

# Granting dynamically scoped policies for job execution
<a name="dynamically-scoped-policies"></a>

AWS Glue offers a powerful new capability: dynamic session policies for job executions. This feature allows you to specify custom, fine-grained permissions for each job run without creating multiple IAM roles.

When you start a Glue job using the `StartJobRun` API, you can include an inline session policy. This policy temporarily restricts the permissions of the job's execution role for the duration of that specific job run, in the same way that a session policy passed to the `AssumeRole` API scopes down temporary credentials in other AWS services. Because it is a session policy, it can only narrow what the execution role already allows; it cannot grant permissions the role does not have.

Key benefits:
+ **Enhanced security**: You can limit job permissions to the minimum necessary for each run.
+ **Simplified management**: Eliminates the need to create and maintain numerous IAM roles for different scenarios.
+ **Flexibility**: You can adjust permissions dynamically based on runtime parameters or tenant-specific needs.
+ **Scalability**: This method excels in multi-tenant environments where you need to isolate resources between tenants.

**Examples of granting dynamically scoped policies:**

The following examples demonstrate granting a job *read* and *write* access only to a specific Amazon S3 bucket path, where the path is determined dynamically by the job run ID (the `${JobRunId}` placeholder in the resource ARN). This illustrates how to implement granular, execution-specific permissions for each job run.

**From CLI**

```
aws glue start-job-run \
    --job-name "your-job-name" \
    --execution-role-session-policy '{
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::specific-bucket/${JobRunId}/*"
                ]
            }
        ]
    }'
```
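The same `StartJobRun` call from Python with boto3, as an added example that is not part of the original page: instead of the `${JobRunId}` placeholder it builds a session policy scoped to one tenant's prefix (the multi-tenant isolation case mentioned above) and validates the tenant identifier first, so that an untrusted value such as `*` or `../` cannot widen the prefix the policy grants. The function names, the bucket and tenant values, and the use of boto3 are assumptions; `ExecutionRoleSessionPolicy` is the request field behind the CLI option shown above.

```python
import json
import re

# Constructed check: only a conservative slug is accepted as a tenant id, so a value
# taken from a request or job argument cannot smuggle wildcards or path segments
# into the S3 ARN and thereby escape the tenant's prefix.
_TENANT_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def build_session_policy(bucket: str, tenant_id: str) -> dict:
    """Return a session policy that confines one job run to s3://bucket/<tenant_id>/."""
    if not _TENANT_RE.match(tenant_id):
        raise ValueError(f"unsafe tenant id: {tenant_id!r}")
    prefix = f"{tenant_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TenantObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {
                # Listing is granted on the bucket ARN but limited to the tenant prefix.
                "Sid": "TenantListing",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def start_scoped_job_run(job_name: str, bucket: str, tenant_id: str, arguments=None) -> str:
    """Start the Glue job with the tenant-scoped session policy and return its JobRunId."""
    import boto3  # assumption: boto3 with Glue StartJobRun support is installed

    glue = boto3.client("glue")
    response = glue.start_job_run(
        JobName=job_name,
        Arguments=arguments or {},
        # The session policy is passed as a JSON string, as in the CLI example.
        ExecutionRoleSessionPolicy=json.dumps(build_session_policy(bucket, tenant_id)),
    )
    return response["JobRunId"]
```

The policy only narrows the execution role, so the role itself must already allow the S3 actions on the bucket for the run to succeed.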