

# Specifying AWS Glue resource ARNs
<a name="glue-specifying-resource-arns"></a>

In AWS Glue, you can control access to resources using an AWS Identity and Access Management (IAM) policy. In a policy, you use an Amazon Resource Name (ARN) to identify the resource that the policy applies to. Not all resources in AWS Glue support ARNs.

**Topics**
+ [Data Catalog ARNs](#data-catalog-resource-arns)
+ [ARNs for non-catalog objects in AWS Glue](#non-catalog-resource-arns)
+ [Access control for AWS Glue non-catalog singular API operations](#non-catalog-singular-apis)
+ [Access control for AWS Glue non-catalog API operations that retrieve multiple items](#non-catalog-plural-apis)
+ [Access control for AWS Glue non-catalog BatchGet API operations](#non-catalog-batch-get-apis)

## Data Catalog ARNs
<a name="data-catalog-resource-arns"></a>

Data Catalog resources have a hierarchical structure, with `catalog` as the root.

```
arn:aws:glue:region:account-id:catalog
```

Each AWS account has a single Data Catalog in an AWS Region with the 12-digit account ID as the catalog ID. Resources have unique ARNs associated with them, as shown in the following table.


| **Resource type**  |  **ARN format**  | 
| --- | --- | 
| Catalog |  `arn:aws:glue:region:account-id:catalog` For example: `arn:aws:glue:us-east-1:123456789012:catalog`  | 
| Database |  `arn:aws:glue:region:account-id:database/database name` For example: `arn:aws:glue:us-east-1:123456789012:database/db1`  | 
| Table |  `arn:aws:glue:region:account-id:table/database name/table name` For example: `arn:aws:glue:us-east-1:123456789012:table/db1/tbl1`  | 
| Federated S3 tables catalog (All table buckets) |   `arn:aws:glue:region:account-id:catalog/s3tablescatalog`  For example: `arn:aws:glue:us-east-1:123456789012:catalog/s3tablescatalog`  | 
| Federated S3 table bucket catalog (child catalog) |   `arn:aws:glue:region:account-id:catalog/s3tablescatalog/bucket name`  For example: `arn:aws:glue:us-east-1:123456789012:catalog/s3tablescatalog/amzn-s3-demo-bucket1`  | 
| Federated S3 tables database |   `arn:aws:glue:region:account-id:database/s3tablescatalog/child catalog name/database name`  For example: `arn:aws:glue:us-east-1:123456789012:database/s3tablescatalog/amzn-s3-demo-bucket1/nsdb1`  | 
| Federated S3 table |   `arn:aws:glue:region:account-id:table/s3tablescatalog/child catalog name/database name/table name`  For example: `arn:aws:glue:us-east-1:123456789012:table/s3tablescatalog/amzn-s3-demo-bucket1/nsdb1/s3tbl1`  | 
| Federated S3 tables catalog (A single table bucket registered with Lake Formation) | `arn:aws:glue:region:account-id:catalog/catalog name` For example: `arn:aws:glue:us-east-1:123456789012:catalog/amzn-s3-demo-bucket1`   | 
| Federated S3 tables database (single table bucket) | `arn:aws:glue:region:account-id:database/catalog name/database name` For example: `arn:aws:glue:us-east-1:123456789012:database/amzn-s3-demo-bucket1/nsdb1`  | 
| Federated S3 table (single table bucket) | `arn:aws:glue:region:account-id:table/catalog name/database name/table name` For example: `arn:aws:glue:us-east-1:123456789012:table/amzn-s3-demo-bucket1/nsdb1/s3tbl1`   | 
| Federated or managed catalog (top-level catalog in a multi-catalog) |   `arn:aws:glue:region:account-id:catalog/top-level catalog name`  For example: `arn:aws:glue:us-east-1:123456789012:catalog/nscatalog` ARN format for a managed catalog follows the same structure.  | 
| Federated multi-level catalog (child catalog in a multi-level catalog) |   `arn:aws:glue:region:account-id:catalog/top-level catalog name/child catalog name`  For example: `arn:aws:glue:us-east-1:123456789012:catalog/nscatalog/dbcatalog`  | 
| Federated database |   `arn:aws:glue:region:account-id:database/name space catalog name/child catalog name/database name`  For example: `arn:aws:glue:us-east-1:123456789012:database/nscatalog/dbcatalog/schemadb`  | 
| Federated table |   `arn:aws:glue:region:account-id:table/name space catalog name/child catalog name/database name/table name`  For example: `arn:aws:glue:us-east-1:123456789012:table/nscatalog/dbcatalog/schemadb/rstbl1`  | 
| Catalog link container | `arn:aws:glue:region:account-id:catalog/link container name` For example: `arn:aws:glue:us-east-1:123456789012:catalog/linkcontainer-example`   | 
| Database (in a catalog link container) | `arn:aws:glue:region:account-id:database/link container name/database name` For example: `arn:aws:glue:us-east-1:123456789012:database/linkcontainer-example/link-db`  | 
| User-defined function |  `arn:aws:glue:region:account-id:userDefinedFunction/database name/user-defined function name` For example: `arn:aws:glue:us-east-1:123456789012:userDefinedFunction/db1/func1`  | 
| Connection |  `arn:aws:glue:region:account-id:connection/connection name` For example: `arn:aws:glue:us-east-1:123456789012:connection/connection1`  | 
| Interactive Session |  `arn:aws:glue:region:account-id:session/interactive session id` For example: `arn:aws:glue:us-east-1:123456789012:session/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`  | 

To enable fine-grained access control, you can use these ARNs in your IAM policies and resource policies to grant and deny access to specific resources. Wildcards are allowed in the policies. For example, the following ARN matches all tables in database `default`.

```
arn:aws:glue:us-east-1:123456789012:table/default/*
```

**Important**  
All operations performed on a Data Catalog resource require permission on the resource and on all the ancestors of that resource. For example, creating a partition for a table requires permission on the table, the database, and the catalog where the table is located. The following example shows the permission required to create partitions on table `PrivateTable` in database `PrivateDatabase` in the Data Catalog.  

```
{
   "Sid": "GrantCreatePartitions",
   "Effect": "Allow",
   "Action": [
       "glue:BatchCreatePartitions"
   ],
   "Resource": [
       "arn:aws:glue:us-east-1:123456789012:table/PrivateDatabase/PrivateTable",
       "arn:aws:glue:us-east-1:123456789012:database/PrivateDatabase",
       "arn:aws:glue:us-east-1:123456789012:catalog"
   ]
}
```
In addition to permission on the resource and all its ancestors, all delete operations require permission on all children of that resource. For example, deleting a database requires permission on all the tables and user-defined functions in the database, in addition to the database itself and the catalog where the database is located. The following example shows the permission required to delete database `PrivateDatabase` in the Data Catalog.  

```
{
   "Sid": "GrantDeleteDatabase",
   "Effect": "Allow",
   "Action": [
       "glue:DeleteDatabase"
   ],
   "Resource": [
       "arn:aws:glue:us-east-1:123456789012:table/PrivateDatabase/*",
       "arn:aws:glue:us-east-1:123456789012:userDefinedFunction/PrivateDatabase/*",
       "arn:aws:glue:us-east-1:123456789012:database/PrivateDatabase",
       "arn:aws:glue:us-east-1:123456789012:catalog"
   ]
}
```
In summary, actions on Data Catalog resources follow these permission rules:
+ Actions on the catalog require permission on the catalog only.
+ Actions on a database require permission on the database and catalog.
+ Delete actions on a database require permission on the database and catalog plus all tables and user-defined functions in the database.
+ Actions on a table, partition, or table version require permission on the table, database, and catalog.
+ Actions on a user-defined function require permission on the user-defined function, database, and catalog.
+ Actions on a connection require permission on the connection and catalog.
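The ancestor and children rules above can be checked mechanically. The following is an added example, not code from the AWS documentation: it expands a basic Data Catalog ARN into the full set of ARNs an `Allow` statement must cover and checks a statement against that set; federated and multi-level catalog ARNs are out of scope, and the children rule for deletes is modelled as the wildcard ARN of each child type (an assumption made here for simplicity).

```python
import re

# Added example (not AWS documentation code): expand a Glue Data Catalog ARN
# into every ARN an Allow statement must cover, following the ancestor rule
# (all actions) and the children rule (delete actions) summarized above.
# Federated and multi-level catalog ARNs are out of scope, and the children
# rule is modelled as the wildcard ARN of each child type, so a statement must
# grant at least that wildcard (enumerating every child is not modelled).
ARN_RE = re.compile(
    r"^arn:aws:glue:([^:]*):([^:]*):"
    r"(catalog|database|table|userDefinedFunction|connection)(?:/(.*))?$"
)

def required_arns(arn, delete=False):
    """Return the ARNs a policy must grant for an action on `arn`."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a Data Catalog ARN: {arn}")
    region, account, rtype, path = m.groups()
    prefix = f"arn:aws:glue:{region}:{account}"
    catalog = f"{prefix}:catalog"
    if rtype == "catalog":
        return [catalog]
    if rtype == "connection":               # connection and catalog only
        return [arn, catalog]
    db = (path or "").split("/")[0]
    if rtype == "database":
        required = [arn, catalog]
        if delete:                          # every table and UDF in the database
            required = [f"{prefix}:table/{db}/*",
                        f"{prefix}:userDefinedFunction/{db}/*"] + required
        return required
    # table (partitions and versions share its ARN) or user-defined function
    return [arn, f"{prefix}:database/{db}", catalog]

def iam_match(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None

def statement_covers(statement, arn, delete=False):
    """True if every required ARN is matched by a Resource entry of `statement`."""
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    return all(any(iam_match(p, need) for p in resources)
               for need in required_arns(arn, delete))
```

Running `statement_covers` against the `GrantDeleteDatabase` statement above returns `True`, while a statement that lists only the table ARN fails because the database and catalog ancestors are missing.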

## ARNs for non-catalog objects in AWS Glue
<a name="non-catalog-resource-arns"></a>

Some AWS Glue resources allow resource-level permissions to control access using an ARN. You can use these ARNs in your IAM policies to enable fine-grained access control. The following table lists the resource types that have resource ARNs.


| **Resource type**  |  **ARN format**  | 
| --- | --- | 
| Crawler |  `arn:aws:glue:region:account-id:crawler/crawler-name` For example: `arn:aws:glue:us-east-1:123456789012:crawler/mycrawler`  | 
| Job |  `arn:aws:glue:region:account-id:job/job-name` For example: `arn:aws:glue:us-east-1:123456789012:job/testjob`  | 
| Trigger |  `arn:aws:glue:region:account-id:trigger/trigger-name` For example: `arn:aws:glue:us-east-1:123456789012:trigger/sampletrigger`  | 
| Development endpoint |  `arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name` For example: `arn:aws:glue:us-east-1:123456789012:devEndpoint/temporarydevendpoint`  | 
| Machine learning transform |  `arn:aws:glue:region:account-id:mlTransform/transform-id` For example: `arn:aws:glue:us-east-1:123456789012:mlTransform/tfm-1234567890`  | 

## Access control for AWS Glue non-catalog singular API operations
<a name="non-catalog-singular-apis"></a>

AWS Glue non-catalog *singular* API operations act on a single item (for example, one development endpoint). Examples are `GetDevEndpoint`, `CreateDevEndpoint`, and `UpdateDevEndpoint`. For these operations, a policy must put the API name in the `"Action"` block and the resource ARN in the `"Resource"` block.

Suppose that you want to allow a user to call the `GetDevEndpoint` operation. The following policy grants the minimum necessary permissions to an endpoint named `myDevEndpoint-1`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MinimumPermissions",
      "Effect": "Allow",
      "Action": "glue:GetDevEndpoint",
      "Resource": "arn:aws:glue:us-east-1:111122223333:devEndpoint/myDevEndpoint-1"
    }
  ]
}
```

The following policy allows `UpdateDevEndpoint` access to resources whose name matches `myDevEndpoint-` followed by a wildcard (`*`).

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionWithWildcard",
      "Effect": "Allow",
      "Action": "glue:UpdateDevEndpoint",
      "Resource": "arn:aws:glue:us-east-1:111122223333:devEndpoint/myDevEndpoint-*"
    }
  ]
}
```

You can combine the two policies as in the following example, which grants both actions on every development endpoint whose name begins with `A`. For such an endpoint that does not exist, the call is authorized and you see `EntityNotFoundException`. For any development endpoint whose name does not begin with `A`, an access denied error is returned instead.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CombinedPermissions",
      "Effect": "Allow",
      "Action": [
        "glue:UpdateDevEndpoint",
        "glue:GetDevEndpoint"
      ],
      "Resource": "arn:aws:glue:us-east-1:111122223333:devEndpoint/A*"
    }
  ]
}
```

## Access control for AWS Glue non-catalog API operations that retrieve multiple items
<a name="non-catalog-plural-apis"></a>

Some AWS Glue API operations retrieve multiple items (such as multiple development endpoints); for example, `GetDevEndpoints`. For this operation, you can specify only a wildcard (`*`) resource, not specific ARNs.

For example, to include `GetDevEndpoints` in the policy, the resource must be scoped to the wildcard (`*`). The singular operations in the example (`GetDevEndpoint`, `CreateDevEndpoint`, and `UpdateDevEndpoint`) are therefore also scoped to all (`*`) resources.

```
{
   "Sid": "PluralAPIIncluded",
   "Effect": "Allow",
   "Action": [
       "glue:GetDevEndpoints",
       "glue:GetDevEndpoint",
       "glue:CreateDevEndpoint",
       "glue:UpdateDevEndpoint"
   ],
   "Resource": [
       "*"
   ]
}
```

## Access control for AWS Glue non-catalog BatchGet API operations
<a name="non-catalog-batch-get-apis"></a>

Some AWS Glue API operations also retrieve multiple items (such as multiple development endpoints); for example, `BatchGetDevEndpoints`. For these operations, unlike the plural `Get` operations, you can specify ARNs to limit the scope of resources that can be accessed.

For example, to allow access to a specific development endpoint, include `BatchGetDevEndpoints` in the policy with its resource ARN.

```
{
   "Sid": "BatchGetAPIIncluded",
   "Effect": "Allow",
   "Action": [
       "glue:BatchGetDevEndpoints"
   ],
   "Resource": [
       "arn:aws:glue:us-east-1:123456789012:devEndpoint/de1"
   ]
}
```

With this policy, you can successfully access the development endpoint named `de1`. However, if you try to access the development endpoint named `de2`, an error is returned.

```
An error occurred (AccessDeniedException) when calling the BatchGetDevEndpoints operation: No access to any requested resource.
```
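The three classes of non-catalog operations (singular, plural `Get`, and `BatchGet`) evaluate resources differently. The following is an added example, not code from the AWS documentation: a small evaluator over a constructed policy that reuses the `CombinedPermissions` and `BatchGetAPIIncluded` statements from this page; it assumes that a `BatchGet` call returns the authorized subset of the requested endpoints and fails only when none of them is authorized (the case the error above shows).

```python
import re
# Added example (not AWS documentation code): evaluator for the three classes of
# non-catalog Glue operations described above, using a constructed policy built
# from the page's CombinedPermissions and BatchGetAPIIncluded statements.
# Assumption: BatchGet returns the authorized subset and fails only if none is.
PLURAL = {"glue:GetDevEndpoints"}       # grantable only with Resource "*"
BATCH = {"glue:BatchGetDevEndpoints"}   # evaluated per requested resource

EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CombinedPermissions", "Effect": "Allow",
         "Action": ["glue:UpdateDevEndpoint", "glue:GetDevEndpoint"],
         "Resource": "arn:aws:glue:us-east-1:111122223333:devEndpoint/A*"},
        {"Sid": "BatchGetAPIIncluded", "Effect": "Allow",
         "Action": ["glue:BatchGetDevEndpoints"],
         "Resource": ["arn:aws:glue:us-east-1:111122223333:devEndpoint/de1"]},
    ],
}

def iam_match(pattern, arn):
    """IAM resource matching: '*' matches any run of characters, '?' one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, arn) is not None

def _grants(policy, action):
    # Resource entries of every Allow statement that names `action`
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st.get("Effect") == "Allow" and action in actions:
            res = st["Resource"]
            yield from (res if isinstance(res, list) else [res])

def endpoint_arn(name, account="111122223333", region="us-east-1"):
    return f"arn:aws:glue:{region}:{account}:devEndpoint/{name}"

def call(policy, action, names):
    """Simulate `action` on endpoints `names`; returns (allowed names, error)."""
    resources = list(_grants(policy, action))
    if action in PLURAL:            # a specific ARN never satisfies a plural Get
        ok = "*" in resources
        return (list(names) if ok else [], None if ok else "AccessDeniedException")
    allowed = [n for n in names if any(iam_match(p, endpoint_arn(n)) for p in resources)]
    if action in BATCH:
        if allowed:
            return allowed, None
        return [], ("An error occurred (AccessDeniedException) when calling the "
                    f"{action.split(':')[1]} operation: No access to any requested resource.")
    (name,) = names                 # singular operations act on exactly one item
    return (allowed, None) if allowed else ([], "AccessDeniedException")
```

With `EXAMPLE_POLICY`, `GetDevEndpoint` on `Abc` is allowed and on `xyz` is denied, `GetDevEndpoints` is denied because no statement grants `*`, and `BatchGetDevEndpoints` on `de1` and `de2` returns only `de1`.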

**Important**  
For alternative approaches to setting up IAM policies, such as using `List` and `BatchGet` API operations, see [Identity-based policy examples for AWS Glue](security_iam_id-based-policy-examples.md). 