# SQL extension data source connections
Before using the SQL extension in JupyterLab notebooks, administrators or users must create AWS Glue connections to their data sources. The SQL extension allows connecting to data sources such as Amazon Redshift Amazon Athena, or Snowflake.
To set up the connections, administrators must first ensure their network configuration allows communication between Studio and the data sources and then grant the necessary IAM permissions to allow Studio to access the data sources. For information on how administrators can set up the networking, see [Configure network access between Studio and data sources (for administrators)](sagemaker-sql-extension-networking.md). For information on what policies must be setup, see [Set up the IAM permissions to access the data sources (for administrators)](sagemaker-sql-extension-datasources-connection-permissions.md). Once the connections are set up, data scientists can use the SQL extension in their JupyterLab notebooks to browse and query the connected data sources.
**Note**
We recommend storing your database access credentials as a secret in Secrets Manager. To learn about how to create secrets for storing Amazon Redshift or Snowflake access credentials, see [Create secrets for database access credentials in Secrets Manager](sagemaker-sql-extension-glue-connection-secrets.md).
This section explains how to set up an AWS Glue connection and lists the IAM permissions required for the Studio JupyterLab application to access the data through the connection.
**Note**
[Amazon SageMaker Assets](sm-assets.md) integrates [Amazon DataZone](https://docs.aws.amazon.com/datazone/latest/userguide/what-is-datazone.html) with Studio. It includes a SageMaker AI blueprint for administrators to create Studio environments from Amazon DataZone projects within an Amazon DataZone domain.
Users of a JupyterLab application launched from a Studio domain created with the blueprint can automatically access AWS Glue connections to data assets in their Amazon DataZone catalog when using the SQL extension. This allows querying those data sources without manually setting up connections.
**Topics**
+ [Create secrets for database access credentials in Secrets Manager](sagemaker-sql-extension-glue-connection-secrets.md)
+ [Create AWS Glue connections (for administrators)](sagemaker-sql-extension-datasources-glue-connection.md)
+ [Create user-defined AWS Glue connections](sagemaker-sql-extension-datasources-glue-connection-user-defined.md)
+ [Set up the IAM permissions to access the data sources (for administrators)](sagemaker-sql-extension-datasources-connection-permissions.md)
# Create secrets for database access credentials in Secrets Manager
Before creating your connection, we recommend storing your database access credentials as a secret in AWS Secrets Manager. Alternatively, you can generate temporary database credentials based on permissions granted through an AWS Identity and Access Management (IAM) permissions policy to manage the access that your users have to your database. For more information, see [Using IAM authentication to generate database user credentials](https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html)
## Create a secret for Amazon Redshift access credentials
**To store Amazon Redshift information in AWS Secrets Manager**
1. From the AWS Management Console, navigate to Secrets Manager.
1. Choose **Store a new secret**.
1. Under **Secret type**, choose **Credentials for Amazon Redshift**.
1. Enter the administrator username and password configured when launching the Amazon Redshift cluster.
1. Select the Amazon Redshift cluster associated with the secrets.
1. Name your secret.
1. The remaining settings can be left at their default values for initial secret creation, or customized if required.
1. Create the secret and retrieve its ARN.
## Create a secret for Amazon Redshift Serverless access credentials
**If you need to connect to Amazon Redshift Serverless, follow these steps**
1. From the AWS Management Console, navigate to Secrets Manager.
1. Choose **Store a new secret**.
1. Under **Secret type**, choose **Other type of secret**.
1. In the **Key-value pairs**, choose **Plaintext**, and then copy the following JSON content. Replace the user, and password with their actual values:
```
{
"user": "redshift_user",
"password": "redshift_password"
}
```
1. Create the secret and retrieve its ARN..
1. When creating a new connection in SQL extension in JupyterLab, supply all other Amazon Redshift connection parameters as needed.
## Create a secret for Snowflake access credentials
This section provides details on the secret and connection properties in JSON definition files that are specific to Snowflake. Before creating your connection, we recommend storing your Snowflake access credentials as a secret in Secrets Manager.
**To store Amazon Redshift information in Secrets Manager**
1. From the AWS Management Console, navigate to Secrets Manager.
1. Choose **Store a new secret**.
1. Under **Secret type**, choose **Other type of secret**.
1. In the key-value pair, choose **Plaintext**, and then copy the following JSON content. Replace the `user`, `password`, and `account` by their values.
