Permissions for @turbot/aws-glue
Taking a look at permissions and associated grant levels for each permission for Glue:
| Permission | Grant Level | Help |
|---|---|---|
| cloudformation:DescribeStacks | Metadata | |
| cloudformation:GetTemplateSummary | Metadata | |
| ec2:DescribeInstances | Metadata | |
| ec2:DescribeKeyPairs | Metadata | |
| ec2:DescribeRouteTables | Metadata | |
| ec2:DescribeSecurityGroups | Metadata | |
| ec2:DescribeSubnets | Metadata | |
| ec2:DescribeVpcAttribute | Metadata | |
| ec2:DescribeVpcEndpoints | Metadata | |
| ec2:DescribeVpcs | Metadata | |
| glue:BatchCreatePartition | Admin | Creates one or more partitions in a batch operation. |
| glue:BatchDeleteConnection | Admin | Deletes a list of connection definitions from the Data Catalog. |
| glue:BatchDeletePartition | Admin | |
| glue:BatchDeleteTable | Admin | |
| glue:BatchDeleteTableVersion | Admin | |
| glue:BatchGetBlueprints | Metadata | |
| glue:BatchGetCrawlers | Metadata | |
| glue:BatchGetDevEndpoints | Metadata | |
| glue:BatchGetJobs | Metadata | |
| glue:BatchGetPartition | Metadata | |
| glue:BatchGetTriggers | Metadata | |
| glue:BatchGetWorkflows | Metadata | |
| glue:BatchStopJobRun | Operator | |
| glue:BatchUpdatePartition | Admin | |
| glue:CancelMLTaskRun | Operator | |
| glue:CancelStatement | Operator | |
| glue:CheckSchemaVersionValidity | Operator | |
| glue:CreateBlueprint | Admin | |
| glue:CreateClassifier | Admin | Admin can creates a classifier in the user's account. |
| glue:CreateConnection | Admin | Admins can create a new Crawler with specified targets or role or configuration or optional schedule. At least one crawl target must be specified in either the s3Targets or the jdbcTargets field. |
| glue:CreateCrawler | Admin | |
| glue:CreateDatabase | Admin | |
| glue:CreateDevEndpoint | Admin | |
| glue:CreateJob | Admin | |
| glue:CreateMLTransform | Admin | |
| glue:CreatePartition | Admin | |
| glue:CreatePartitionIndex | Admin | |
| glue:CreateRegistry | Admin | |
| glue:CreateSchema | Admin | |
| glue:CreateScript | Operator | |
| glue:CreateSecurityConfiguration | Admin | |
| glue:CreateSession | Admin | |
| glue:CreateTable | Admin | This can take cross account S3 bucket as data inout store. Cross account S3 access is controlled by S3. Guardrails may come up secific guardrail in future. |
| glue:CreateTrigger | Admin | |
| glue:CreateUserDefinedFunction | Admin | Creates a new function definition in the Data Catalog. |
| glue:CreateWorkflow | Admin | |
| glue:DeleteBlueprint | Admin | |
| glue:DeleteClassifier | Admin | |
| glue:DeleteColumnStatisticsForPartition | Admin | |
| glue:DeleteColumnStatisticsForTable | Admin | |
| glue:DeleteConnection | Admin | |
| glue:DeleteCrawler | Admin | |
| glue:DeleteDatabase | Admin | |
| glue:DeleteDevEndpoint | Admin | |
| glue:DeleteJob | Admin | |
| glue:DeleteMLTransform | Admin | |
| glue:DeletePartition | Admin | |
| glue:DeletePartitionIndex | Admin | |
| glue:DeleteRegistry | Admin | |
| glue:DeleteResourcePolicy | Admin | Deletes a specified policy. |
| glue:DeleteSchema | Admin | |
| glue:DeleteSchemaVersions | Admin | |
| glue:DeleteSecurityConfiguration | Admin | |
| glue:DeleteSession | Admin | |
| glue:DeleteTable | Admin | |
| glue:DeleteTableVersion | Admin | |
| glue:DeleteTrigger | Admin | |
| glue:DeleteUserDefinedFunction | Admin | |
| glue:DeleteWorkflow | Admin | |
| glue:GetBlueprint | Metadata | |
| glue:GetBlueprintRun | Metadata | |
| glue:GetBlueprintRuns | Metadata | |
| glue:GetCatalogImportStatus | Metadata | |
| glue:GetClassifier | Metadata | |
| glue:GetClassifiers | Metadata | |
| glue:GetColumnStatisticsForPartition | Metadata | |
| glue:GetColumnStatisticsForTable | Metadata | |
| glue:GetConnection | Metadata | Retrieves a connection definition from the Data Catalog. http://docs.aws.amazon.com/glue/latest/webapi/API\_GetConnection.html |
| glue:GetConnections | Metadata | |
| glue:GetCrawler | Metadata | |
| glue:GetCrawlerMetrics | Metadata | |
| glue:GetCrawlers | Metadata | |
| glue:GetDataCatalogEncryptionSettings | Metadata | |
| glue:GetDatabase | Metadata | |
| glue:GetDatabases | Metadata | |
| glue:GetDataflowGraph | Metadata | |
| glue:GetDevEndpoint | Metadata | |
| glue:GetDevEndpoints | Metadata | |
| glue:GetJob | Metadata | |
| glue:GetJobBookmark | Metadata | |
| glue:GetJobRun | Metadata | |
| glue:GetJobRuns | Metadata | |
| glue:GetJobs | Metadata | |
| glue:GetMLTaskRun | Metadata | |
| glue:GetMLTaskRuns | Metadata | |
| glue:GetMLTransform | Metadata | |
| glue:GetMLTransforms | Metadata | |
