In EMR, you can specify that operations that read/write S3 will assume a different IAM role depending on the S3 URL through EMRFS role mappings. This is especially useful for a use case of reading from a bucket in the same account, and writing to a bucket in another account -- EMRFS lets you specify to use different roles for read and write operations, and the role can be in a different account. This simplifies handling permissions when you're writing objects in another account, by avoiding this scenario
What's the equivalent for Glue jobs? It looks like I can only grant a role to the job overall, and I don't see a way to assume different roles for different S3 buckets/prefixes. There are Security Configurations in Glue, as with EMR, but it looks like these only support encryption options.
There is no such thing in Glue.
However, EMRFS role mappings are less important now that S3 supports assuming object ownership.
The main use for EMRFS was to assume a role in the same account as the bucket owner on write operations, to ensure the objects created are owned by the bucket owner.
Now, you can simply grant cross-account permissions to read/write buckets, with the S3 "Object Ownership" configuration set to "bucket owner preferred" and the client setting the "bucket-owner-full-control" ACL for new objects. The latter can be done through the Spark session.
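Added example, not part of the answer above: a sketch of the three pieces it describes (ownership setting, destination bucket policy, and the ACL set from the Spark session), with a simplified check that a write without the ACL is refused. The bucket name, role ARN and helper names are placeholders, and it assumes the job writes through the S3 connector that honours `fs.s3.canned.acl`.

```python
import json

REQUIRED_ACL = "bucket-owner-full-control"

def ownership_controls():
    """Payload for boto3 s3.put_bucket_ownership_controls(OwnershipControls=...)."""
    return {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}

def destination_bucket_policy(bucket, writer_role_arn):
    """Policy for the destination account's bucket: let the job role write,
    but deny any PutObject that does not carry the required canned ACL."""
    objects = f"arn:aws:s3:::{bucket}/*"
    principal = {"AWS": writer_role_arn}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCrossAccountWrite", "Effect": "Allow",
             "Principal": principal, "Resource": objects,
             "Action": ["s3:PutObject", "s3:PutObjectAcl"]},
            {"Sid": "DenyWithoutOwnerFullControl", "Effect": "Deny",
             "Principal": principal, "Resource": objects,
             "Action": "s3:PutObject",
             "Condition": {"StringNotEquals": {"s3:x-amz-acl": REQUIRED_ACL}}},
        ],
    }

def put_allowed(policy, acl_header):
    """Simplified evaluation of the policy above for one PutObject by the role.
    acl_header is the x-amz-acl value sent, or None when the client sent none;
    an absent key satisfies StringNotEquals, so the Deny still applies."""
    allowed = False
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if not all(acl_header != want for want in cond.values()):
            continue  # condition not met, statement does not apply
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True
    return allowed

def set_canned_acl(hadoop_conf):
    """Make the job's S3 writes send the ACL. In a Glue job, pass
    spark._jsc.hadoopConfiguration(); any object with set(key, value) works."""
    hadoop_conf.set("fs.s3.canned.acl", "BucketOwnerFullControl")
    return hadoop_conf

if __name__ == "__main__":
    # Constructed placeholder values, not real resources.
    policy = destination_bucket_policy(
        "dest-bucket-example", "arn:aws:iam::111111111111:role/glue-job-role-example")
    print(json.dumps(policy, indent=2))
```

The Deny statement is what makes the setup robust: a job that forgets the ACL setting fails loudly instead of leaving objects the bucket owner cannot read.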