
I am trying to create a Glue job in an account that has full access to all resources

The script gets generated but when I try and save it I get the following error

[gluestudio-service.us-east-1.amazonaws.com] createJob: AccessDeniedException: Account XXXXX is denied access.

The role I am using has nothing fancy in it and has full access to glue and all S3 resources.

It's not an organisational account.

Any insight would be greatly appreciated

I am using the managed AWSGlueServiceRole as well as the AmazonS3FullAccess roles

I have added the following

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "glue:UseGlueStudio",
                    "iam:ListRoles",
                    "iam:ListUsers",
                    "iam:ListGroups",
                    "iam:ListRolePolicies",
                    "iam:GetRole",
                    "iam:GetRolePolicy",
                    "glue:SearchTables",
                    "glue:GetConnections",
                    "glue:GetJobs",
                    "glue:GetTables",
                    "glue:BatchStopJobRun",
                    "glue:GetSecurityConfigurations",
                    "glue:DeleteJob",
                    "glue:GetDatabases",
                    "glue:CreateConnection",
                    "glue:GetSchema",
                    "glue:GetTable",
                    "glue:GetMapping",
                    "glue:CreateJob",
                    "glue:DeleteConnection",
                    "glue:CreateScript",
                    "glue:UpdateConnection",
                    "glue:GetConnection",
                    "glue:StartJobRun",
                    "glue:GetJobRun",
                    "glue:UpdateJob",
                    "glue:GetPlan",
                    "glue:GetJobRuns",
                    "glue:GetTags",
                    "glue:GetJob"
                ],
                "Resource": "*"
            },
            {
                "Action": [
                    "iam:PassRole"
                ],
                "Effect": "Allow",
                "Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
                "Condition": {
                    "StringLike": {
                        "iam:PassedToService": [
                            "glue.amazonaws.com"
                        ]
                    }
                }
            }
        ]
    }
Maxui
  • can you post your IAM Policy, have you added glue:UseGlueStudio? – furydrive Sep 02 '22 at 07:02
  • Hi there, I've got "glue:*" in the policy. When adding the switch you suggested, glue:UseGlueStudio, the policy errors. – Maxui Sep 02 '22 at 07:18
  • I've followed this https://docs.aws.amazon.com/glue/latest/ug/setting-up.html#getting-started-min-privs and getting the same error – Maxui Sep 02 '22 at 07:27
  • Please update your question with IAM policy used. – Prabhakar Reddy Sep 02 '22 at 07:32
  • Seems like a few people having the same issues https://stackoverflow.com/questions/73233710/awsglue-accessdeniedexception-status-code-400 – Maxui Sep 02 '22 at 07:55
  • According to the [docs](https://docs.aws.amazon.com/glue/latest/ug/setting-up.html#getting-started-iam-permissions), for Glue Studio you need to use `AWSGlueConsoleFullAccess`. Have you tried that? – Marcin Sep 02 '22 at 08:27
  • I have - same error – Maxui Sep 02 '22 at 09:21
  • Is there an explicit deny policy set for your user that assumes the role? If so, it precedes the explicit allow in the role's policy. Can you share the policies attached to the user that assumes the role? – furydrive Sep 02 '22 at 10:30
  • There are no explicit denies; the policies attached are as detailed in the post. It's also a root user. – Maxui Sep 02 '22 at 10:33
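Added illustration, not code from the question or the answer: a small local evaluator for the statements posted above, using the simplified IAM order "explicit Deny beats Allow beats implicit deny" and modelling only Action, Resource and StringLike conditions (NotAction, resource policies, session policies and boundaries are left out). It shows that the asker's statements do match glue:CreateJob, glue:UseGlueStudio and iam:PassRole for a role named AWSGlueServiceRole*, and how an explicit Deny attached anywhere else (the question furydrive's comment raises) would override every one of those Allows. The role ARNs and the extra Deny policy are constructed for the example.

```python
import fnmatch

# Constructed sample: a cut-down copy of the asker's identity policy, plus a hypothetical
# explicit Deny (as an SCP, boundary or second attached policy might carry) to show precedence.
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["glue:UseGlueStudio", "glue:CreateJob", "glue:CreateScript", "iam:ListRoles"]},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
     "Condition": {"StringLike": {"iam:PassedToService": ["glue.amazonaws.com"]}}}]}
HYPOTHETICAL_DENY = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Deny", "Action": "glue:Create*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM matches actions and ARNs case-insensitively, with * and ? wildcards
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_met(condition, context):
    # Only StringLike is modelled (the operator the asker's policy uses); others count as unmet
    return all(op == "StringLike" and all(k in context and _matches(w, context[k])
                                           for k, w in pairs.items())
               for op, pairs in condition.items())

def evaluate(policies, action, resource="*", context=None):
    """Simplified IAM logic: a matching explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "implicit_deny"
    for stmt in (s for p in policies for s in _as_list(p["Statement"])):
        if (_matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource)
                and _condition_met(stmt.get("Condition", {}), context or {})):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # first matching Deny ends the evaluation
            decision = "allow"
    return decision

def studio_save_checks():
    """Decisions for the calls behind a Glue Studio save, with and without the extra Deny."""
    glue_role = "arn:aws:iam::111122223333:role/AWSGlueServiceRole-etl"   # constructed ARN
    ctx = {"iam:PassedToService": "glue.amazonaws.com"}
    return {
        "create_job": evaluate([ASKER_POLICY], "glue:CreateJob"),
        "use_glue_studio": evaluate([ASKER_POLICY], "glue:UseGlueStudio"),
        "pass_glue_role": evaluate([ASKER_POLICY], "iam:PassRole", glue_role, ctx),
        "pass_other_role": evaluate([ASKER_POLICY], "iam:PassRole",
                                    "arn:aws:iam::111122223333:role/MyEtlRole", ctx),   # name outside the pattern
        "create_job_with_deny": evaluate([ASKER_POLICY, HYPOTHETICAL_DENY], "glue:CreateJob"),
    }
```

For a real account the authoritative check is IAM's own simulator (SimulatePrincipalPolicy) run against the principal that actually calls createJob, since it also applies SCPs, boundaries and resource policies that this toy does not.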

1 Answer

Add a trust policy like the following to the role.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "glue.amazonaws.com",
                    "AWS": "arn:aws:iam::123456789:root"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
furydrive
  • Like this? No difference ```{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "glue.amazonaws.com", "AWS": "arn:aws:iam:::root" }, "Action": "sts:AssumeRole" } ] }``` – Maxui Sep 02 '22 at 11:02
  • have you attached a resource based policy on your Data Catalog resource? – furydrive Sep 02 '22 at 11:27
  • No data catalog in use – Maxui Sep 05 '22 at 05:59