| glue:GetMapping | Operator | Operator can create the mappings. http://docs.aws.amazon.com/glue/latest/webapi/API\_GetMapping.html |
| glue:GetPartition | Metadata | |
| glue:GetPartitionIndexes | Metadata | |
| glue:GetPartitions | Metadata | |
| glue:GetPlan | Metadata | |
| glue:GetRegistry | Metadata | |
| glue:GetResourcePolicies | Metadata | |
| glue:GetResourcePolicy | Metadata | |
| glue:GetSchema | Metadata | |
| glue:GetSchemaByDefinition | Metadata | |
| glue:GetSchemaVersion | Metadata | |
| glue:GetSchemaVersionsDiff | Metadata | |
| glue:GetSecurityConfiguration | Metadata | |
| glue:GetSecurityConfigurations | Metadata | |
| glue:GetSession | Metadata | |
| glue:GetStatement | Metadata | |
| glue:GetTable | Metadata | |
| glue:GetTableVersion | Metadata | |
| glue:GetTableVersions | Metadata | |
| glue:GetTables | Metadata | Retrieves the definitions of some or all of the tables in a given Database. |
| glue:GetTags | Metadata | |
| glue:GetTrigger | Metadata | |
| glue:GetTriggers | Metadata | |
| glue:GetUserDefinedFunction | Metadata | |
| glue:GetUserDefinedFunctions | Metadata | |
| glue:GetWorkflow | Metadata | |
| glue:GetWorkflowRun | Metadata | |
| glue:GetWorkflowRunProperties | Metadata | |
| glue:GetWorkflowRuns | Metadata | |
| glue:GetWorkflowRunsMetadata | Metadata | |
| glue:ImportCatalogToGlue | Admin | |
| glue:ListBlueprints | Metadata | |
| glue:ListCrawlers | Metadata | |
| glue:ListDevEndpoints | Metadata | |
| glue:ListJobs | Metadata | |
| glue:ListMLTransforms | Metadata | |
| glue:ListRegistries | Metadata | |
| glue:ListSchemaVersions | Metadata | |
| glue:ListSchemas | Metadata | |
| glue:ListSessions | Metadata | |
| glue:ListStatements | Metadata | |
| glue:ListTriggers | Metadata | |
| glue:ListWorkflows | Metadata | |
| glue:NotifyEvent | Operator | |
| glue:PutDataCatalogEncryptionSettings | Admin | Admins can set the security configuration for a specified catalog. Once set the specified encryption configuration is applied to every catalog write thereafter. |
| glue:PutResourcePolicy | Admin | Sets the Data Catalog resource policy for access control. |
| glue:PutSchemaVersionMetadata | Admin | |
| glue:PutWorkflowRunProperties | Admin | |
| glue:QuerySchemaVersionMetadata | Operator | |
| glue:RegisterSchemaVersion | Operator | |
| glue:RemoveSchemaVersionMetadata | Admin | |
| glue:ResetJobBookmark | Operator | |
| glue:ResumeWorkflowRun | Operator | |
| glue:RunStatement | Operator | |
| glue:SearchTables | Metadata | |
| glue:StartBlueprintRun | Operator | |
| glue:StartCrawler | Operator | |
| glue:StartCrawlerSchedule | Operator | |
| glue:StartExportLabelsTaskRun | Operator | |
| glue:StartImportLabelsTaskRun | Operator | |
| glue:StartJobRun | Operator | |
| glue:StartMLEvaluationTaskRun | Operator | |
| glue:StartMLLabelingSetGenerationTaskRun | Operator | |
| glue:StartTrigger | Operator | |
| glue:StartWorkflowRun | Operator | |
| glue:StopCrawler | Operator | |
| glue:StopCrawlerSchedule | Operator | |
| glue:StopSession | Operator | |
| glue:StopTrigger | Operator | |
| glue:StopWorkflowRun | Operator | |
| glue:TagResource | Operator | |
| glue:UntagResource | Operator | |
| glue:UpdateBlueprint | Admin | |
| glue:UpdateClassifier | Admin | |
| glue:UpdateColumnStatisticsForPartition | Admin | |
| glue:UpdateColumnStatisticsForTable | Admin | |
| glue:UpdateConnection | Admin | |
| glue:UpdateCrawler | Admin | |
| glue:UpdateCrawlerSchedule | Operator | |
| glue:UpdateDatabase | Admin | |
| glue:UpdateDevEndpoint | Admin | |
| glue:UpdateJob | Admin | |
| glue:UpdateMLTransform | Admin | |
| glue:UpdatePartition | Admin | |
| glue:UpdateRegistry | Admin | |
| glue:UpdateSchema | Admin | |
| glue:UpdateTable | Admin | |
| glue:UpdateTrigger | Admin | |
| glue:UpdateUserDefinedFunction | Admin | |
| glue:UpdateWorkflow | Admin | |
| glue:UseMLTransforms | Operator | |
| iam:GetRole | Metadata | |
| iam:GetRolePolicy | Metadata | |
| iam:ListRolePolicies | Metadata | |
| iam:ListRoles | Metadata | |
| iam:PassRole | Admin | Required to create clusters. |
| kms:DescribeKey | Metadata | |
| rds:DescribeDBInstances | Metadata | |
| redshift:DescribeClusterSubnetGroups | Metadata | |
| redshift:DescribeClusters | Metadata | |
| s3:GetBucketAcl | Metadata | |
| s3:ListAllMyBuckets | Metadata | |
| s3:ListBucket | Metadata | |
| sagemaker:DescribeNotebookInstance | Metadata | AWS Glue now supports connecting Amazon SageMaker notebooks to development endpoint. |
| sagemaker:ListNotebookInstances | Metadata | AWS Glue now supports connecting Amazon SageMaker notebooks to development endpoint. |