```
{
"user":"snowflake_user",
"password":"snowflake_password",
"account":"account_id"
}
```
1. Name the secret.
1. The remaining settings can be left at their default values for initial secret creation, or customized if required.
1. Create the secret and retrieve its ARN.
# Create AWS Glue connections (for administrators)
To use data sources with the SQL extension, administrators can set up AWS Glue connections for each data source. These connections store the necessary configuration details to access and interact with the data sources. Once the connections are created, and the [appropriate permissions](sagemaker-sql-extension-datasources-connection-permissions.md) are granted, the connections become visible to all users of the [Amazon SageMaker Studio spaces](studio-updated-spaces.md) that share the same execution role.
To create these connections:
+ First, create a JSON file that defines the connection properties for each data source. The JSON file includes details such as the data source identifier, access credentials, and other relevant configuration parameters to access the data sources through the AWS Glue connections.
+ Then use the AWS Command Line Interface (AWS CLI) to create the AWS Glue connection, passing the JSON file as a parameter. The AWS CLI command reads the connection details from the JSON file and establishes the appropriate connection.
**Note**
The SQL extension supports creating connections using the AWS CLI only.
Before creating AWS Glue connections, ensure that you complete the following steps:
+ Install and configure the AWS Command Line Interface (AWS CLI). For more information about how to install and configure the AWS CLI, see [About AWS CLI version 2](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html). Ensure that the access keys and tokens of the IAM user or role used to configure the AWS CLI have the required permissions to create AWS Glue connections. Add a policy that allows the `glue:CreateConnection` action otherwise.
+ Understand how to use AWS Secrets Manager. We recommend that you use Secrets Manager to provide connection credentials and any other sensitive information for your data store. For more information on using Secrets Manager to store credentials, see [Storing connection credentials in AWS Secrets Manager](https://docs.aws.amazon.com/glue/latest/dg/connection-properties-secrets-manager.html).
## Create a connection definition JSON file
To create an AWS Glue connection definition file, create a JSON file to define the connection details on the machine where you have installed and configured the AWS CLI. For this example, name the file `sagemaker-sql-connection.json`.
The connection definition file should follow the following general format:
+ **Name** is the name for the connection.
+ **Description** is a textual description of the connection.
+ **ConnectionType** is the type of connection. Choose `REDSHIFT`, `ATHENA`, or `SNOWFLAKE`.
+ **ConnectionProperties** is a map of key-value pairs for the connection properties, such as the ARN of your AWS secret, or the name of your database.
```
{
"ConnectionInput": {
"Name": ,
"Description": ,
"ConnectionType": "REDSHIFT | ATHENA | SNOWFLAKE",
"ConnectionProperties": {
"PythonProperties": "{\"aws_secret_arn\": , \"database\": <...>}"
}
}
}
```
**Note**
The properties within the `ConnectionProperties` key consist of stringified key-value pairs. Escape any double quotes used in the keys or values with a backslash (`\`) character.
All properties available in Secrets Manager can also be directly provided through `PythonProperties`. However, it is not recommended to include sensitive fields such as passwords in `PythonProperties`. Instead, the preferred approach is to use Secrets Manager.
Connection definition files specific to different data stores can be found in the following sections.
The connection definition files for each data source contain the specific properties and configuration required to connect to those data stores from the SQL extension. Refer to the appropriate section for details on defining connections to that source.
+ To create an AWS Glue connection for Amazon Redshift, see the sample definition file in [Configure an AWS Glue connection for Amazon Redshift](#sagemaker-sql-extension-redshift-glue-connection-config).
+ To create an AWS Glue connection for Amazon Athena, see the sample definition file in [Configure an AWS Glue connection for Athena](#sagemaker-sql-extension-athena-glue-connection-config).
+ To create an AWS Glue connection for Snowflake, see the sample definition file in [Configure an AWS Glue connection for Snowflake](#sagemaker-sql-extension-snowflake-glue-connection-config).
### Configure an AWS Glue connection for Amazon Redshift
This section provides details on the secret and connection properties in JSON definition files that are specific to Amazon Redshift. Before creating your connection configuration file, we recommend storing your Amazon Redshift access credentials as a secret in Secrets Manager. Alternatively, you can generate temporary database credentials based on permissions granted through an AWS Identity and Access Management (IAM) permissions policy to manage the access that your users have to your Amazon Redshift database. For more information, see [Using IAM authentication to generate database user credentials](https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html).
