How to restrict access to a single glue catalog database with IAM Role Policy?
In my glue data catalog, there are many glue data catalog databases. I'm trying to write an IAM Role policy that would deny access to every GDC database, except for one whitelisted database. How can this be done?
In my first attempt, I used the managed policy arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess as a starting point, and added the statement shown below to deny all databases except the whitelisted one.
{
"Version": "2012-10-17",
"Statement": [
# same statements as in arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess ...
{
"Sid": "DenyAccessToOtherGlueDatabases",
"Effect": "Deny",
"Action": [
"glue:GetDatabase"
],
"NotResource": [
"arn:aws:glue:${region}:${account_number}:database/${database_name}"
]
}
]
}
However, the Role is still able to access all the databases in the catalog despite this rule. What could be the issue?
I made a second attempt after finding this documentation, which reads:
To deny access to a table, requires that you create a policy to deny a user access to the table, or its parent database or catalog. This allows you to easily deny access to a specific resource that cannot be circumvented with a subsequent allow permission. For example, if you deny access to table
booksin databasedb1, then if you grant access to databasedb1, access to tablebooksis still denied. The following is an example identity-based policy that denies permissions for AWS Glue actions (glue:GetTablesandGetTable) to databasedb1and all of the tables within it.{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyGetTablesToDb1", "Effect": "Deny", "Action": [ "glue:GetTables", "glue:GetTable" ], "Resource": [ "arn:aws:glue:us-west-2:123456789012:database/db1" ] } ] }
I tried to deny glue:GetTables and glue:GetTable on the table:
{
"Version": "2012-10-17",
"Statement": [
# same statements as in arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess ...
{
"Sid": "DenyAccessToOtherGlueDatabases",
"Effect": "Deny",
"Action": [
"glue:GetTables",
"glue:GetTable"
],
"NotResource": [
"arn:aws:glue:${region}:${account_number}:table/${landing_zone_name}_${env}"
]
}
]
}
I also tried to deny glue:GetTables and glue:GetTable on the database as shownin the example:
{
"Version": "2012-10-17",
"Statement": [
# same statements as in arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess ...
{
"Sid": "DenyAccessToOtherGlueDatabases",
"Effect": "Deny",
"Action": [
"glue:GetTables",
"glue:GetTable"
],
"NotResource": [
"arn:aws:glue:${region}:${account_number}:database/${landing_zone_name}_${env}"
]
}
]
}
For either case, when I tried to access tables that I should have had permission to access, I was met with an infinite loading animation that said "fetching <table_name>"
To restrict access to a single glue data catalog database, you need to whitelist every resource in the glue data catalog hierarchy (Catalog -> DB -> Table) with NotResource as shown in DenyAccessToOtherGlueDatabases below. This will allow the role to access only those specified databases, and will forbid all others from being accessed.
Also, you should use these four actions (more info on each one in the docs):
glue:GetTable: Grants permission to retrieve a specific tableglue:GetTables: Grants permission to retrieve the tables for a specific databaseglue:GetDatabaseGrants permission to retrieve a specific databaseglue:GetDatabases: Grants permission to retrieve all databases (without this, the databse will not appear in the console.)
{
"Version": "2012-10-17",
"Statement": [
# same statements as in arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess ...
{
"Sid": "",
"Effect": "Deny",
"Action": [
"glue:GetTable",
"glue:GetTables",
"glue:GetDatabase",
"glue:GetDatabases"
],
"NotResource": [
"arn:aws:glue:${region}:${account_number}:catalog",
"arn:aws:glue:${region}:${account_number}:database/${database_name}",
"arn:aws:glue:${region}:${account_number}:table/${database_name}/*",
]
}
]
}
- Generate S3 URL in "path-style" format
- Trying to find the ARN pattern for AWS WAF regional
- AWS cognito: What's the difference between Access and Identity tokens?
- virtually isolate the network in the same AWS Cloud Account
- Can I stop a spot instance in aws just like I can stop and start an on demand ec2 instance
- Get pdftotext Python module running on Lambda
- Kubernetes: how to set VolumeMount user group and file permissions
- Invalid arn error for terraform code with kms data resource
- Unable to import module 'src.main': No module named 'dependencies' when uploading FastAPI zipped project to AWS Lambda
- Unable to update AWS AppRunner VPC connector via CDK
- Exit early from CodeBuild
- qemu-x86_64: Could not open '/lib64/ld-linux-x86-64.so.2': No such file or directory in alpine linux on M1
- In AWS API Gateway, can method level limits for a specific end point exceed stage level limit?
- How to install postgresql-client to Amazon EC2 Linux machine?
- Why does API Gateway not pass through the request path parameters in proxy mode?
- Does AWS VPC Endpoint require subnets?
- Windows authentication does not work behind AWS Application Load Balancer
- Exporting data from dynamo db to a csv file
- Amazon Web Services : Setting S3 policy to allow putObject and getObject but deny listBucket
- How to set S3 path style in Clojure using Amazonica library?
- System Manager Parameter Store Input
- Issues Sending Kafka and Zookeeper Metrics to AWS CloudWatch Using JMX and CloudWatch Agent
- How to connect to AWS Redis cluster locally?
- HTTPS connections to cloudfront / S3 using godaddy domain
- Local Job unable to find Region
- Nginx Error 413 Entity too large on AWS ELB
- How to get the ARN of an SSM Document in CloudFormation?
- Login to chrome extension via website with AWS amplify
- In total how many aws command is available
- How to upgrade AWS CLI to the latest version?