

# Setting up IAM permissions for AWS Glue
<a name="set-up-iam"></a>

The instructions in this topic help you quickly set up AWS Identity and Access Management (IAM) permissions for AWS Glue. You will complete the following tasks:
+ Grant your IAM identities access to AWS Glue resources.
+ Create a service role for running jobs, accessing data, and running AWS Glue Data Quality tasks.

For detailed instructions that you can use to customize IAM permissions for AWS Glue, see [Configuring IAM permissions for AWS Glue](configure-iam-for-glue.md).

**To set up IAM permissions for AWS Glue in the AWS Management Console**

1. Sign in to the AWS Management Console and open the AWS Glue console at [https://console.aws.amazon.com/glue/](https://console.aws.amazon.com/glue/).

1. Choose **Getting started**.

1. Under **Prepare your account for AWS Glue**, choose **Set up IAM permissions**.

1. Choose the IAM identities (roles or users) that you want to give AWS Glue permissions to. AWS Glue attaches the [AWSGlueConsoleFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) managed policy to these identities. You can skip this step if you want to set these permissions manually or only want to set a default service role.

1. Choose **Next**.

1. Choose the level of Amazon S3 access that your roles and users need. The options that you choose in this step are applied to all of the identities that you selected.

   1. Under **Choose S3 locations**, choose the Amazon S3 locations that you want to grant access to.

   1. Next, select whether your identities should have **Read only (recommended)** or **Read and write** access to the locations that you previously selected. AWS Glue adds permissions policies to your identities based on the combination of locations and read or write permissions you select.

      The permissions that AWS Glue attaches for each combination of Amazon S3 locations and access level are listed in the table on the AWS documentation page for this topic: [Setting up IAM permissions for AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/set-up-iam.html).

1. Choose **Next**.

1. Choose a default AWS Glue service role for your account. A service role is an IAM role that AWS Glue uses to access resources in other AWS services on your behalf. For more information, see [Service roles for AWS Glue](security_iam_service-with-iam.md#security_iam_service-with-iam-roles-service).
   + When you choose the standard AWS Glue service role, AWS Glue creates a new IAM role in your AWS account named `AWSGlueServiceRole` with the following managed policies attached. If your account already has an IAM role named `AWSGlueServiceRole`, AWS Glue attaches these policies to the existing role.
     + [AWSGlueServiceRole](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole) – This managed policy is required for AWS Glue to access and manage resources on your behalf. It allows AWS Glue to create, update, and delete resources such as AWS Glue jobs, crawlers, and connections, and it grants AWS Glue access to Amazon CloudWatch Logs for logging. For the purposes of getting started, we recommend using this policy to learn how to use AWS Glue. As you get more comfortable with AWS Glue, you can create policies that fine-tune access to resources as needed.
     + [AWSGlueConsoleFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess) – This managed policy grants full access to the AWS Glue service through the AWS Management Console: it allows any operation within AWS Glue, including creating, modifying, and deleting any AWS Glue resource. It does not grant access to the underlying data stores or to other AWS services involved in the ETL process. Because of its broad scope, assign `AWSGlueConsoleFullAccess` with caution and following the principle of least privilege; wherever possible, create and use more granular policies tailored to your specific use case.
     + [AWSGlueConsole-S3-read-only-policy](https://console.aws.amazon.com/iam/home#policies/details/arn:aws:iam::aws:policy/AWSGlueConsole-S3-read-only-policy) – This policy allows AWS Glue to read data from the specified Amazon S3 buckets, but it does not grant permissions to write or modify data in Amazon S3 or
     + [AWSGlueConsole-S3-read-and-write](https://console.aws.amazon.com/iam/home#policies/details/arn:aws:iam::aws:policy/AWSGlueConsole-S3-read-and-write) – This policy allows AWS Glue to read and write data in the specified Amazon S3 buckets as part of the ETL process.
   + When you choose an existing IAM role, AWS Glue sets the role as the default but doesn't add the `AWSGlueServiceRole` permissions to it. Ensure that you've configured the role for use as an AWS Glue service role. For more information, see [Step 1: Create an IAM policy for the AWS Glue service](create-service-policy.md) and [Step 2: Create an IAM role for AWS Glue](create-an-iam-role.md).

1. Choose **Next**.

1. Finally, review the permissions you've selected and then choose **Apply changes**. When you apply the changes, AWS Glue adds IAM permissions to the identities that you selected. You can view or modify the new permissions in the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

You've now completed the minimum IAM permissions setup for AWS Glue. In a production environment, we recommend that you familiarize yourself with [Security in AWS Glue](security.md) and [Identity and access management for AWS Glue](security-iam.md) to help you secure AWS resources for your use case.

## Next steps
<a name="set-up-iam-next-steps"></a>

Now that you have IAM permissions set up, you can explore the following topics to get started using AWS Glue:
+ [Getting Started with AWS Glue in AWS Skill Builder](https://explore.skillbuilder.aws/learn/course/external/view/elearning/8171/getting-started-with-aws-glue)
+ [Getting started with the AWS Glue Data Catalog](start-data-catalog.md)

# Setting up for AWS Glue Studio
<a name="setting-up-studio"></a>

Complete the tasks in this section the first time you use AWS Glue Studio for visual ETL:

**Topics**
+ [Review IAM permissions needed for the AWS Glue Studio user](getting-started-min-privs.md)
+ [Review IAM permissions needed for ETL jobs](getting-started-min-privs-job.md)
+ [Set up IAM permissions for AWS Glue Studio](getting-started-iam-permissions.md)
+ [Configure a VPC for your ETL job](getting-started-vpc-config.md)

# Review IAM permissions needed for the AWS Glue Studio user
<a name="getting-started-min-privs"></a>

To use AWS Glue Studio, the user must have access to various AWS resources. The user must be able to view and select Amazon S3 buckets, IAM policies and roles, and AWS Glue Data Catalog objects.

## AWS Glue service permissions
<a name="getting-started-min-privs-glue"></a>

AWS Glue Studio uses the actions and resources of the AWS Glue service. Your user needs permissions on these actions and resources to effectively use AWS Glue Studio. You can grant the AWS Glue Studio user the `AWSGlueConsoleFullAccess` managed policy, or create a custom policy with a smaller set of permissions.

**Important**  
As a security best practice, tighten these policies so that they grant access only to the Amazon S3 buckets and Amazon CloudWatch log groups that the user needs. For an example Amazon S3 policy, see [Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket](https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/). 

## Creating Custom IAM Policies for AWS Glue Studio
<a name="getting-started-all-gs-privs"></a>

You can create a custom policy with a smaller set of permissions for AWS Glue Studio. The policy can grant permissions for a subset of objects or actions. Use the following information when creating a custom policy. 

 To use the AWS Glue Studio APIs, include the `glue:UseGlueStudio` action in your IAM policy. Granting `glue:UseGlueStudio` gives access to all AWS Glue Studio actions, including actions that are added to the API over time, so you don't need to list them individually. 

 For more information on actions defined by AWS Glue, see [ Actions defined by AWS Glue](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html). 

 **Data preparation authoring Actions** 
+ SendRecipeAction
+ GetRecipeAction

 **Directed acyclic graph (DAG) Actions** 
+ CreateDag
+ UpdateDag
+ GetDag
+ DeleteDag

 **Job Actions** 
+ SaveJob
+ GetJob
+ CreateJob
+ DeleteJob
+ GetJobs
+ UpdateJob

 **Job run Actions** 
+ StartJobRun
+ GetJobRuns
+ BatchStopJobRun
+ GetJobRun
+ QueryJobRuns
+ QueryJobs
+ QueryJobRunsAggregated

 **Schema Actions** 
+ GetSchema
+ GetInferredSchema

 **Database Actions** 
+ GetDatabases

 **Plan Actions** 
+ GetPlan

 **Table Actions** 
+ SearchTables
+ GetTables
+ GetTable

 **Connection Actions** 
+ CreateConnection
+ DeleteConnection
+ UpdateConnection
+ GetConnections
+ GetConnection

 **Mapping Actions** 
+ GetMapping

 **S3 Proxy Actions**
+ ListBuckets
+ ListObjectsV2
+ GetBucketLocation

**Security Configuration Actions**
+ GetSecurityConfigurations 

**Script Actions**
+ CreateScript (different from API of same name in AWS Glue)

## Accessing AWS Glue Studio APIs
<a name="getting-started-glue-studio-apis"></a>

 To access AWS Glue Studio, add `glue:UseGlueStudio` to the list of actions in the user's IAM policy. 

 When a policy includes `glue:UseGlueStudio`, the AWS Glue Studio APIs do not need to be identified individually: the action automatically grants access to the internal APIs. 

 Actions that are not AWS Glue Studio APIs (for example, `glue:SearchTables`) are not covered by `glue:UseGlueStudio` and must be added to the policy as required. You may also want to include the Amazon S3 proxy actions to specify the level of Amazon S3 access to grant. A policy built this way lets a user open AWS Glue Studio, create a visual job, and save and run it, provided that the IAM role selected for the job has sufficient access. 
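As an added illustration (not a policy taken from the AWS documentation), the following user policy is built on that principle. It grants `glue:UseGlueStudio` plus the non-Studio AWS Glue actions from the lists above, the three Amazon S3 proxy actions expressed as their IAM action names (`s3:ListAllMyBuckets`, `s3:ListBucket`, `s3:GetBucketLocation`), `iam:ListRoles` so that the console can populate its job-role picker, and `iam:PassRole` restricted to roles whose names start with `AWSGlueServiceRole` and to the AWS Glue service. The account ID `111122223333`, the bucket name `amzn-s3-demo-bucket`, and the role-name prefix are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueStudioAndGlueApis",
      "Effect": "Allow",
      "Action": [
        "glue:UseGlueStudio",
        "glue:SearchTables",
        "glue:GetDatabases",
        "glue:GetTables",
        "glue:GetTable",
        "glue:GetConnections",
        "glue:GetConnection",
        "glue:GetSecurityConfigurations",
        "glue:GetJobs",
        "glue:GetJob",
        "glue:CreateJob",
        "glue:UpdateJob",
        "glue:StartJobRun",
        "glue:GetJobRuns",
        "glue:GetJobRun",
        "glue:BatchStopJobRun"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ProxyListBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3ProxyBrowseOneBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
    },
    {
      "Sid": "ListRolesForJobRolePicker",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "PassGlueRolesOnlyToGlue",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/AWSGlueServiceRole*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "glue.amazonaws.com"
        }
      }
    }
  ]
}
```

`iam:PassRole` is the permission that lets a console user hand a privileged role to AWS Glue, so scope its `Resource` to the narrowest role-name pattern you can; the `iam:PassedToService` condition ensures that the same user cannot pass those roles to any other service. `s3:ListAllMyBuckets` and `iam:ListRoles` do not support resource-level permissions, which is why those statements use `"Resource": "*"`.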

## Notebook and data preview permissions
<a name="getting-started-data-preview-perms"></a>

Data previews and notebooks allow you to see a sample of your data at any stage of your job (reading, transforming, writing) without having to run the job. You specify an AWS Identity and Access Management (IAM) role for AWS Glue Studio to use when accessing the data. IAM roles are intended to be assumed and do not have long-term credentials such as a password or access keys; instead, when AWS Glue Studio assumes the role, IAM provides it with temporary security credentials. 

To ensure that data previews and notebook commands work correctly, use a role whose name starts with the string `AWSGlueServiceRole`. If you choose a different name for your role, you must grant the `iam:PassRole` permission for it and configure a policy for the role in IAM. For more information, see [Create an IAM policy for roles not named "AWSGlueServiceRole*"](getting-started-iam-permissions.md#create-iam-policy).

**Warning**  
If a role grants the `iam:PassRole` permission for a notebook and you implement role chaining, a user could unintentionally gain access to the notebook. There is currently no auditing that would let you monitor which users have been granted access to the notebook.

If you would like to deny an IAM identity the ability to create data preview sessions, consult the following example [Deny an identity the ability to create data preview sessions](security_iam_id-based-policy-examples.md#deny-data-preview-sessions-per-identity).

## Amazon CloudWatch permissions
<a name="getting-started-min-privs-cloudwatch"></a>

You can monitor your AWS Glue Studio jobs using Amazon CloudWatch, which collects and processes raw data from AWS Glue into readable, near-real-time metrics. By default, AWS Glue metrics data is sent to CloudWatch automatically. For more information, see [What Is Amazon CloudWatch?](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*, and [AWS Glue Metrics](https://docs.aws.amazon.com/glue/latest/dg/monitoring-awsglue-with-cloudwatch-metrics.html#awsglue-metrics) in the *AWS Glue Developer Guide*. 

To access CloudWatch dashboards, the user accessing AWS Glue Studio needs one of the following:
+ The `AdministratorAccess` policy
+ The `CloudWatchFullAccess` policy
+ A custom policy that includes one or more of these specific permissions:
  + `cloudwatch:GetDashboard` and `cloudwatch:ListDashboards` to view dashboards
  + `cloudwatch:PutDashboard` to create or modify dashboards
  + `cloudwatch:DeleteDashboards` to delete dashboards

For more information about changing permissions for an IAM user using policies, see [Changing Permissions for an IAM User](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html) in the *IAM User Guide*. 

# Review IAM permissions needed for ETL jobs
<a name="getting-started-min-privs-job"></a>

When you create a job using AWS Glue Studio, the job assumes the permissions of the IAM role that you specify when you create it. This IAM role must have permission to extract data from your data source, write data to your target, and access AWS Glue resources. 

The name of the role that you create for the job must start with the string `AWSGlueServiceRole` for it to be used correctly by AWS Glue Studio. For example, you might name your role `AWSGlueServiceRole-FlightDataJob`.

## Data source and data target permissions
<a name="getting-started-min-privs-data"></a>

An AWS Glue Studio job must have access to Amazon S3 for any sources, targets, scripts, and temporary directories that you use in your job. You can create a policy to provide fine-grained access to specific Amazon S3 resources. 
+ Data sources require `s3:ListBucket` and `s3:GetObject` permissions. 
+ Data targets require `s3:ListBucket`, `s3:PutObject`, and `s3:DeleteObject` permissions.

**Note**  
 Your IAM policy needs to allow `s3:GetObject` on the specific buckets that host the AWS Glue transforms.   
 The following buckets are owned by the AWS service account and are world-readable. They serve as the repository for the source code of a subset of the transformations available in the AWS Glue Studio visual editor. The bucket permissions deny every other API action: anybody can read the transformation scripts that AWS provides, but nobody outside the AWS service team can put anything in them. When your AWS Glue job runs, the script file is pulled in as a local import, so it is downloaded to the local container; after that, there is no further communication with that account. 

 Region: Bucket name 
+ af-south-1: aws-glue-studio-transforms-762339736633-prod-af-south-1
+ ap-east-1: aws-glue-studio-transforms-125979764932-prod-ap-east-1
+ ap-northeast-2: aws-glue-studio-transforms-673535381443-prod-ap-northeast-2
+ ap-northeast-3: aws-glue-studio-transforms-149976050262-prod-ap-northeast-3
+ ap-south-1: aws-glue-studio-transforms-584702181950-prod-ap-south-1
+ ap-south-2: aws-glue-studio-transforms-380279651983-prod-ap-south-2
+ ap-southeast-1: aws-glue-studio-transforms-737106620487-prod-ap-southeast-1
+ ap-southeast-2: aws-glue-studio-transforms-234881715811-prod-ap-southeast-2
+ ap-southeast-3: aws-glue-studio-transforms-151265630221-prod-ap-southeast-3
+ ap-southeast-4: aws-glue-studio-transforms-052235663858-prod-ap-southeast-4
+ ca-central-1: aws-glue-studio-transforms-622716468547-prod-ca-central-1
+ ca-west-1: aws-glue-studio-transforms-915795495192-prod-ca-west-1
+ eu-central-1: aws-glue-studio-transforms-560373232017-prod-eu-central-1
+ eu-central-2: aws-glue-studio-transforms-907358657121-prod-eu-central-2
+ eu-north-1: aws-glue-studio-transforms-312557305497-prod-eu-north-1
+ eu-south-1: aws-glue-studio-transforms-939684186351-prod-eu-south-1
+ eu-south-2: aws-glue-studio-transforms-239737454084-prod-eu-south-2
+ eu-west-1: aws-glue-studio-transforms-244479516193-prod-eu-west-1
+ eu-west-2: aws-glue-studio-transforms-804222392271-prod-eu-west-2
+ eu-west-3: aws-glue-studio-transforms-371299348807-prod-eu-west-3
+ il-central-1: aws-glue-studio-transforms-806964611811-prod-il-central-1
+ me-central-1: aws-glue-studio-transforms-733304270342-prod-me-central-1
+ me-south-1: aws-glue-studio-transforms-112120182341-prod-me-south-1
+ sa-east-1: aws-glue-studio-transforms-881619130292-prod-sa-east-1
+ us-east-1: aws-glue-studio-transforms-510798373988-prod-us-east-1
+ us-east-2: aws-glue-studio-transforms-251189692203-prod-us-east-2
+ us-west-1: aws-glue-studio-transforms-593230150239-prod-us-west-1
+ us-west-2: aws-glue-studio-transforms-818035625594-prod-us-west-2
+ ap-northeast-1: aws-glue-studio-transforms-200493242866-prod-ap-northeast-1
+ cn-north-1: aws-glue-studio-transforms-071033555442-prod-cn-north-1
+ cn-northwest-1: aws-glue-studio-transforms-070947029561-prod-cn-northwest-1
+ us-gov-west-1: aws-glue-studio-transforms-227493901923-prod-us-gov-west-1-2604
+ eusc-de-east-1: aws-glue-studio-transforms-780995497573-prod-eusc-de-east-1-555

If you choose Amazon Redshift as your data source, you can provide a role for cluster permissions. Jobs that run against an Amazon Redshift cluster issue commands that access Amazon S3 for temporary storage using temporary credentials. If your job runs for more than an hour, these credentials expire, causing the job to fail. To avoid this problem, you can assign a role to the Amazon Redshift cluster itself that grants the necessary permissions to jobs using temporary credentials. For more information, see [Moving Data to and from Amazon Redshift](https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-redshift.html) in the *AWS Glue Developer Guide*.

If the job uses data sources or targets other than Amazon S3, then you must attach the necessary permissions to the IAM role used by the job to access these data sources and targets. For more information, see [Setting Up Your Environment to Access Data Stores](https://docs.aws.amazon.com/glue/latest/dg/start-connecting.html) in the *AWS Glue Developer Guide*.

If you're using connectors and connections for your data store, you need additional permissions, as described in [Permissions required for using connectors](#getting-started-min-privs-connectors).

## Permissions required for deleting jobs
<a name="getting-started-min-privs-delete-job"></a>

In AWS Glue Studio you can select multiple jobs in the console to delete. To perform this action, you must have the `glue:BatchDeleteJob` permission. This is different from the AWS Glue console, which requires the `glue:DeleteJob` permission for deleting jobs.

## AWS Key Management Service permissions
<a name="getting-started-min-privs-kms"></a>

If you plan to access Amazon S3 sources and targets that use server-side encryption with AWS Key Management Service (AWS KMS), attach a policy to the AWS Glue Studio role used by the job that enables the job to decrypt the data. The job role needs the `kms:ReEncrypt*` (that is, `kms:ReEncryptFrom` and `kms:ReEncryptTo`), `kms:GenerateDataKey`, and `kms:DescribeKey` permissions. Additionally, the job role needs the `kms:Decrypt` permission to upload or download an Amazon S3 object that is encrypted with an AWS KMS key (formerly called a customer master key, or CMK). The key policy of the KMS key must also allow the job role to use the key: an IAM policy on the role is not enough on its own unless the key policy delegates permission management to IAM.

There are additional charges for using AWS KMS keys. For more information, see [AWS Key Management Service Concepts - Customer Master Keys (CMKs)](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) and [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing) in the *AWS Key Management Service Developer Guide*.
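As an added example (not from the AWS documentation), the following job-role policy combines the Amazon S3 permissions from the data source and data target section above with the AWS KMS permissions described here. It assumes a source bucket `amzn-s3-demo-source-bucket` read under the `raw/` prefix, a target bucket `amzn-s3-demo-target-bucket` written under `curated/` with the job's temporary directory under `temporary/`, the job script stored under `scripts/` in `amzn-s3-demo-assets-bucket`, a job running in `us-east-1` (so the transforms bucket is the `us-east-1` entry from the list above), and a KMS key `1234abcd-12ab-34cd-56ef-1234567890ab` in account `111122223333`; all of these names are placeholders. Note that `s3:ListBucket` is granted on the bucket ARN while the object actions are granted on the `bucket/prefix/*` ARN; mixing the two is the most common mistake when writing these policies.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListJobBuckets",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-source-bucket",
        "arn:aws:s3:::amzn-s3-demo-target-bucket",
        "arn:aws:s3:::amzn-s3-demo-assets-bucket"
      ]
    },
    {
      "Sid": "ReadSourceDataAndJobScript",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-source-bucket/raw/*",
        "arn:aws:s3:::amzn-s3-demo-assets-bucket/scripts/*"
      ]
    },
    {
      "Sid": "WriteTargetAndTemporaryDirectory",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-target-bucket/curated/*",
        "arn:aws:s3:::amzn-s3-demo-target-bucket/temporary/*"
      ]
    },
    {
      "Sid": "ReadGlueStudioTransformScripts",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::aws-glue-studio-transforms-510798373988-prod-us-east-1/*"
    },
    {
      "Sid": "UseKmsKeyThroughS3Only",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The `kms:ViaService` condition limits the role to using the key through Amazon S3 in that Region, so the same role cannot call AWS KMS directly to decrypt arbitrary ciphertext protected by the key. The key policy must still allow the role (or delegate to IAM) for these statements to take effect.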

## Permissions required for using connectors
<a name="getting-started-min-privs-connectors"></a>

If you're using an AWS Glue Custom Connector and connection to access a data store, the role used to run the AWS Glue ETL job needs additional permissions attached:
+ The AWS managed policy `AmazonEC2ContainerRegistryReadOnly` for accessing connectors purchased from AWS Marketplace.
+ The `glue:GetJob` and `glue:GetJobs` permissions.
+ AWS Secrets Manager permissions for accessing secrets that are used with connections. Refer to [Example: Permission to retrieve secret values](https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_examples_read) for example IAM policies.

If your AWS Glue ETL job runs within an Amazon VPC, the VPC must be configured as described in [Configure a VPC for your ETL job](getting-started-vpc-config.md).
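An added example (not AWS's own policy) of the additional inline policy for a job role that uses a custom connector with a connection whose credentials are stored in AWS Secrets Manager. Attach the managed policy `AmazonEC2ContainerRegistryReadOnly` to the role separately; it cannot be expressed inline. The Region `us-east-1`, the account `111122223333`, and the secret name prefix `glue/connections/` are placeholders. Secret ARNs end in a random suffix, so the trailing `*` after the secret name is required even when naming a single secret. If the secret is encrypted with a customer managed KMS key, the role also needs `kms:Decrypt` on that key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadJobDefinitionsForConnector",
      "Effect": "Allow",
      "Action": [
        "glue:GetJob",
        "glue:GetJobs"
      ],
      "Resource": "arn:aws:glue:us-east-1:111122223333:job/*"
    },
    {
      "Sid": "ReadConnectionSecretsOnly",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:glue/connections/*"
    }
  ]
}
```

Keeping connection secrets under a dedicated name prefix is what makes the second statement possible: the job role can read the credentials for its own connections without being able to read every secret in the account.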

# Set up IAM permissions for AWS Glue Studio
<a name="getting-started-iam-permissions"></a>

An administrator user can create the roles and assign policies to users and job roles. 

You can use the **AWSGlueConsoleFullAccess** AWS managed policy to provide the necessary permissions for using the AWS Glue Studio console. 

To create your own policy, follow the steps documented in [Create an IAM Policy for the AWS Glue Service](https://docs.aws.amazon.com/glue/latest/dg/create-service-policy.html) in the *AWS Glue Developer Guide*. Include the IAM permissions described previously in [Review IAM permissions needed for the AWS Glue Studio user](getting-started-min-privs.md).

**Topics**
+ [Attach policies to the AWS Glue Studio user](#attach-iam-policy)
+ [Create an IAM policy for roles not named "AWSGlueServiceRole*"](#create-iam-policy)

## Attach policies to the AWS Glue Studio user
<a name="attach-iam-policy"></a>

Any AWS user who signs in to the AWS Glue Studio console must have permissions to access specific resources. You provide those permissions by assigning IAM policies to the user. 

**To attach the AWSGlueConsoleFullAccess managed policy to a user**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**. 

1. In the list of policies, select the check box next to the **AWSGlueConsoleFullAccess**. You can use the **Filter** menu and the search box to filter the list of policies. 

1. Choose **Policy actions**, and then choose **Attach**. 

1. Choose the user to attach the policy to. You can use the **Filter** menu and the search box to filter the list of principal entities. After choosing the user to attach the policy to, choose **Attach policy**. 

1. Repeat the previous steps to attach additional policies to the user, as needed.

## Create an IAM policy for roles not named "AWSGlueServiceRole*"
<a name="create-iam-policy"></a>

**To configure an IAM policy for roles used by AWS Glue Studio**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Add a new IAM policy. You can add to an existing policy or create a new IAM inline policy. To create an IAM policy:

   1. Choose **Policies**, and then choose **Create Policy**. If a **Get Started** button appears, choose it, and then choose **Create Policy**.

   1. Next to **Create Your Own Policy**, choose **Select**.

   1. For **Policy Name**, type any value that is easy for you to refer to later. Optionally, type descriptive text in **Description**.

   1. For **Policy Document**, enter a policy statement in the format shown in the next step, and then choose **Create Policy**.

1. Copy and paste the following block into the policy's `"Statement"` array, replacing *my-interactive-session-role-prefix* with the common prefix of the role names that AWS Glue Studio should be allowed to pass to AWS Glue. The `iam:PassedToService` condition ensures that the user can pass those roles only to the AWS Glue service and not to any other service.

   ```
   {
       "Action": [
           "iam:PassRole"
       ],
       "Effect": "Allow",
       "Resource": "arn:aws:iam::*:role/my-interactive-session-role-prefix*",
       "Condition": {
           "StringLike": {
               "iam:PassedToService": [
                   "glue.amazonaws.com"
               ]
           }
       }
   }
   ```

    Here is the full example with the `Version` element and the `Statement` array included in the policy: 

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "iam:PassRole"
         ],
         "Effect": "Allow",
         "Resource": "arn:aws:iam::*:role/my-interactive-session-role-prefix*",
         "Condition": {
           "StringLike": {
             "iam:PassedToService": [
               "glue.amazonaws.com"
             ]
           }
         }
       }
     ]
   }
   ```

1. To enable the policy for a user, choose **Users**.

1. Choose the user to whom you want to attach the policy.

# Configure a VPC for your ETL job
<a name="getting-started-vpc-config"></a>

You can use Amazon Virtual Private Cloud (Amazon VPC) to define a virtual network in your own logically isolated area within the AWS Cloud, known as a *virtual private cloud (VPC)*. You can launch your AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the scalable infrastructure of AWS. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the internet. You can connect your VPC to your own corporate data center, making the AWS Cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists. For more information, see the [Amazon VPC User Guide](https://docs.aws.amazon.com/vpc/latest/userguide/).

You can configure your AWS Glue ETL jobs to run within a VPC when using connectors. You must configure your VPC for the following, as needed:
+ Public network access for data stores not in AWS. All data stores that are accessed by the job must be available from the VPC subnet. 
+ If your job needs to access both VPC resources and the public internet, the VPC needs to have a network address translation (NAT) gateway inside the VPC. 

  For more information, see [Setting Up Your Environment to Access Data Stores](https://docs.aws.amazon.com/glue/latest/dg/start-connecting.html) in the *AWS Glue Developer Guide*.

# Getting started with notebooks in AWS Glue Studio
<a name="notebook-getting-started"></a>

 When you start a notebook through AWS Glue Studio, all the configuration steps are done for you so that you can explore your data and start developing your job script after only a few seconds. 

 The following sections describe how to create a role and grant the appropriate permissions to use notebooks in AWS Glue Studio for ETL jobs. 

 For more information on actions defined by AWS Glue, see [ Actions defined by AWS Glue ](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html). 

**Topics**
+ [Granting permissions for the IAM role](#studio-notebook-permissions)

## Granting permissions for the IAM role
<a name="studio-notebook-permissions"></a>

 Setting up AWS Glue Studio is a prerequisite to using notebooks. 

To use notebooks in AWS Glue, your role requires the following:
+  A trust relationship that allows AWS Glue to perform the `sts:AssumeRole` action and, if you want to tag sessions, the `sts:TagSession` action. 
+  An IAM policy containing all the permissions for notebooks, AWS Glue, and interactive sessions. 
+  An IAM policy granting `iam:PassRole`, because the role needs to be able to pass itself from the notebook to interactive sessions. 

 For example, when you create a new role, you can add a standard AWS managed policy such as `AWSGlueConsoleFullAccess` to the role, and then add a new policy for the notebook operations and another for the `iam:PassRole` permission. 

### Actions needed for a trust relationship with AWS Glue
<a name="create-notebook-permissions-trust"></a>

 When starting a notebook session, the trust relationship of the role that is passed to the notebook must allow the `sts:AssumeRole` action. If your session includes tags, it must also allow the `sts:TagSession` action. Without these actions, the notebook session cannot start. 

 For example: 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

### Policies containing IAM permissions for notebooks
<a name="create-notebook-permissions-operations"></a>

 The following sample policy describes the required AWS IAM permissions for notebooks. If you are creating a new role, create a policy that contains the following: 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:StartNotebook",
        "glue:TerminateNotebook",
        "glue:GlueNotebookRefreshCredentials",
        "glue:DeregisterDataPreview",
        "glue:GetNotebookInstanceStatus",
        "glue:GlueNotebookAuthorize"
      ],
      "Resource": "*"
    }
  ]
}
```

 You can use the following IAM policies to allow access to specific resources: 
+  *AwsGlueSessionUserRestrictedNotebookServiceRole*: Provides full access to all AWS Glue resources except for sessions. Allows users to create and use only the notebook sessions that are associated with the user. This policy also includes other permissions needed by AWS Glue to manage AWS Glue resources in other AWS services. 
+  *AwsGlueSessionUserRestrictedNotebookPolicy*: Provides permissions that allows users to create and use only the notebook sessions that are associated with the user. This policy also includes permissions to explicitly allow users to pass a restricted AWS Glue session role. 

### IAM policy to pass a role
<a name="create-notebook-permissions-pass-role"></a>

 When you create a notebook with a role, that role is then passed to interactive sessions so that the same role can be used in both places. As such, the `iam:PassRole` permission needs to be part of the role's policy. 

 Create a new policy for your role using the following example, replacing the account number and the role name with your own. As with the user policy earlier on this page, you can add an `iam:PassedToService` condition for `glue.amazonaws.com` so that the role can be passed only to AWS Glue and not to any other service. 

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/<role_name>"
    }
  ]
}
```