#### Create a secret for Amazon Redshift access credentials
**To store Amazon Redshift information in AWS Secrets Manager**
1. From the AWS console, navigate to Secrets Manager.
1. Choose **Store a new secret**.
1. Under **Secret type**, choose **Credentials for Amazon Redshift**.
1. Enter the administrator username and password configured when launching the Amazon Redshift cluster.
1. Select the Amazon Redshift cluster associated with the secrets.
1. Name your secret.
1. The remaining settings can be left at their default values for initial secret creation, or customized if required.
1. Create the secret and retrieve its ARN.
#### Configure an AWS Glue connection for Amazon Redshift
The SQL extension connects to data sources using custom AWS Glue connections. For general information on creating AWS Glue connections to connect a data source, see [Create AWS Glue connections (for administrators)](#sagemaker-sql-extension-datasources-glue-connection). The following example is a sample AWS Glue connection definition for connecting to Amazon Redshift.
Before creating a new connection, keep these recommendations in mind:
+ The properties within the `PythonProperties` key consist of stringified key-value pairs. Escape any double quotes used in the keys or values with a backslash (`\`) character.
+ In the connection definition file, enter the name and description of the connection, replace the ARN of the secret in `aws_secret_arn` with the ARN of the secret previously created.
+ Ensure that the database declared by its name in the connection definition above matches the cluster database. You can verify this by going to the cluster details page on [Amazon Redshift console](https://console.aws.amazon.com/redshiftv2/), and verifying the database name under **Database configurations** in **Properties** section.
+ For additional parameters, see the list of connection properties supported by Amazon Redshift in [Amazon Redshift connection parameters](sagemaker-sql-extension-connection-properties.md#sagemaker-sql-extension-connection-properties-redshift).
**Note**
By default, the SQL extension connector for Python runs all queries in a transaction, unless the `auto_commit` in connection properties is set to `true`.
You can add all connection parameters, including the `database` name, to a secret.
```
{
"ConnectionInput": {
"Name": "Redshift connection name",
"Description": "Redshift connection description",
"ConnectionType": "REDSHIFT",
"ConnectionProperties": {
"PythonProperties":"{\"aws_secret_arn\": \"arn:aws:secretsmanager:region:account_id:secret:secret_name\", \"database\":\"database_name\", \"database_metadata_current_db_only\": false}"
}
}
}
```
Once your definition file is updated, follow the steps in [Create AWS Glue connections](#sagemaker-sql-extension-datasources-glue-connection-creation) to create your AWS Glue connection.
### Configure an AWS Glue connection for Athena
This section provides details on the connection properties in JSON definition files that are specific to Athena.
#### Configure an AWS Glue connection for Athena
The SQL extension connects to data sources using custom AWS Glue connections. For general information on creating AWS Glue connections to connect a data source, see [Create AWS Glue connections (for administrators)](#sagemaker-sql-extension-datasources-glue-connection). The following example is a sample AWS Glue connection definition for connecting to Athena.
Before creating a new connection, keep these recommendations in mind:
+ The properties within the `ConnectionProperties` key consist of stringified key-value pairs. Escape any double quotes used in the keys or values with a backslash (`\`) character.
+ In the connection definition file, enter the name and description of the connection, replace the `catalog_name` with the name of your catalog, `s3_staging_dir` with the Amazon S3 URI (Uniform Resource Identifier) of your output directory in your Amazon S3 bucket, and the `region_name` with the region of your Amazon S3 bucket.
+ For additional parameters, refer to the list of connection properties supported by Athena in [Athena connection parameters](sagemaker-sql-extension-connection-properties.md#sagemaker-sql-extension-connection-properties-athena).
**Note**
You can add all connection parameters, including the `catalog_name` or `s3_staging_dir`, to a secret.
If you specify a `workgroup`, you don't need to specify `s3_staging_dir`.
```
{
"ConnectionInput": {
"Name": "Athena connection name",
"Description": "Athena connection description",
"ConnectionType": "ATHENA",
"ConnectionProperties": {
"PythonProperties": "{\"catalog_name\": \"catalog_name\",\"s3_staging_dir\": \"s3://amzn-s3-demo-bucket_in_same_region/output_query_results_dir/\", \"region_name\": \"region\"}"
}
}
}
```
Once your definition file is updated, follow the steps in [Create AWS Glue connections](#sagemaker-sql-extension-datasources-glue-connection-creation) to create your AWS Glue connection.
