-2

I want to limit a user to a specific database. The user should be able to perform all actions on that database and its tables.

All the examples I found in the documentation limit the Action, but never the Resource.

The example below gives the user access to all the databases and tables. What should be put in the Resource field to restrict access to a single database?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "glue:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}
Aidin

1 Answer

0

The answer is that Glue doesn't support resource-level permissions.

You can control access to data by restricting the underlying S3 buckets. However, if you give glue:GetTable access to a user, they can list all the tables in all the databases. Or glue:DeleteTable...

Same goes for Athena.

Aidin
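
An added example, not part of the original question or answer: a Python check that flags `Allow` statements granting Glue actions on `Resource` `"*"`, as the policy in the question does. The function names, the second sample policy and its bucket name are constructed for illustration.

```python
import json

# Constructed sample: the policy from the question (glue:* on every resource).
QUESTION_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Action": ["glue:*"], "Effect": "Allow", "Resource": ["*"]}]}
""")

# Constructed sample: data access limited to one S3 prefix (hypothetical bucket name).
S3_SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Action": "s3:GetObject", "Effect": "Allow",
               "Resource": "arn:aws:s3:::example-bucket/sales_db/*"}}
""")


def _as_list(value):
    """IAM accepts a single string or object wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_glue(action_pattern):
    """True if an Action pattern ('*', 'glue:*', 'glue:Get*', ...) can match a Glue action."""
    pattern = action_pattern.lower()  # IAM action names are case-insensitive
    if pattern == "*":
        return True
    service, _, _ = pattern.partition(":")
    return service == "glue"


def find_unscoped_glue_statements(policy):
    """Return the indexes of Allow statements that grant Glue actions on Resource '*'."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_covers_glue(a) for a in actions) and "*" in resources:
            findings.append(index)
    return findings


if __name__ == "__main__":
    print("question policy:", find_unscoped_glue_statements(QUESTION_POLICY))
    print("S3-scoped policy:", find_unscoped_glue_statements(S3_SCOPED_POLICY))
```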