Add policy for cross-account access to AWS Glue data catalog in documentation?

Question

Add policy for cross-account access to AWS Glue data catalog in documentation?

Closed this issue 5 months ago · 5 comments

Could the Overture documentation include the policy one has to create to grant permission for cross-account access to AWS Glue data catalogs (specifically the Overture one), as described under step 1a in the AWS documentation here, instead of just linking to that page?

Otherwise, the great webinar here cannot be followed for new AWS users.

Could you post the policy here as well?

Thanks!

Answer 1 · 2024-04-30T20:01:33.000Z

The cross-account Glue catalog policy (AWS Glue → Catalog settings → Permissions) looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "glue:GetTable*",
        "glue:GetDatabase*",
        "glue:GetPartition*"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account id>:catalog",
        "arn:aws:glue:<region>:<account id>:database/release",
        "arn:aws:glue:<region>:<account id>:table/*"
      ]
    }
  ]
}

release is the name of the database containing Overture tables.

@danabauer mind adding this to the docs?

Answer 2 · 2024-04-30T21:01:56.000Z

I just realized that OP was asking about the permissions that need to be added to a role in order to access the shared catalog. The policy is actually the same, supporting access in the opposite direction, just without the Principal, since that's implied by the Role it's ultimately attached to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetTable*",
        "glue:GetDatabase*",
        "glue:GetPartition*"
      ],
      "Resource": [
        "arn:aws:glue:us-west-2:913550007193:catalog",
        "arn:aws:glue:us-west-2:913550007193:database/release",
        "arn:aws:glue:us-west-2:913550007193:table/*"
      ]
    }
  ]
}

Answer 3 · 2024-05-01T00:56:29.000Z

We added the policy to the docs! https://docs.overturemaps.org/getting-data/cloud-services/

Answer 4 · 2024-05-23T13:30:21.000Z

Thanks a lot for adding this! Works like a charm. Just one more thing: Could you still fix the broken link to the webinar_queries.md which you link to in the description of the webinar video and the accompanying blog post? Thanks!

Answer 5 · 2024-05-24T16:00:01.000Z

Thanks for catching that @gregorhd — At this point, I think those queries might be outdated with improvements to the schema since then. I recommend referring to docs.overturemaps.org/ for the latest queries — if you have any specific types of examples you'd like to see, please let me know and we can try to put together some more examples.