### Configure an AWS Glue connection for Snowflake
This section provides details on the secret and connection properties in JSON definition files that are specific to Snowflake. Before creating your connection configuration file, we recommend storing your Snowflake access credentials as a secret in Secrets Manager.
#### Create a secret for Snowflake access credentials
**To store Amazon Redshift information in Secrets Manager**
1. From the AWS console, navigate to AWS Secrets Manager.
1. Choose **Store a new secret**.
1. Under **Secret type**, choose **Other type of secret**.
1. In the key-value pair, choose **Plaintext**, and then copy the following JSON content. Replace the `user`, `password`, and `account` by their values.
```
{
"user":"snowflake_user",
"password":"snowflake_password",
"account":"account_id"
}
```
1. Name the secret.
1. The remaining settings can be left at their default values for initial secret creation, or customized if required.
1. Create the secret and retrieve its ARN.
#### Configure an AWS Glue connection for Snowflake
The SQL extension connects to data sources using custom AWS Glue connections. For general information on creating AWS Glue connections to connect a data source, see [Create AWS Glue connections (for administrators)](#sagemaker-sql-extension-datasources-glue-connection). The following example is a sample AWS Glue connection definition for connecting to Snowflake.
Before creating a new connection, keep these recommendations in mind:
+ The properties within the `ConnectionProperties` key consist of stringified key-value pairs. Escape any double quotes used in the keys or values with a backslash (`\`) character.
+ In the connection definition file, enter the name and description of the connection, then replace the ARN of the secret in `aws_secret_arn` with the ARN of the secret previously created, and your account ID in `account`.
+ For additional parameters, refer to the list of connection properties supported by Snowflake in [Snowflake connection parameters](sagemaker-sql-extension-connection-properties.md#sagemaker-sql-extension-connection-properties-snowflake).
**Note**
You can add all connection parameters, including the `account`, to a secret.
```
{
"ConnectionInput": {
"Name": "Snowflake connection name",
"Description": "Snowflake connection description",
"ConnectionType": "SNOWFLAKE",
"ConnectionProperties": {
"PythonProperties": "{\"aws_secret_arn\": \"arn:aws:secretsmanager:region:account_id:secret:secret_name\", \"account\":\"account_id\"}"}"
}
}
}
```
Once your definition file is updated, follow the steps in [Create AWS Glue connections](#sagemaker-sql-extension-datasources-glue-connection-creation) to create your AWS Glue connection.
## Create AWS Glue connections
To create an AWS Glue connection through the AWS CLI, use your connection definition file and run this AWS CLI command. Replace the `region` placeholder with your AWS Region name and provide the local path to your definition file.
**Note**
The path to your configuration definition file must be preceded by `file://`.
```
aws --region region glue create-connection --cli-input-json file://path_to_file/sagemaker-sql-connection.json
```
Verify that the AWS Glue connection was created by running the following command and check for your connection name.
```
aws --region region glue get-connections
```
Alternatively, you can update an existing AWS Glue connection as follows:
+ Modify the AWS Glue connection definition file as required.
+ Run the following command to update the connection.
```
aws --region region glue update-connection --name glue_connection_name --cli-input-json file://path_to_file/sagemaker-sql-connection.json
```
# Create user-defined AWS Glue connections
**Note**
All AWS Glue connections created by users via the SQL extension UI are automatically tagged with the following:
`UserProfile: user-profile-name`
`AppType: "JL"`
Those tags applied to the AWS Glue connections created via the SQL extension UI serve two purposes. The `"UserProfile": user-profile-name` tag allows the identification of the specific user profile that created the AWS Glue connection, providing visibility into the user responsible for the connection. The `"AppType": "JL"` tag categorizes the provenance of the connection, associating it with the JupyterLab application. This allows these connections to be differentiated from those that may have been created through other means, such as the AWS CLI.
## Prerequisites
Before creating a AWS Glue connection using the SQL extension UI, ensure that you have completed the following tasks:
+ Have your administrator:
+ Enable the network communication between your Studio domain and the data sources to which you want to connect. To learn about the networking requirements, see [Configure network access between Studio and data sources (for administrators)](sagemaker-sql-extension-networking.md).
