How to: Allow Glue jobs to access databases across accounts
SeanKilleen commented
Based on my SO question: https://stackoverflow.com/questions/68475901/glue-job-cross-account-secret-access-failing-despite-policies
- Networking must be in place
  - How to test it (trying a given port between two EC2 instances in each account, for example)
- Create key
- Create CMK -- can't use default keys
- Encrypt key with CMK -- be sure you actually do this! (edit and save)
- Policy on Key
- Policy on CMK
- Policy on Glue service role in other account
- Glue service should assume the role
- Make sure boto3 uses the full ARN of the cross-account secret.
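
An added example, not part of the original issue or the linked question: a standard-library Python sketch of the three policies in the checklist, plus a check that the secret ID handed to boto3 is a full ARN pointing at the other account. It assumes "key" in the list means the Secrets Manager secret; all account IDs, ARNs and function names are constructed placeholders.

```python
import json
import re

# Constructed placeholder values (not from the original issue).
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-creds-AbCdEf"
CMK_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
GLUE_ROLE_ARN = "arn:aws:iam::222222222222:role/glue-job-role"

ARN_RE = re.compile(r"^arn:aws[\w-]*:secretsmanager:[a-z0-9-]+:(\d{12}):secret:.+$")

def secret_account(secret_id):
    """Return the owning account ID if secret_id is a full ARN, else None."""
    m = ARN_RE.match(secret_id)
    return m.group(1) if m else None

def is_cross_account_ready(secret_id, caller_account):
    """A bare secret name is resolved in the caller's own account, so only
    a full ARN naming a different account can reach the remote secret."""
    owner = secret_account(secret_id)
    return owner is not None and owner != caller_account

def _stmt(actions, principal=None, resource="*"):
    s = {"Effect": "Allow", "Action": actions, "Resource": resource}
    if principal:
        s["Principal"] = {"AWS": principal}
    return s

def build_policies(secret_arn, cmk_arn, glue_role_arn):
    """Return the three policy documents the checklist calls for."""
    doc = lambda *stmts: {"Version": "2012-10-17", "Statement": list(stmts)}
    kms_actions = ["kms:Decrypt", "kms:DescribeKey"]
    return {
        # Resource policy on the secret, in the account that owns it.
        "secret_resource_policy": doc(
            _stmt(["secretsmanager:GetSecretValue"], glue_role_arn)),
        # Statement to merge into the CMK's existing key policy; the AWS
        # managed default key's policy cannot be edited, hence the CMK.
        "cmk_key_policy": doc(_stmt(kms_actions, glue_role_arn)),
        # Identity policy on the Glue role, in the Glue job's account.
        "glue_role_policy": doc(
            _stmt(["secretsmanager:GetSecretValue"], resource=secret_arn),
            _stmt(kms_actions, resource=cmk_arn)),
    }

if __name__ == "__main__":
    print(json.dumps(build_policies(SECRET_ARN, CMK_ARN, GLUE_ROLE_ARN), indent=2))
    print(is_cross_account_ready(SECRET_ARN, "222222222222"))
```
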