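# Customer-managed policies generated by the roles module. `{{partition}}`,
# `{{region}}` and `{{account}}` are substituted by the tooling at deploy time.
# Statement IDs use the IAM spelling `Sid` consistently throughout.
generatePolicies:
  # Attached to the glue-etl service role (see generateRoles below). It only
  # grants CloudWatch Logs writes under /aws-glue/* and the
  # lakeformation:GetDataAccess call; table/column access still comes from
  # Lake Formation grants.
  GlueJobPolicy:
    policyDocument:
      Statement:
        - Sid: GlueCloudwatch
          Effect: Allow
          Resource:
            - "arn:{{partition}}:logs:{{region}}:{{account}}:log-group:/aws-glue/*"
          Action:
            - logs:CreateLogStream
            - logs:AssociateKmsKey
            - logs:CreateLogGroup
            - logs:PutLogEvents
        # This statement allows the usage of LakeFormation, but does not itself
        # grant any access to data. For data access, an explicit LF Grant is
        # required.
        - Sid: LakeFormationGetDataAccess
          Effect: Allow
          Action:
            - lakeformation:GetDataAccess
          Resource: "*"
    suppressions:
      - id: "AwsSolutions-IAM5"
        reason: "These actions do not accept a resource or resource name not known at deployment time."

  # Additional permissions layered on top of DataUserPolicy for the data-admin
  # role (see generateRoles below).
  DataAdminPolicy:
    policyDocument:
      Statement:
        - Sid: GlueCloudwatchAccess
          Effect: Allow
          Action:
            - logs:DescribeLogStreams
            - logs:DescribeLogGroups
          Resource:
            - "arn:{{partition}}:logs:{{region}}:{{account}}:log-group:/aws-glue/*"
            - "arn:{{partition}}:logs:{{region}}:{{account}}:log-group:/aws-glue/*:log-stream:*"
            # NOTE(review): empty log-group name with an empty log-stream
            # suffix; presumably the ARN form the CloudWatch Logs permissions
            # reference lists for DescribeLogGroups — confirm it is still
            # required before removing it.
            - "arn:{{partition}}:logs:{{region}}:{{account}}:log-group::log-stream:"
        # Account-wide bucket discovery and public-access-block / ACL / policy
        # status reads. These are read-only and carry no object access.
        - Sid: BasicS3Access
          Effect: Allow
          Action:
            - s3:ListAllMyBuckets
            - s3:GetAccountPublicAccessBlock
            - s3:GetBucketPublicAccessBlock
            - s3:GetBucketPolicyStatus
            - s3:GetBucketAcl
            - s3:ListAccessPoints
            - s3:GetBucketLocation
          Resource: "*"
        # Allows basic listing of KMS key aliases. (The original note here was
        # truncated — "required for up"; presumably needed so console key
        # pickers can resolve aliases. Confirm the intended consumer.)
        - Sid: BasicKMSAccess
          Effect: Allow
          Action:
            - kms:ListAliases
          Resource: "*"
        # Temporary credentials for the `admin` database user on ANY cluster in
        # this account/region (`*` in the cluster position of both ARNs).
        # There is deliberately no redshift:CreateClusterUser here, so `admin`
        # must already exist on the target cluster. Narrow the cluster
        # wildcard if only specific clusters should be reachable.
        - Sid: RedshiftAdminAccess
          Effect: Allow
          Action:
            - redshift:GetClusterCredentials
          Resource:
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:dbuser:*/admin"
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:dbname:*/default_db"
        # Unlike DataUserPolicy's RedshiftDataStatementAccess, this statement
        # has no `redshift-data:statement-owner-iam-userid` condition, so the
        # admin role can list, cancel and fetch the results of Data API
        # statements issued by any principal in the account. Intended for an
        # admin role — confirm that is acceptable for your data classification.
        - Sid: RedshiftAdminDataStatementAccess
          Effect: Allow
          Action:
            - redshift-data:ListStatements
            - redshift-data:DescribeStatement
            - redshift-data:CancelStatement
            - redshift-data:GetStatementResult
          Resource: "*"
    suppressions:
      - id: "AwsSolutions-IAM5"
        reason: "These actions do not accept a resource or resource name not known at deployment time."

  # Baseline permissions for any human data consumer. Attached to both the
  # data-user and data-admin roles (see generateRoles below).
  DataUserPolicy:
    policyDocument:
      Statement:
        # This statement allows coarse-grained access to Glue catalog resources,
        # but does not itself grant any access to data. Effective permissions
        # are the intersection between IAM Glue permissions and LF Grants. By
        # establishing broad, coarse-grained permissions here, we are
        # effectively concentrating effective permissions management in LF
        # Grants.
        - Sid: GlueCoarseGrainedAccess
          Effect: Allow
          Resource:
            - "arn:{{partition}}:glue:{{region}}:{{account}}:catalog"
            - "arn:{{partition}}:glue:{{region}}:{{account}}:database/*"
            - "arn:{{partition}}:glue:{{region}}:{{account}}:table/*"
          Action:
            - glue:GetDatabase
            - glue:GetDatabases
            - glue:GetCatalogImportStatus
            - glue:GetTable
            - glue:GetTables
            - glue:GetPartition
            - glue:GetPartitions
            - glue:SearchTables
        # This statement allows the usage of LakeFormation, but does not itself
        # grant any access to data. For data access, an explicit LF Grant is
        # required.
        - Sid: LakeFormationGetDataAccess
          Effect: Allow
          Action:
            - lakeformation:GetDataAccess
          Resource: "*"
        # This statement allows the basic listing of Athena workgroups.
        # Specific Athena accesses are granted by the Athena Workgroup module
        # itself.
        - Sid: BasicAthenaAccess
          Effect: Allow
          Action:
            - athena:ListWorkGroups
          Resource: "*"
        # This statement allows basic read access to the Redshift console as
        # well as Query editor v1 (describe-only; no data access).
        - Sid: BasicRedshiftAccess
          Effect: Allow
          Action:
            - redshift:DescribeClusters
            - redshift:DescribeClusterSnapshots
            - redshift:DescribeEvents
          Resource:
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:cluster:*"
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:snapshot:*/*"
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:event:*"
        # Temporary credentials (and auto-creation) of a database user whose
        # name equals the caller's own session name: the dbuser ARN is bound to
        # `${redshift:DbUser}` and the condition requires the session's
        # aws:userid to end in `:<that DbUser>`. The leading `*:` accepts any
        # role unique ID; AWS's reference example pins it to a specific role ID
        # instead, which is tighter if you want to prevent other roles trusted
        # for this policy from minting the same database user name. Cluster
        # id is wildcarded.
        - Sid: RedshiftUserAccess
          Effect: Allow
          Action:
            - redshift:GetClusterCredentials
            - redshift:CreateClusterUser
          Resource:
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:dbuser:*/${redshift:DbUser}"
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:dbname:*/default_db"
          Condition:
            StringLike:
              "aws:userid": "*:${redshift:DbUser}"
        # Data API access against any cluster in the account/region. The
        # statements themselves still run under the temporary database
        # credentials obtained via RedshiftUserAccess above.
        - Sid: RedshiftDataAccess
          Effect: Allow
          Action:
            - redshift-data:ExecuteStatement
            - redshift-data:ListDatabases
            - redshift-data:ListSchemas
            - redshift-data:ListTables
            - redshift-data:DescribeTable
          Resource:
            - "arn:{{partition}}:redshift:{{region}}:{{account}}:cluster:*"
        # Statement bookkeeping is scoped to the caller's own statements via
        # the owner condition, so users cannot read or cancel each other's
        # results.
        - Sid: RedshiftDataStatementAccess
          Effect: Allow
          Action:
            - redshift-data:ListStatements
            - redshift-data:DescribeStatement
            - redshift-data:CancelStatement
            - redshift-data:GetStatementResult
          Resource: "*"
          Condition:
            StringEquals:
              "redshift-data:statement-owner-iam-userid": "${aws:userid}"
    suppressions:
      - id: "AwsSolutions-IAM5"
        reason: "These actions do not accept a resource or resource name not known at deployment time."

# The list of roles which will be generated
generateRoles:
  # This role will be used by all Glue processes (Jobs and Crawlers).
  # Additionally, it will be assumed by the RedShift cluster while loading
  # data.
  # NOTE(review): the trust is to two bare service principals. If the roles
  # module supports trust-policy conditions, consider scoping them with
  # aws:SourceAccount / aws:SourceArn to reduce confused-deputy exposure.
  glue-etl:
    trustedPrincipal: service:glue.amazonaws.com
    additionalTrustedPrincipals:
      - trustedPrincipal: service:redshift.amazonaws.com
    # A list of AWS managed policies which will be added to the role
    awsManagedPolicies:
      - service-role/AWSGlueServiceRole
    generatedPolicies:
      - GlueJobPolicy
    suppressions:
      - id: "AwsSolutions-IAM4"
        reason: "AWSGlueServiceRole approved for usage"

  # Lake Formation / Glue administrator. Gets the user baseline plus
  # DataAdminPolicy and broad managed policies, including cross-account LF
  # sharing (AWSLakeFormationCrossAccountManager); treat assumption of this
  # role as privileged. `this_account` trust presumably means any principal
  # in the account that is itself allowed sts:AssumeRole on this role —
  # confirm against the roles module semantics.
  data-admin:
    trustedPrincipal: this_account
    awsManagedPolicies:
      - AWSGlueConsoleFullAccess
      - AWSLakeFormationDataAdmin
      - AWSLakeFormationCrossAccountManager
    generatedPolicies:
      - DataUserPolicy
      - DataAdminPolicy
    suppressions:
      - id: "AwsSolutions-IAM4"
        reason: "AWSGlueConsoleFullAccess, AWSLakeFormationDataAdmin, AWSLakeFormationCrossAccountManager approved for usage"

  # Ordinary data consumer: catalog browsing plus Athena/Redshift access,
  # with actual data authorisation delegated to Lake Formation grants.
  data-user:
    trustedPrincipal: this_account
    generatedPolicies:
      - DataUserPolicy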