+ Ensure that the necessary IAM permissions are set up for managing AWS Glue connections and access to Secrets Manager. To learn about the required permissions, see [Set up the IAM permissions to access the data sources (for administrators)](sagemaker-sql-extension-datasources-connection-permissions.md).
**Note**
Administrators can restrict user access to only the connections that were created by a user within the JupyterLab application. This can be done by configuring [tag-based access control](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-sql-extension-datasources-connection-permissions.html#user-defined-connections-permissions) scoped down to the user profile.
+ Check the connection properties and instructions to create a secret for your data source in [Create secrets for database access credentials in Secrets Manager](sagemaker-sql-extension-glue-connection-secrets.md).
## User workflow
The following steps provide the user workflow when creating user connections:
1. **Select the data source type**: Upon choosing the *Add new connection* icon, a form opens, prompting the user to select the type of data source they want to connect to, such as Amazon Redshift, Athena, or Snowflake.
1. **Provide connection properties**: Based on the selected data source, the relevant connection properties are dynamically loaded. The form indicates which fields are mandatory or optional for the chosen data source. To learn about the available properties for your data source, see [Connection parameters](sagemaker-sql-extension-connection-properties.md).
1. **Select your AWS Secrets Manager ARN**: For Amazon Redshift and Snowflake data sources, the user is prompted to select the AWS Secrets Manager ARN that stores sensitive information such as the username and password. To learn about the creation of a secret for your data source, see [Create secrets for database access credentials in Secrets Manager](sagemaker-sql-extension-glue-connection-secrets.md).
1. **Save your connection details**: Upon clicking **Create**, the provided connection properties are saved as a AWS Glue connection.
1. **Test your connection**: If the connection is successful, the associated databases and tables become visible in the explorer. If the connection fails, an error message is displayed, prompting the user to review and correct the connection details.
1. **Familiarize with SQL extension features**: To learn about the capabilities of the extension, see the [SQL extension features and usage](sagemaker-sql-extension-features.md).
1. **(Optional) Update or delete user-created connections**: Provided that the user has been granted the necessary permissions, they can update or delete the connections they have created. To learn more about the required permissions, see [User-defined connections required IAM permissions](sagemaker-sql-extension-datasources-connection-permissions.md#user-defined-connections-permissions).
# Set up the IAM permissions to access the data sources (for administrators)
Administrators should ensure that the execution role used by the JupyterLab applications has the necessary AWS IAM permissions to access the data through the configured AWS Glue connections.
+ **Connections created by administrators using the AWS CLI**: To view the AWS Glue connections [created by administrators](sagemaker-sql-extension-datasources-glue-connection.md) and access their data, users need to have their administrator attach specific permissions to the SageMaker AI execution role used by their JupyterLab application in Studio. This includes access to AWS Glue, Secrets Manager, and database-specific permissions. Connections created by administrators are visible to all applications sharing the execution role granted the permissions to view specific AWS Glue catalogs or databases. To learn about the list of required permissions per type of data source, see the admin-defined connections permissions in [Admin-defined connections required IAM permissions](#admin-defined-connections-permissions).
+ **Connections created by users using the SQL extension UI in JupyterLab**: Connections [created by user profiles](sagemaker-sql-extension-datasources-glue-connection-user-defined.md) sharing the same execution role will also be listed unless the visibility of their connections is scoped down to only those created by the user. Connections created by users are tagged with the user profile that created them. To restrict the ability to view, update, or delete those user-created connections to only the user who created them, administrators can add additional tag-based access control restrictions to the execution role IAM permissions. To learn about the additional tag-based access control required, see [User-defined connections required IAM permissions](#user-defined-connections-permissions).
## Admin-defined connections required IAM permissions
To grant the SageMaker AI execution role used by your JupyterLab application in Studio access to a data source through an AWS Glue connection, attach the following inline policy to the role.
To view the specific permissions and policy details for each data source or authentication method, choose the relevant connection type below.
**Note**
We recommend limiting your policy's permissions to only the resources and actions required.
To scope down policies and grant least privilege access, replace wildcard `"Resource": ["*"]` in your policy with specific ARNs for the exact resources needing access. For more information about how to control access to your resources, see [Fine-tune AWS resource access with granular ARN permissions](#resource-access-control).
