Reputation: 18770
In EMR, you can specify that operations that read/write S3 will assume a different IAM role depending on the S3 URL through EMRFS role mappings. This is especially useful for the use case of reading from a bucket in the same account and writing to a bucket in another account -- EMRFS lets you specify different roles for read and write operations, and the role can be in a different account. This simplifies handling permissions when you're writing objects in another account, by avoiding this scenario.
What's the equivalent for Glue jobs? It looks like I can only grant a role to the job overall, and I don't see a way to assume different roles for different S3 buckets/prefixes. There are Security Configurations in Glue, as with EMR, but it looks like these only support encryption options.
Upvotes: 1
Views: 318
Reputation: 18770
There is no such thing in Glue.
However, EMRFS role mappings are less important now that S3 supports assuming object ownership.
The main use for EMRFS was to assume a role in the same account as the bucket owner on write operations, to ensure the objects created are owned by the bucket owner.
Now, you can simply grant cross-account permissions to read/write buckets, with the S3 "Object Ownership" configuration set to "bucket owner preferred" and the client setting the "bucket-owner-full-control" ACL for new objects. The latter can be done through the Spark session.
Upvotes: 1
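The two settings the answer describes (bucket-side Object Ownership, client-side canned ACL) have to line up or the objects end up owned by the writing account, so a preflight check is worth having. The following is an added example, not code from the question or answer; the Hadoop property names (`fs.s3.canned.acl` for the Glue/EMRFS connector, `fs.s3a.acl.default` for s3a) and the boto3 `get_bucket_ownership_controls` response shape are real, while `preflight` and the sample response are constructed here.

```python
"""Cross-account S3 writes from a Glue job without EMRFS role mappings."""

BUCKET_OWNER_FULL_CONTROL = "BucketOwnerFullControl"

# Hadoop properties that make the S3 connector put the bucket-owner-full-control
# ACL on every new object: fs.s3.* for Glue's s3:// connector, fs.s3a.* for s3a://.
HADOOP_CANNED_ACL_SETTINGS = {
    "fs.s3.canned.acl": BUCKET_OWNER_FULL_CONTROL,
    "fs.s3a.acl.default": BUCKET_OWNER_FULL_CONTROL,
}


def apply_canned_acl(spark):
    """Apply the canned-ACL settings to a live SparkSession (e.g. glueContext.spark_session)."""
    hconf = spark.sparkContext._jsc.hadoopConfiguration()
    for key, value in HADOOP_CANNED_ACL_SETTINGS.items():
        hconf.set(key, value)
    return dict(HADOOP_CANNED_ACL_SETTINGS)


def bucket_owner_preferred_request(bucket):
    """Keyword arguments for s3.put_bucket_ownership_controls() to opt the target bucket in."""
    return {"Bucket": bucket,
            "OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}


def object_ownership(response):
    """Read the ObjectOwnership rule from an s3.get_bucket_ownership_controls() response.
    An empty/missing rule list means the legacy default, ObjectWriter."""
    rules = response.get("OwnershipControls", {}).get("Rules", [])
    return rules[0]["ObjectOwnership"] if rules else "ObjectWriter"


def resulting_object_owner(ownership, canned_acl):
    """Who owns a cross-account write under S3 Object Ownership: 'bucket-owner', 'writer' or 'rejected'."""
    if ownership == "BucketOwnerEnforced":
        # ACLs are disabled; only bucket-owner-full-control (or no ACL) is accepted
        return "bucket-owner" if canned_acl in (None, BUCKET_OWNER_FULL_CONTROL) else "rejected"
    if ownership == "BucketOwnerPreferred" and canned_acl == BUCKET_OWNER_FULL_CONTROL:
        return "bucket-owner"
    return "writer"  # ObjectWriter, or BucketOwnerPreferred without the ACL


def preflight(ownership_response, hadoop_conf, scheme="s3"):
    """Constructed helper: combine the bucket's ownership rule with the job's Hadoop config."""
    key = "fs.s3.canned.acl" if scheme == "s3" else "fs.s3a.acl.default"
    return resulting_object_owner(object_ownership(ownership_response), hadoop_conf.get(key))


# Constructed sample of the boto3 response for a bucket set to "bucket owner preferred".
SAMPLE_RESPONSE = {"OwnershipControls": {"Rules": [{"ObjectOwnership": "BucketOwnerPreferred"}]}}
```

Run `preflight(s3.get_bucket_ownership_controls(Bucket=target), HADOOP_CANNED_ACL_SETTINGS)` before the job writes; anything other than "bucket-owner" means the bucket owner would not own the output.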