Glue
Grant access to your Glue Catalog so Catalog can read metadata. You need permission to create IAM roles and policies in AWS, and to create a user for Catalog with the roles and policies defined below.
1. If Needed, Whitelist Catalog IP
Here are the fixed IPs:
- For instances on app.us.castordoc.com: 34.42.92.72
- For instances on app.castordoc.com: 35.246.176.138
2. Create Relevant IAM Policies
Create the policy below, granting only metadata access.
Warning: Make sure to replace <region> and <account_id> with your own.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "glue:SearchTables",
        "glue:GetTableVersions",
        "glue:GetTableVersion",
        "glue:GetUserDefinedFunctions",
        "glue:GetUserDefinedFunction"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
        "arn:aws:glue:<region>:<account_id>:table/*/*",
        "arn:aws:glue:<region>:<account_id>:catalog",
        "arn:aws:glue:<region>:<account_id>:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
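One way to check the policy document before attaching it, as an added example that is not Catalog's own code: the Python below verifies that the Version is one IAM accepts, that every allowed action is a read-only verb, and that no <region> or <account_id> placeholder was left in a resource ARN. The names lint_policy and READ_ONLY_PREFIXES are hypothetical, and the region and account values in the samples are constructed.

```python
import json
import re

# Verb prefixes this example treats as read-only (an assumption, not an AWS API).
READ_ONLY_PREFIXES = ("Get", "List", "Search", "BatchGet")
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only values IAM accepts
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <region>, <account_id>


def as_list(value):
    """IAM allows Statement/Action/Resource to be a single item or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_text):
    """Return a list of findings; an empty list means every check passed."""
    policy = json.loads(policy_text)
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"invalid Version {policy.get('Version')!r}")
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {n}: NotAction allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            verb = action.partition(":")[2]
            if "*" in action or not verb.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {n}: {action} is a wildcard or not read-only")
        for resource in as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(resource):
                findings.append(f"statement {n}: unreplaced placeholder in {resource}")
    return findings


# Constructed sample: a trimmed copy of the policy with made-up region/account values.
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:GetTables", "glue:BatchGetPartition"],
     "Resource": ["arn:aws:glue:eu-west-1:123456789012:table/*/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["*"]}]})
# Constructed sample with three mistakes: bad Version, a write action, a placeholder.
BAD = json.dumps({"Version": "2022-08-17", "Statement": [
    {"Effect": "Allow", "Action": ["glue:GetTable", "glue:DeleteTable"],
     "Resource": ["arn:aws:glue:<region>:123456789012:table/*/*"]}]})

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_policy(doc) or "ok")
```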
3. Create a Catalog User
- Create a user following the AWS IAM user creation instructions.
- Add the policy created above to this user.
4. Add User Connection Info on Catalog
On Catalog's Glue integration page, add your credentials in the following format:
{
  "aws_region": "<your_region>",
  "aws_account_id": "<your_account>",
  "access_key_id": "<your_key_id>",
  "access_key_secret": "<your_secret>"
}