Configure Permissions
Create a Policy for Amazon S3 Bucket (Console)
- Sign in to the IAM console at https://console.aws.amazon.com/iam/ with your user that has administrator permissions.
- In the navigation pane, choose Policies.
- In the content pane, choose Create policy.
- Select the “JSON” tab.
- Paste the following policy into the text area. DO NOT FORGET TO REPLACE “YOUR-BUCKET-NAME” WITH YOUR BUCKET NAME (it appears twice, once for the bucket itself and once for the objects in it).
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "s0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:ListBucket",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::YOUR-BUCKET-NAME",
                    "arn:aws:s3:::YOUR-BUCKET-NAME/*"
                ]
            }
        ]
    }
- Click “Review policy”
- Enter “BYOD-S3Policy” as the name of the policy.
- Click “Create policy”
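The placeholder warning in the steps above can be run as a pre-flight check before the policy is pasted into the console. The following Python is an added example, not part of the original workshop; `lint_policy`, the constructed bucket name `byod-demo-bucket` and the simplified bucket-name pattern are assumptions made for illustration.

```python
import json
import re

# Actions from the page's policy, grouped by the ARN form each one applies to.
BUCKET_ACTIONS = {"s3:ListBucket"}  # bucket ARN, no trailing /*
OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}  # bucket ARN + /*
# Simplified bucket-name check (assumption: lowercase, digits, dots, hyphens, 3-63 chars).
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# The page's policy as pasted, with the placeholder still in place.
TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "s0", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::YOUR-BUCKET-NAME", "arn:aws:s3:::YOUR-BUCKET-NAME/*"]}]})

def _as_list(v):
    # IAM allows a single string/object where a list is expected.
    return [v] if isinstance(v, (str, dict)) else list(v)

def lint_policy(policy_json, bucket):
    """Return findings; an empty list means the policy is scoped to `bucket` only."""
    findings = []
    if not BUCKET_RE.match(bucket):
        findings.append(f"invalid bucket name: {bucket!r}")
    bucket_arn, object_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    for st in _as_list(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        for a in actions:
            if "*" in a:
                findings.append(f"wildcard action: {a}")
            elif a not in BUCKET_ACTIONS | OBJECT_ACTIONS:
                findings.append(f"action not in the workshop policy: {a}")
        for r in resources:
            if "YOUR-BUCKET-NAME" in r:
                findings.append(f"placeholder not replaced: {r}")
            elif r not in (bucket_arn, object_arn):
                findings.append(f"resource outside bucket {bucket}: {r}")
        if BUCKET_ACTIONS & set(actions) and bucket_arn not in resources:
            findings.append("s3:ListBucket needs the bucket ARN without /*")
        if OBJECT_ACTIONS & set(actions) and object_arn not in resources:
            findings.append("object actions need the bucket ARN followed by /*")
    return findings

if __name__ == "__main__":
    print(lint_policy(TEMPLATE, "byod-demo-bucket"))  # placeholder findings
    print(lint_policy(TEMPLATE.replace("YOUR-BUCKET-NAME", "byod-demo-bucket"), "byod-demo-bucket"))
```
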
Create a Role for AWS Service Glue (Console)
- Open the IAM console at https://console.aws.amazon.com/iam/.
- In the navigation pane of the IAM console, choose Roles, and then choose Create role.
- For Select type of trusted entity, choose AWS service.
- Choose Glue as the service that you want to allow to assume this role.
- Choose Next: Permissions.
- Mark “AWSGlueServiceRole” policy as checked to attach to the role.
- Mark “BYOD-S3Policy” policy as checked to attach to the role.
- Choose Next: Tags.
- (Optional) Add metadata to the role by attaching tags as key–value pairs. For more information about using tags in IAM, see Tagging IAM Users and Roles.
- Choose Next: Review.
- For Role name, enter “glue-processor-role”.
- Review the role and then choose Create role.
NOTE: “AWSGlueServiceRole” is an AWS managed policy that provides Glue with the permissions it needs to access S3 data. However, you still need to allow Glue to access your specific S3 bucket by attaching the “BYOD-S3Policy” policy you created.