7 thoughts on “Cross-account AWS Glue Data Catalog access with Glue ETL”

  1. Very nicely detailed steps – made it super easy to understand. Thank you for the nice documentation.

  2. In both policies, you are granting “Action”: “s3:*”.

    Why do we need all Write permissions on the source catalog, DBs and S3? The Glue jobs in account A only need to read the data from the relevant S3 buckets of account B. So granting all Write permissions might lead to accidentally modifying the data in account B, which is undesirable if the job is reading from prod accounts/buckets. Just reflecting based on a real scenario I’m facing!

    I guess only List and Read permissions would be enough.

    1. Hi Avishek,

      Thank you for visiting the blog.
      Yes, list and get permissions should be enough to read the data for this purpose.

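The exchange above (grant only list/get instead of "s3:*") in working form, as an added example that is not code from the original post or its author. Both policies are constructed illustrations: the wide one grants "s3:*" and "glue:*" the way the commenter describes, the narrow one keeps only the Get/List actions the reply says suffice. The account ID, region, bucket, database and table names are placeholders, and the evaluator is a deliberately minimal model of IAM identity-policy logic (Allow/Deny with wildcards; no Conditions, NotAction/NotResource, or resource policies), enough to show that the narrow policy still answers every read probe while refusing every write probe.

```python
"""Compare an over-broad cross-account Glue/S3 policy with a read-only one.

Added example, not from the original post. Policies, account ID, bucket
and table names below are constructed placeholders.
"""
import fnmatch
import json

ACCOUNT_B = "222222222222"      # placeholder account ID for account B
REGION = "us-west-2"            # placeholder region
BUCKET = "accountb-prod-data"   # placeholder data bucket in account B

# Constructed over-broad policy: every Glue and S3 action, as the comment describes.
WIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "glue:*",
         "Resource": f"arn:aws:glue:{REGION}:{ACCOUNT_B}:*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

# Constructed read-only policy: only what a Glue job that reads the catalog and data needs.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                    "glue:GetTables", "glue:GetPartition", "glue:GetPartitions"],
         "Resource": [f"arn:aws:glue:{REGION}:{ACCOUNT_B}:catalog",
                      f"arn:aws:glue:{REGION}:{ACCOUNT_B}:database/*",
                      f"arn:aws:glue:{REGION}:{ACCOUNT_B}:table/*/*"]},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Constructed probes: (action, resource) pairs a reading job needs, and ones it must not have.
TABLE_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT_B}:table/sales/orders"
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/sales/orders/part-00000.parquet"
READ_PROBES = [("s3:GetObject", OBJECT_ARN), ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
               ("glue:GetTable", TABLE_ARN), ("glue:GetPartitions", TABLE_ARN)]
WRITE_PROBES = [("s3:PutObject", OBJECT_ARN), ("s3:DeleteObject", OBJECT_ARN),
                ("s3:PutBucketPolicy", f"arn:aws:s3:::{BUCKET}"),
                ("glue:UpdateTable", TABLE_ARN), ("glue:DeleteTable", TABLE_ARN)]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM wildcards: '*' any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise
    the request is allowed only if some Allow statement matches both the
    action (case-insensitive) and the resource (case-sensitive)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not (_matches(actions, action.lower()) and _matches(resources, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def granted(policy, probes):
    """Return the probe actions the policy allows, in probe order."""
    return [action for action, resource in probes if is_allowed(policy, action, resource)]


if __name__ == "__main__":
    for name, policy in (("wide", WIDE_POLICY), ("read-only", READ_ONLY_POLICY)):
        print(name, "reads:", granted(policy, READ_PROBES))
        print(name, "writes:", granted(policy, WRITE_PROBES))
    print(json.dumps(READ_ONLY_POLICY, indent=2))
```

This is only the identity policy attached to the Glue job's role in account A; the cross-account part still depends on account B granting that role in its Data Catalog resource policy and S3 bucket policy, and scoping those the same way.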

  3. Hi Anand, this is really helpful for accessing the data catalog cross-account. I have to assume a role to access the other account. I was trying to provide the assumed role in additional_options, but it isn’t working and fails with the error below. Any reference on this?

    An error occurred while calling o65.getCatalogSource. User: arn:aws:sts::Account-A:assumed-role/ETLRole/GlueJobRunnerSession is not authorized to perform: glue:GetTable on resource: arn:aws:glue:us-west-2:AccountB:catalog (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException;

    datasource = glueContext.create_dynamic_frame.from_catalog(
        database="accountb database",
        additional_options={"aws_iam_role": "arn:aws:iam::ACCOUNTB:role/Glue-ReadOnly"},
    )