### All connection types
**Note**
We strongly recommend scoping down this policy to only the actions and resources required.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GetS3AndDataSourcesMetadata",
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetSchema",
"glue:GetTables",
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"glue:GetDatabase",
"glue:GetTable",
"glue:ListSchemas",
"glue:GetPartitions"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:glue:us-east-1:111122223333:catalog",
"arn:aws:glue:us-east-1:111122223333:connection/*"
]
},
{
"Sid": "ExecuteQueries",
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata",
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:RunQuery",
"athena:StartSession",
"athena:GetQueryResults",
"athena:ListWorkGroups",
"s3:ListMultipartUploadParts",
"s3:ListBucket",
"s3:GetBucketLocation",
"athena:GetDataCatalog",
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:PutObject",
"athena:GetWorkGroup"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:athena:us-east-1:111122223333:workgroup/workgroup-name"
]
},
{
"Sid": "GetGlueConnections",
"Effect": "Allow",
"Action": [
"glue:GetConnections",
"glue:GetConnection"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:catalog",
"arn:aws:glue:us-east-1:111122223333:connection/*"
]
},
{
"Sid": "GetSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"
]
},
{
"Sid": "GetClusterCredentials",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:us-east-1:111122223333:cluster:cluster-name"
]
}
]
}
```
------
### Athena
**Note**
We strongly recommend scoping down this policy to only the resources required.
For more information, see *Example IAM permissions policies* in [Athena documentation](https://docs.aws.amazon.com/athena/latest/ug/federated-query-iam-access.html).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GetS3AndDataSourcesMetadata",
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetSchema",
"glue:GetTables",
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation",
"glue:GetDatabase",
"glue:GetTable",
"glue:ListSchemas",
"glue:GetPartitions"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:glue:us-east-2:111122223333:catalog",
"arn:aws:glue:us-east-2:111122223333:connection/*"
]
},
{
"Sid": "ExecuteAthenaQueries",
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:ListTableMetadata",
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:RunQuery",
"athena:StartSession",
"athena:GetQueryResults",
"athena:ListWorkGroups",
"s3:ListMultipartUploadParts",
"s3:ListBucket",
"s3:GetBucketLocation",
"athena:GetDataCatalog",
"s3:AbortMultipartUpload",
"s3:GetObject",
"s3:PutObject",
"athena:GetWorkGroup"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:athena:us-east-2:111122223333:workgroup/workgroup-name"
]
},
{
"Sid": "GetGlueConnections",
"Effect": "Allow",
"Action": [
"glue:GetConnections",
"glue:GetConnection"
],
"Resource": [
"arn:aws:glue:us-east-2:111122223333:catalog",
"arn:aws:glue:us-east-2:111122223333:connection/*"
]
},
{
"Sid": "GetSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
]
}
]
}
```
------
### Amazon Redshift and Amazon Redshift Serverless (username & password auth) / Snowflake
**Note**
We strongly recommend scoping down this policy to only the resources required.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GetS3Metadata",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Sid": "GetGlueConnections",
"Effect": "Allow",
"Action": [
"glue:GetConnections",
"glue:GetConnection"
],
"Resource": [
"arn:aws:glue:us-east-2:111122223333:catalog",
"arn:aws:glue:us-east-2:111122223333:connection/*"
]
},
{
"Sid": "GetSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
]
}
]
}
```
------
### Amazon Redshift (IAM auth)
**Note**
We strongly recommend scoping down this policy to only the resources required.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GetS3Metadata",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Sid": "GetGlueConnections",
"Effect": "Allow",
"Action": [
"glue:GetConnections",
"glue:GetConnection"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:catalog",
"arn:aws:glue:us-east-1:111122223333:connection/*",
"arn:aws:glue:us-east-1:111122223333:connection/connection-name"
]
},
{
"Sid": "GetSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name",
"arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name-with-suffix"
]
},
{
"Sid": "GetClusterCredentials",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:us-east-1:111122223333:cluster:cluster-name",
"arn:aws:redshift:us-east-1:111122223333:dbuser:cluster-name/db-user-name"
]
}
]
}
```
------
### Amazon Redshift serverless (IAM auth)
**Note**
We strongly recommend scoping down this policy to only the resources required.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GetS3Metadata",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Sid": "GetGlueConnections",
"Effect": "Allow",
"Action": [
"glue:GetConnections",
"glue:GetConnection"
],
"Resource": [
"arn:aws:glue:us-east-2:111122223333:catalog",
"arn:aws:glue:us-east-2:111122223333:connection/*"
]
},
{
"Sid": "GetSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
]
},
{
"Sid": "GetRedshiftServerlessCredentials",
"Effect": "Allow",
"Action": [
"redshift-serverless:GetCredentials"
],
"Resource": [
"arn:aws:redshift-serverless:us-east-2:111122223333:namespace/namespace-id"
]
}
]
}
```
------
## User-defined connections required IAM permissions
The IAM policy permissions for a user can account for the presence of the `UserProfile` tag on AWS Glue connection resources.
