@@ -165,64 +165,16 @@ data "aws_iam_policy_document" "read_only_glue_access" {
165165 ]
166166 }
167167
168- // Glue Access - Catalog level operations
168+ // Glue Access
169169 statement {
170- sid = " GlueCatalogAccess "
170+ sid = " AwsGlue "
171171 actions =
172- " glue:GetCatalogImportStatus"
173- " glue:GetDataCatalogEncryptionSettings"
174- ]
175- resources =
176- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :catalog"
177- ]
178- }
179-
180- // Glue Access - Department database and table operations
181- statement {
182- sid = " GlueDepartmentDatabaseAccess"
183- actions =
184- " glue:GetDatabase"
185- " glue:GetTable"
186- " glue:GetTables"
187- " glue:GetTableVersion"
188- " glue:GetTableVersions"
189- " glue:GetPartition"
190- " glue:GetPartitions"
191- " glue:BatchGetPartition"
192- " glue:GetPartitionIndexes"
193- " glue:SearchTables"
194- " glue:QuerySchemaVersionMetadata"
195- ]
196- resources =
197- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :catalog"
198- aws_glue_catalog_database . raw_zone_catalog_database . arn ,
199- aws_glue_catalog_database . refined_zone_catalog_database . arn ,
200- aws_glue_catalog_database . trusted_zone_catalog_database . arn ,
201- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . raw_zone_catalog_database . name } /*"
202- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . refined_zone_catalog_database . name } /*"
203- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . trusted_zone_catalog_database . name } /*"
204- ]
205- }
206-
207- // Glue Access - Job and crawler read-only operations (unrestricted)
208- statement {
209- sid = " GlueJobAndCrawlerReadAccess"
210- actions =
211- " glue:GetJob"
212- " glue:GetJobs"
213- " glue:GetJobRun"
214- " glue:GetJobRuns"
215- " glue:BatchGetJobs"
216- " glue:ListJobs"
217- " glue:GetCrawler"
218- " glue:GetCrawlers"
219- " glue:ListCrawlers"
220- " glue:GetCrawlerMetrics"
221- " glue:GetWorkflow"
222- " glue:GetWorkflowRun"
223- " glue:GetWorkflowRuns"
224- " glue:ListWorkflows"
172+ " glue:Batch*"
225173 " glue:CheckSchemaVersionValidity"
174+ " glue:Get*"
175+ " glue:List*"
176+ " glue:SearchTables"
177+ " glue:Query*"
226178 ]
227179 resources = " *"
228180 }
@@ -528,77 +480,24 @@ data "aws_iam_policy_document" "glue_access" {
528480 }
529481 }
530482
531- // Glue Access - Catalog level operations
532- statement {
533- sid = " GlueCatalogAccess"
534- actions =
535- " glue:GetCatalogImportStatus"
536- " glue:GetDataCatalogEncryptionSettings"
537- ]
538- resources =
539- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :catalog"
540- ]
541- }
542-
543- // Glue Access - Department database and table operations (read, write, delete)
544- statement {
545- sid = " GlueDepartmentDatabaseAccess"
546- actions =
547- " glue:GetDatabase"
548- " glue:GetTable"
549- " glue:GetTables"
550- " glue:GetTableVersion"
551- " glue:GetTableVersions"
552- " glue:GetPartition"
553- " glue:GetPartitions"
554- " glue:BatchGetPartition"
555- " glue:GetPartitionIndexes"
556- " glue:CreateTable"
557- " glue:UpdateTable"
558- " glue:DeleteTable"
559- " glue:CreatePartition"
560- " glue:UpdatePartition"
561- " glue:DeletePartition"
562- " glue:BatchCreatePartition"
563- " glue:BatchDeletePartition"
564- " glue:BatchUpdatePartition"
565- " glue:SearchTables"
566- " glue:QuerySchemaVersionMetadata"
567- ]
568- resources =
569- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :catalog"
570- aws_glue_catalog_database . raw_zone_catalog_database . arn ,
571- aws_glue_catalog_database . refined_zone_catalog_database . arn ,
572- aws_glue_catalog_database . trusted_zone_catalog_database . arn ,
573- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . raw_zone_catalog_database . name } /*"
574- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . refined_zone_catalog_database . name } /*"
575- " arn:aws:glue:${ data . aws_region . current . name } :${ data . aws_caller_identity . current . account_id } :table/${ aws_glue_catalog_database . trusted_zone_catalog_database . name } /*"
576- ]
577- }
578-
579- // Glue Access - Job and crawler operations
483+ // Glue Access
580484 statement {
581- sid = " GlueJobAndCrawlerAccess "
485+ sid = " AwsGlue "
582486 actions =
487+ " glue:Batch*"
583488 " glue:CheckSchemaVersionValidity"
584489 " glue:CreateDevEndpoint"
585490 " glue:CreateJob"
586491 " glue:CreateScript"
587492 " glue:CreateSession"
493+ " glue:CreatePartition"
588494 " glue:DeleteDevEndpoint"
589495 " glue:DeleteJob"
590496 " glue:DeleteTrigger"
591- " glue:GetJob"
592- " glue:GetJobs"
593- " glue:GetJobRun"
594- " glue:GetJobRuns"
595- " glue:BatchGetJobs"
596- " glue:ListJobs"
597- " glue:GetCrawler"
598- " glue:GetCrawlers"
599- " glue:ListCrawlers"
600- " glue:GetCrawlerMetrics"
497+ " glue:Get*"
498+ " glue:List*"
601499 " glue:ResetJobBookmark"
500+ " glue:SearchTables"
602501 " glue:StartCrawler"
603502 " glue:StartCrawlerSchedule"
604503 " glue:StartExportLabelsTaskRun"
@@ -612,10 +511,15 @@ data "aws_iam_policy_document" "glue_access" {
612511 " glue:TagResource"
613512 " glue:UpdateDevEndpoint"
614513 " glue:UpdateJob"
615- " glue:GetWorkflow"
616- " glue:GetWorkflowRun"
617- " glue:GetWorkflowRuns"
618- " glue:ListWorkflows"
514+ " glue:UpdateTable"
515+ " glue:CreateTable"
516+ " glue:DeleteTable"
517+ " glue:GetTableVersions"
518+ " glue:GetTable"
519+ " glue:GetTables"
520+ " glue:GetDatabase"
521+ " glue:GetDatabases"
522+ " glue:Query*"
619523 ]
620524 resources = " *"
621525 }
0 commit comments