When you create the AWS Glue job, you specify an AWS Identity and Access Management (IAM) role for the job to use. The role must grant access to all resources used by the job, including Amazon S3 for any sources, targets, scripts, driver files, and temporary directories, as well as any AWS Glue Data Catalog objects. For more information, refer to Setting up IAM Permissions for AWS Glue.

Depending on your use case, the following permissions may be required for your IAM role.

  • SecretsManagerReadWrite
  • AmazonS3FullAccess
  • AmazonEC2ContainerRegistryReadOnly
  • AWSGlueServiceRole

Note: The IAM role for the AWS Glue job must also have access to the secret created in Storing your credentials in AWS Secrets Manager. By default, the AWS managed role AWSGlueServiceRole does not have access to the secret, so the IAM role must be granted access to the secret used by the AWS Glue ETL job. Refer to Authentication and Access Control for AWS Secrets Manager and Limiting Access to Specific Secrets in the AWS Secrets Manager User Guide to set up access control for your secrets.
Note: For more information about granting access to the Amazon S3 buckets, refer to Identity and access management in the Amazon Simple Storage Service Developer Guide.
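As an added example that is not part of the AWS documentation, the following customer-managed policy grants the job role the secret access described in the note above while limiting it to one secret and to the job's own S3 buckets, instead of the broad SecretsManagerReadWrite and AmazonS3FullAccess policies. REGION, ACCOUNT_ID, the secret name and the bucket names are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyTheJobSecret",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:EXAMPLE_SECRET_NAME-*"
    },
    {
      "Sid": "ListJobBuckets",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-SCRIPT-BUCKET",
        "arn:aws:s3:::EXAMPLE-DATA-BUCKET",
        "arn:aws:s3:::EXAMPLE-TEMP-BUCKET"
      ]
    },
    {
      "Sid": "ReadScriptsAndSources",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-SCRIPT-BUCKET/*",
        "arn:aws:s3:::EXAMPLE-DATA-BUCKET/*"
      ]
    },
    {
      "Sid": "WriteTargetsAndTemporaryFiles",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-DATA-BUCKET/*",
        "arn:aws:s3:::EXAMPLE-TEMP-BUCKET/*"
      ]
    }
  ]
}
```

Attach this policy to the job role alongside AWSGlueServiceRole; if the secret is encrypted with a customer-managed AWS KMS key rather than the AWS managed key, the role also needs kms:Decrypt on that key.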