+ **For viewing AWS Glue connections**:
+ Users can view all connections that do not have the `UserProfile` tag (created by an administrator).
+ Users can view connections that have the `UserProfile` tag with the same value as their user profile name.
+ Users cannot view connections that have the `UserProfile` tag with a different value than their user profile name.
+ **For updating or deleting AWS Glue connections**:
+ Users can update or delete a connection that has the `UserProfile` tag with the same value as their user profile name.
+ Users cannot update or delete a connection that has the `UserProfile` tag with a different value than their user profile name.
+ Users cannot update or delete connections that do not have the `UserProfile` tag.
To achieve this, administrators must grant the execution role used by the user profile's JupyterLab application additional permissions beyond their existing [admin-defined connections permissions](#admin-defined-connections-permissions). Specifically, in addition to the permissions required for accessing admin-defined AWS Glue connections, the following two additional IAM permissions must be granted to the user's execution role:
+ Permission to create AWS Glue connections and associate the `UserProfile` tag with the value of the user's profile name.
+ Permission to view, update, and delete AWS Glue connections that have the `UserProfile` tag matching the user's profile name.
This permission restricts access to AWS Glue connections based on a specific user profile tag value. Update the `UserProfile` tag value with the profile name of the user you want to target.
```
"Action": [
"glue:GetConnection",
"glue:GetConnections"
],
"Resource": [
"arn:aws:glue:region:account_id:connection/*"
],
"Condition": {
"StringEqualsIfExists": {
"aws:ResourceTag/UserProfile": "user_profile_name"
}
}
```
This permission restricts the ability to create, update, and delete user-created connections to only the connections created by the user profile with the specified `UserProfile` tag value.
```
"Action": [
"glue:DeleteConnection",
"glue:UpdateConnection",
"glue:CreateConnection",
"glue:TagResource"
],
"Resource": [
"arn:aws:glue:region:account_id:connection/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/UserProfile": "user_profile"
}
}
```
## Fine-tune AWS resource access with granular ARN permissions
For finer-grained control over access to your AWS resources, replace the wildcard resource `"Resource": ["*"]` in your policies with the specific Amazon Resource Names (ARNs) of only those resources that require access. Using the exact ARNs rather than a wildcard restricts access to the intended resources.
+ **Use specific Amazon S3 bucket ARNs**
For example `"arn:aws:s3:::bucket-name"` or ` "arn:aws:s3:::bucket-name/*"` for bucket-level or object-level operations.
For information about all resource types in Amazon S3, see [Resource types defined by Amazon S3](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies).
+ **Use specific AWS Glue database ARNs**
For example ` "arn:aws:glue:region:account-id:catalog"` or ` "arn:aws:glue:region:account-id:database/db-name"`. For information about all resource types in AWS Glue, see [Resource types defined by AWS Glue](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsglue.html#awsglue-resources-for-iam-policies).
+ **Use specific Athena workgroup ARNs**
For example `"arn:aws:athena:region:account-id:workgroup/workgroup-name"`. For information about all resource types in Athena, see [Resource types defined by Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html#amazonathena-resources-for-iam-policies).
+ **Use specific AWS Secrets Manager secret ARNs**
For example `"arn:aws:secretsmanager:region:account-id:secret:secret-name"`. For information about all resource types in AWS Secrets Manager, see [Resource types defined by AWS Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html#awssecretsmanager-resources-for-iam-policies)
+ **Use specific Amazon Redshift cluster ARNs**
For example `"arn:aws:redshift:region:account-id:cluster:cluster-name"`. For information about resource types in Amazon Redshift, see [Resource types defined by Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html#amazonredshift-resources-for-iam-policies). For information about all resource types in Redshift Serverless, see [Resource types defined by Redshift Serverless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftserverless.html#amazonredshiftserverless-resources-for-iam-policies).