants permission to transform a script into a directed acyclic graph (DAG) | Read | |||
GetDevEndpoint | Grants permission to retrieve a development endpoint | Read | |||
GetDevEndpoints | Grants permission to retrieve all development endpoints | Read | |||
GetEntityRecords | Grants permission to preview entity records in glue | Read | |||
GetEnvironment | Grants permission to get environment details for SparkUI | Permissions management | |||
GetExecutors | Grants permission to get executors for SparkUI | Permissions management | |||
GetExecutorsThreads | Grants permission to get executor threads for SparkUI | Permissions management | |||
GetGeneratedCode | Transforms a directed acyclic graph (DAG) into code | Read | |||
GetIntegrationResourceProperty | Grants permission to retrieve the integration resource property | Read | |||
GetIntegrationTableProperties | Grants permission to retrieve the integration table properties | Read | |||
GetJob | Grants permission to retrieve a job | Read | |||
GetJobBookmark | Grants permission to retrieve a job bookmark | Read | |||
GetJobRun | Grants permission to retrieve a job run | Read | |||
GetJobRuns | Grants permission to retrieve all job runs of a job | Read | |||
GetJobs | Grants permission to retrieve all current jobs | Read | |||
GetLogParsingStatus | Grants permission to get log parsing status for SparkUI | Permissions management | |||
GetMLTaskRun | Grants permission to retrieve an ML Task Run | Read | |||
GetMLTaskRuns | Grants permission to retrieve all ML Task Runs | List | |||
GetMLTransform | Grants permission to retrieve an ML Transform | Read | |||
GetMLTransforms | Grants permission to retrieve all ML Transforms | List | |||
GetMapping | Grants permission to create a mapping | Read | |||
GetNotebookInstanceStatus | Grants permission to retrieve Glue Studio Notebooks session status | Permissions management | |||
GetPartition | Grants permission to retrieve a partition | Read | |||
GetPartitionIndexes | Grants permission to retrieve partition indexes for a table | Read | |||
GetPartitions | Grants permission to retrieve the partitions of a table | Read | |||
GetPlan | Grants permission to retrieve a mapping for a script | Read | |||
GetQueries | Grants permission to get queries for SparkUI | Permissions management | |||
GetQuery | Grants permission to get a specific query for SparkUI | Permissions management | |||
GetRecipeAction | Grants permission to get the result of a Data Preparation Recipe statement | Permissions management | |||
GetRegistry | Grants permission to retrieve a schema registry | Read | |||
GetResourcePolicies | Grants permission to retrieve resource policies | Read | |||
GetResourcePolicy | Grants permission to retrieve a resource policy | Read | |||
GetSchema | Grants permission to retrieve a schema container | Read | |||
GetSchemaByDefinition | Grants permission to retrieve a schema version based on schema definition | Read | |||
GetSchemaVersion | Grants permission to retrieve a schema version | Read | |||
GetSchemaVersionsDiff | Grants permission to compare two schema versions in schema registry | Read | |||
GetSecurityConfiguration | Grants permission to retrieve a security configuration | Read | |||
GetSecurityConfigurations | Grants permission to retrieve one or more security configurations | Read | |||
GetSession | Grants permission to retrieve an interactive session | Read | |||
GetStage | Grants permission to get a stage for SparkUI | Permissions management | |||
GetStageAttempt | Grants permission to get a stage attempt for SparkUI | Permissions management | |||
GetStageAttemptTaskList | Grants permission to get the task list for a stage attempt for SparkUI | Permissions management | |||
GetStageAttemptTaskSummary | Grants permission to get the task summary for a stage attempt for SparkUI | Permissions management | |||
GetStageFiles | Grants permission to get stage files for SparkUI | Permissions management | |||
GetStages | Grants permission to get stages for SparkUI | Permissions management | |||
GetStatement | Grants permission to retrieve result and information about a statement in an interactive session | Read | |||
GetStorage | Grants permission to get storage details for SparkUI | Permissions management | |||
GetStorageUnit | Grants permission to get storage unit details for SparkUI | Permissions management | |||
GetTable | Grants permission to retrieve a table | Read | |||
GetTableOptimizer | Grants permission to return the configuration of all optimizers associated with a specified table | Read | | | glue:GetTable |
GetTableVersion | Grants permission to retrieve a version of a table | Read | |||
GetTableVersions | Grants permission to retrieve a list of versions of a table | Read | |||
GetTables | Grants permission to retrieve the tables in a database | Read | |||
GetTags | Grants permission to retrieve all tags associated with a resource | Read | |||
GetTrigger | Grants permission to retrieve a trigger | Read | |||
GetTriggers | Grants permission to retrieve the triggers associated with a job | Read | |||
GetUsageProfile | Grants permission to retrieve a usage profile | Read | |||
GetUserDefinedFunction | Grants permission to retrieve a function definition | Read | |||
GetUserDefinedFunctions | Grants permission to retrieve multiple function definitions | Read | |||
GetWorkflow | Grants permission to retrieve a workflow | Read | |||
GetWorkflowRun | Grants permission to retrieve a workflow run | Read | |||
GetWorkflowRunProperties | Grants permission to retrieve workflow run properties | Read | |||
GetWorkflowRuns | Grants permission to retrieve all runs of a workflow | Read | |||
GlueNotebookAuthorize | Grants permission to access Glue Studio Notebooks | Permissions management | |||
GlueNotebookRefreshCredentials | Grants permission to refresh Glue Studio Notebooks credentials | Permissions management | |||
ImportCatalogToGlue | Grants permission to import an Athena data catalog into AWS Glue | Write | |||
ListBlueprints | Grants permission to retrieve all blueprints | List | |||
ListColumnStatisticsTaskRuns | Grants permission to list all Column Statistics run-ids that have been executed for the account | Read | |||
ListConnectionTypes | Grants permission to list connection types in glue studio | Permissions management | |||
ListCrawlers | Grants permission to retrieve all crawlers | List | |||
ListCrawls | Grants permission to retrieve crawl run history for a crawler | List | |||
ListCustomEntityTypes | Grants permission to retrieve all Custom Entity Types | List | |||
ListDataQualityResults | Grants permission to retrieve all Data Quality results | List | |||
ListDataQualityRuleRecommendationRuns | Grants permission to retrieve all Data Quality rule recommendation runs | List | |||
ListDataQualityRulesetEvaluationRuns | Grants permission to retrieve all Data Quality rule recommendation runs | List | |||
ListDataQualityRulesets | Grants permission to retrieve a list of Data Quality rulesets | List | |||
ListDevEndpoints | Grants permission to retrieve all development endpoints | List | |||
ListEntities | Grants permission to list entities in glue studio | Permissions management | |||
ListJobs | Grants permission to retrieve all current jobs | List | |||
ListMLTransforms | Grants permission to retrieve all ML Transforms | List | |||
ListRegistries | Grants permission to retrieve a list of schema registries | List | |||
ListSchemaVersions | Grants permission to retrieve a list of schema versions | List | |||
ListSchemas | Grants permission to retrieve a list of schema containers | List | |||
ListSessions | Grants permission to retrieve a list of interactive sessions | List | |||
ListStatements | Grants permission to retrieve a list of statements in an interactive session | List | |||
ListTableOptimizerRuns | Grants permission to list the history of previous optimizer runs for a specific table | List | | | glue:GetTable |
ListTriggers | Grants permission to retrieve all triggers | List | |||
ListUsageProfiles | Grants permission to retrieve a list of usage profiles | List | |||
ListWorkflows | Grants permission to retrieve all workflows | List | |||
ModifyIntegration | Grants permission to modify a zero-ETL integration | Write | |||
NotifyEvent | Grants permission to notify an event to the event-driven workflow | Write | |||
PassConnection [permission only] | Grants permission to pass glue connection name in input for APIs that require them | Write | |||
PublishDataQuality [permission only] | Grants permission to publish Data Quality results | Write | |||
PutDataCatalogEncryptionSettings | Grants permission to update catalog encryption settings | Write | |||
PutDataQualityProfileAnnotation | Grants permission to annotate all datapoints for a profile | Write | |||
PutDataQualityStatisticAnnotation | Grants permission to annotate datapoints over time for a specific data quality statistic | Write | |||
PutResourcePolicy | Grants permission to update a resource policy | Permissions management | |||
PutSchemaVersionMetadata | Grants permission to add metadata to schema version | Write | |||
PutWorkflowRunProperties | Grants permission to update workflow run properties | Write | |||
QuerySchemaVersionMetadata | Grants permission to fetch metadata for a schema version | List | |||
RefreshOAuth2Tokens | Grants permission to refresh the oauth2 tokens for connection during job execution | Permissions management | |||
RegisterSchemaVersion | Grants permission to create a new schema version | Write | |||
RemoveSchemaVersionMetadata | Grants permission to remove metadata from schema version | Write | |||
RequestLogParsing | Grants permission to request log parsing for SparkUI | Permissions management | |||
ResetJobBookmark | Grants permission to reset a job bookmark | Write | |||
ResumeWorkflowRun | Grants permission to resume a workflow run | Write | |||
RunDataPreviewStatement | Grants permission to run Data Preview Statement | Permissions management | |||
RunStatement | Grants permission to run a code or statement in an interactive session | Write | |||
SearchTables | Grants permission to retrieve the tables in the catalog | Read | |||
SendFeedback | Grants permission to provide feedback about a glue completion experience in AWS Q | Write | |||
SendRecipeAction | Grants permission to execute a Data Preparation Recipe statement in data preview | Permissions management | |||
StartBlueprintRun | Grants permission to start running a blueprint | Write | |||
StartColumnStatisticsTaskRun | Grants permission to start a run for generating Column Statistics for the table | Write | | | glue:GetSecurityConfiguration glue:GetTable |
StartColumnStatisticsTaskRunSchedule | Grants permission to start a column statistics task run schedule | Write | |||
StartCompletion | Grants permission to create a completion request in Glue for AWS Q experience | Write | |||
StartCrawler | Grants permission to start a crawler | Write | |||
StartCrawlerSchedule | Grants permission to change the schedule state of a crawler to SCHEDULED | Write | |||
StartDataQualityRuleRecommendationRun | Grants permission to start a Data Quality rule recommendation run | Write | |||
StartDataQualityRulesetEvaluationRun | Grants permission to start a Data Quality rule recommendation run | Write | |||
StartExportLabelsTaskRun | Grants permission to start an Export Labels ML Task Run | Write | |||
StartImportLabelsTaskRun | Grants permission to start an Import Labels ML Task Run | Write | |||
StartJobRun | Grants permission to start running a job | Write | |||
StartMLEvaluationTaskRun | Grants permission to start an Evaluation ML Task Run | Write | |||
StartMLLabelingSetGenerationTaskRun | Grants permission to start a Labeling Set Generation ML Task Run | Write | |||
StartNotebook | Grants permission to start Glue Studio Notebooks | Permissions management | |||
StartTrigger | Grants permission to start a trigger | Write | |||
StartWorkflowRun | Grants permission to start running a workflow | Write | |||
StopColumnStatisticsTaskRun | Grants permission to stop execution for Column Statistics run | Write | |||
StopColumnStatisticsTaskRunSchedule | Grants permission to stop a column statistics task run schedule | Write | |||
StopCrawler | Grants permission to stop a running crawler | Write | |||
StopCrawlerSchedule | Grants permission to set the schedule state of a crawler to NOT_SCHEDULED | Write | |||
StopSession | Grants permission to stop an interactive session | Write | |||
StopTrigger | Grants permission to stop a trigger | Write | |||
StopWorkflowRun | Grants permission to stop a workflow run | Write | |||
TagResource | Grants permission to add tags to a resource | Tagging | |||
TerminateNotebook | Grants permission to terminate Glue Studio Notebooks | Permissions management | |||
TestConnection | Grants permission to test connection in Glue Studio | Permissions management | |||
UntagResource | Grants permission to remove tags associated with a resource | Tagging | |||
UpdateBlueprint | Grants permission to update a blueprint | Write | |||
UpdateCatalog | Grants permission to update a catalog | Write | |||
UpdateClassifier | Grants permission to update a classifier | Write | |||
UpdateColumnStatisticsForPartition | Grants permission to update partition statistics of columns | Write | |||
UpdateColumnStatisticsForTable | Grants permission to update table statistics of columns | Write | |||
UpdateColumnStatisticsTaskSettings | Grants permission to update settings for a column statistics task | Write | |||
UpdateConnection | Grants permission to update a connection | Write | |||
UpdateCrawler | Grants permission to update a crawler | Write | |||
UpdateCrawlerSchedule | Grants permission to update the schedule of a crawler | Write | |||
UpdateDataQualityRuleset | Grants permission to update a Data Quality ruleset | Write | |||
UpdateDatabase | Grants permission to update a database | Write | |||
UpdateDevEndpoint | Grants permission to update a development endpoint | Write | |||
UpdateIntegrationResourceProperty | Grants permission to update the integration resource property | Write | |||
UpdateIntegrationTableProperties | Grants permission to update the integration table properties | Write | |||
UpdateJob | Grants permission to update a job | Write | |||
UpdateJobFromSourceControl | Grants permission to update a job from source control provider | Write | |||
UpdateMLTransform | Grants permission to update an ML Transform | Write | |||
UpdatePartition | Grants permission to update a partition | Write | |||
UpdateRegistry | Grants permission to update a schema registry | Write | |||
UpdateSchema | Grants permission to update a schema container | Write | |||
UpdateSourceControlFromJob | Grants permission to update source control provider from a job | Write | |||
UpdateTable | Grants permission to update a table | Write | |||
UpdateTableOptimizer | Grants permission to update the configuration for an existing table optimizer | Write | | | glue:GetTable |
UpdateTrigger | Grants permission to update a trigger | Write | |||
UpdateUsageProfile | Grants permission to update a usage profile | Write | |||
UpdateUserDefinedFunction | Grants permission to update a function definition | Write | |||
UpdateWorkflow | Grants permission to update a workflow | Write | |||
UseGlueStudio | Grants permission to use Glue Studio and access its internal APIs | Permissions management | |||
UseMLTransforms [permission only] | Grants permission to use an ML Transform from within a Glue ETL Script | Write | |||
Resource types defined by AWS Glue
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
rootcatalog | arn:${Partition}:glue:${Region}:${Account}:catalog | |
catalog | arn:${Partition}:glue:${Region}:${Account}:catalog/${CatalogName} | |
database | arn:${Partition}:glue:${Region}:${Account}:database/${DatabaseName} | |
table | arn:${Partition}:glue:${Region}:${Account}:table/${DatabaseName}/${TableName} | |
tableversion | arn:${Partition}:glue:${Region}:${Account}:tableVersion/${DatabaseName}/${TableName}/${TableVersionName} | |
connection | arn:${Partition}:glue:${Region}:${Account}:connection/${ConnectionName} | |
userdefinedfunction | arn:${Partition}:glue:${Region}:${Account}:userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName} | |
devendpoint | arn:${Partition}:glue:${Region}:${Account}:devEndpoint/${DevEndpointName} | |
job | arn:${Partition}:glue:${Region}:${Account}:job/${JobName} | |
trigger | arn:${Partition}:glue:${Region}:${Account}:trigger/${TriggerName} | |
crawler | arn:${Partition}:glue:${Region}:${Account}:crawler/${CrawlerName} | |
workflow | arn:${Partition}:glue:${Region}:${Account}:workflow/${WorkflowName} | |
blueprint | arn:${Partition}:glue:${Region}:${Account}:blueprint/${BlueprintName} | |
mlTransform | arn:${Partition}:glue:${Region}:${Account}:mlTransform/${TransformId} | |
registry | arn:${Partition}:glue:${Region}:${Account}:registry/${RegistryName} | |
schema | arn:${Partition}:glue:${Region}:${Account}:schema/${SchemaName} | |
session | arn:${Partition}:glue:${Region}:${Account}:session/${SessionId} | |
usageProfile | arn:${Partition}:glue:${Region}:${Account}:usageProfile/${UsageProfileId} | |
dataQualityRuleset | arn:${Partition}:glue:${Region}:${Account}:dataQualityRuleset/${RulesetName} | |
customEntityType | arn:${Partition}:glue:${Region}:${Account}:customEntityType/${CustomEntityTypeId} | |
completion | arn:${Partition}:glue:${Region}:${Account}:completion/${CompletionId} | |
integration | arn:${Partition}:glue:${Region}:${Account}:integration:${IntegrationId} | |
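The following is an added example, not part of the AWS documentation: a small Python check that reports which of the resource types above each entry in a policy statement's Resource element can match, so that a pattern such as table* (which also covers tableVersion ARNs) or a mistyped separator is caught in review. The function names, the sample statement, and the account ID are constructed for illustration; the check assumes that the IAM wildcards * and ? may match any character, including "/".

```python
import re
from functools import lru_cache

# Resource part (sixth ARN field) of each format in the Resource types table.
GLUE_RESOURCE_FORMATS = {
    "rootcatalog": "catalog",
    "catalog": "catalog/${CatalogName}",
    "database": "database/${DatabaseName}",
    "table": "table/${DatabaseName}/${TableName}",
    "tableversion": "tableVersion/${DatabaseName}/${TableName}/${TableVersionName}",
    "connection": "connection/${ConnectionName}",
    "userdefinedfunction": "userDefinedFunction/${DatabaseName}/${UserDefinedFunctionName}",
    "devendpoint": "devEndpoint/${DevEndpointName}",
    "job": "job/${JobName}",
    "trigger": "trigger/${TriggerName}",
    "crawler": "crawler/${CrawlerName}",
    "workflow": "workflow/${WorkflowName}",
    "blueprint": "blueprint/${BlueprintName}",
    "mlTransform": "mlTransform/${TransformId}",
    "registry": "registry/${RegistryName}",
    "schema": "schema/${SchemaName}",
    "session": "session/${SessionId}",
    "usageProfile": "usageProfile/${UsageProfileId}",
    "dataQualityRuleset": "dataQualityRuleset/${RulesetName}",
    "customEntityType": "customEntityType/${CustomEntityTypeId}",
    "completion": "completion/${CompletionId}",
    "integration": "integration:${IntegrationId}",  # colon, not slash
}


def globs_intersect(a, b):
    """True if at least one string matches both glob patterns (* and ? only)."""
    @lru_cache(maxsize=None)
    def go(i, j):
        if i == len(a) and j == len(b):
            return True
        if i < len(a) and a[i] == "*":
            # The star matches nothing, or absorbs the next token of b.
            return go(i + 1, j) or (j < len(b) and go(i, j + 1))
        if j < len(b) and b[j] == "*":
            return go(i, j + 1) or (i < len(a) and go(i + 1, j))
        if i == len(a) or j == len(b):
            return False
        if a[i] == "?" or b[j] == "?" or a[i] == b[j]:
            return go(i + 1, j + 1)
        return False
    return go(0, 0)


def matching_types(resource):
    """Resource types (table order) that a policy Resource entry can match."""
    if resource == "*":
        return list(GLUE_RESOURCE_FORMATS)
    fields = resource.split(":", 5)  # the resource part may contain ':'
    if len(fields) != 6 or fields[0] != "arn":
        return []
    if not globs_intersect(fields[2], "glue"):
        return []
    matched = []
    for rtype, fmt in GLUE_RESOURCE_FORMATS.items():
        # Each ${Placeholder} stands for one or more arbitrary characters.
        as_glob = re.sub(r"\$\{[^}]+\}", "?*", fmt)
        if globs_intersect(fields[5], as_glob):
            matched.append(rtype)
    return matched


def lint_statement(statement):
    """Return (resource, message) pairs for entries worth a reviewer's look."""
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    findings = []
    for res in resources:
        types = matching_types(res)
        if not types:
            findings.append((res, "matches no Glue ARN format in the table"))
        elif len(types) > 1:
            findings.append((res, "spans %d resource types: %s"
                             % (len(types), ", ".join(types))))
    return findings


# Constructed sample statement (account ID and names are placeholders).
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": ["glue:GetTable", "glue:GetDatabase"],
    "Resource": [
        "arn:aws:glue:us-east-1:111122223333:catalog",
        "arn:aws:glue:us-east-1:111122223333:database/sales",
        "arn:aws:glue:us-east-1:111122223333:table*",
        "arn:aws:glue:us-east-1:111122223333:integration/abc",
    ],
}

if __name__ == "__main__":
    for res, msg in lint_statement(SAMPLE_STATEMENT):
        print(res, "->", msg)
```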
Condition keys for AWS Glue
AWS Glue defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by the presence of tag key-value pairs in the request | String |
aws:ResourceTag/${TagKey} | Filters access by tag key-value pairs attached to the resource | String |
aws:TagKeys | Filters access by the presence of tag keys in the request | ArrayOfString |
glue:CredentialIssuingService | Filters access by the service from which the credentials of the request are issued | String |
glue:EnabledForRedshiftAutoDiscovery | Filters access by the presence of the key configured for role's identity-based policy | Bool |
glue:RoleAssumedBy | Filters access by the service from which the credentials of the request are obtained by assuming the customer role | String |
glue:SecurityGroupIds | Filters access by the ID of security groups configured for the Glue job | ArrayOfString |
glue:SubnetIds | Filters access by the ID of subnets configured for the Glue job | ArrayOfString |
glue:VpcIds | Filters access by the ID of the VPC configured for the Glue job | ArrayOfString |