Prerequisites - AWS Glue

Prerequisites

Before you create a federated catalog for S3 Tables in the AWS Glue Data Catalog, ensure your IAM principal (user or role) has the required permissions.

Required IAM permissions

Your IAM principal needs the following permissions to enable S3 Tables integration:

AWS Glue permissions:

  • glue:CreateCatalog – Required to create the s3tablescatalog federated catalog

  • glue:GetCatalog – Required to view catalog details

  • glue:GetDatabase – Required to view S3 namespaces as databases

  • glue:GetTable – Required to view S3 tables

  • glue:passConnection – Grants the calling principal the right to delegate the aws:s3tables connection to the AWS Glue service

S3 Tables permissions (for IAM access control):

  • s3tables:CreateTableBucket

  • s3tables:GetTableBucket

  • s3tables:CreateNamespace

  • s3tables:GetNamespace

  • s3tables:ListNamespaces

  • s3tables:CreateTable

  • s3tables:GetTable

  • s3tables:ListTables

  • s3tables:UpdateTableMetadataLocation

  • s3tables:GetTableMetadataLocation

  • s3tables:GetTableData

  • s3tables:PutTableData

IAM policy example

The following IAM policy provides the minimum permissions required to enable S3 Tables integration with the Data Catalog in IAM mode:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueDataCatalogPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:CreateCatalog",
        "glue:GetCatalog",
        "glue:GetDatabase",
        "glue:GetTable"
      ],
      "Resource": [
        "arn:aws:glue:region:account-id:catalog/s3tablescatalog",
        "arn:aws:glue:region:account-id:database/s3tablescatalog/*/*",
        "arn:aws:glue:region:account-id:table/s3tablescatalog/*/*/*"
      ]
    },
    {
      "Sid": "S3TablesDataAccessPermissions",
      "Effect": "Allow",
      "Action": [
        "s3tables:GetTableBucket",
        "s3tables:GetNamespace",
        "s3tables:GetTable",
        "s3tables:GetTableMetadataLocation",
        "s3tables:GetTableData"
      ],
      "Resource": [
        "arn:aws:s3tables:region:account-id:bucket/*",
        "arn:aws:s3tables:region:account-id:bucket/*/table/*"
      ]
    }
  ]
}
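The following check is an added example, not AWS code: it compares a policy document against the action list under "Required IAM permissions" and reports which listed actions no Allow statement grants, shown here on the example policy's statements. The function names are hypothetical, and the check looks at action names only (no Deny, NotAction, Resource or Condition evaluation).

```python
import json
from fnmatch import fnmatchcase

# Actions this page lists under "Required IAM permissions".
REQUIRED = [
    "glue:CreateCatalog", "glue:GetCatalog", "glue:GetDatabase", "glue:GetTable",
    "glue:passConnection",
    "s3tables:CreateTableBucket", "s3tables:GetTableBucket",
    "s3tables:CreateNamespace", "s3tables:GetNamespace", "s3tables:ListNamespaces",
    "s3tables:CreateTable", "s3tables:GetTable", "s3tables:ListTables",
    "s3tables:UpdateTableMetadataLocation", "s3tables:GetTableMetadataLocation",
    "s3tables:GetTableData", "s3tables:PutTableData",
]

# Statements of the page's example policy; Resource elements are left out
# because this check compares action names only.
EXAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GlueDataCatalogPermissions", "Effect": "Allow", "Action": [
        "glue:CreateCatalog", "glue:GetCatalog", "glue:GetDatabase", "glue:GetTable"]},
    {"Sid": "S3TablesDataAccessPermissions", "Effect": "Allow", "Action": [
        "s3tables:GetTableBucket", "s3tables:GetNamespace", "s3tables:GetTable",
        "s3tables:GetTableMetadataLocation", "s3tables:GetTableData"]},
]})


def allowed_patterns(policy):
    """Lower-cased Action patterns from every Allow statement."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction statements are not evaluated here
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        patterns.extend(a.lower() for a in actions)
    return patterns


def missing_actions(policy_json, required=REQUIRED):
    """Required actions that no Allow statement grants (IAM action names are
    case-insensitive and may use * and ? wildcards)."""
    patterns = allowed_patterns(json.loads(policy_json))
    return [r for r in required
            if not any(fnmatchcase(r.lower(), p) for p in patterns)]


if __name__ == "__main__":
    for action in missing_actions(EXAMPLE_POLICY):
        print("not granted by the example policy:", action)
```

Run it against the policy you intend to attach to see whether the create and write actions from the list are covered or only the read actions.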