What permission am I missing for AWS Glue and Development Endpoint?
Solution 1
I was tripped up by this as well; the problem is that when you use the console to create a default glue service role it ends up creating the IAM role like this:
arn:aws:iam:::role/service-role/AWSGlueServiceRole-DefaultRole
Make note of the "service-role" in the path.
But then when choosing that role as the role you want to use in the console wizard for setting up a new dev endpoint it doesn't include the "service-role" in the path and looks for a role named like this:
arn:aws:iam:::role/AWSGlueServiceRole-DefaultRole
I think this is just a bug in the console wizard for creating dev endpoints. I got around it by creating a new role that doesn't have "service-role" in the path and then chose that role in the console wizard and was able to successfully create a dev endpoint.
Solution 2
In your trust relationship, the trust should be established with glue.amazonaws.com
. Your role (AWSGlueServiceRole-DefaultRole) may not have this. To confirm, go to the IAM roles console, select the IAM role: AWSGlueServiceRole-DefaultRole and click on the Trust Relationship
tab.
The json for this should look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Example screenshot for the Trust relationship:
jonathanglima
Updated on July 08, 2022Comments
-
jonathanglima almost 2 years
I'm getting the following error when I try to create a development endpoint for AWS Glue.
{ "service":"AWSGlue", "statusCode":400, "errorCode":"ValidationException", "requestId":"<here goes an UUID>", "errorMessage":"Role arn:aws:iam::<IAM ID>:role/AWSGlueServiceRole-DefaultRole should be given assume role permissions for Glue Service.\n", "type":"AwsServiceError" }
And my role has the following permissions.
- AmazonS3FullAccess
- AWSGlueServiceNotebookRole
- AmazonAthenaFullAccess
- AWSGlueServiceRole
- CloudWatchLogsReadOnlyAccess
- AWSGlueConsoleFullAccess
- AWSCloudFormationReadOnlyAccess
Any clues on what am I missing?
-
krishna_mee2004 about 6 yearsHave you looked at this AWS document: docs.aws.amazon.com/glue/latest/dg/…. The user (using which you have logged in to the AWS console) should have
iam:PassRole
permission; not just the IAM role (AWSGlueServiceRole-DefaultRole). -
jonathanglima about 6 yearsI'll try to add that. But says here docs.aws.amazon.com/glue/latest/dg/attach-policy-iam-user.html that I can skip this if my role has full access
-
krishna_mee2004 about 6 yearsThat statement indicates that - the user you are logging into the AWS console should have that policy attached. Because
AWSGlueConsoleFullAccess
hasiam:PassRole
. -
jonathanglima about 6 yearsAdded AWSGlueConsoleFullAccess to the user logged in and the iam:PassRole as inline. Still does not work
-
jonathanglima about 6 yearsDo I need to have one role for the job and another role for development endpoint?
-
byamabe about 6 yearsIf you follow the data lake QuickStart, don't reuse the role it creates. It creates the "/service-role" version of the role and fails when used to create a development endpoint.