The AWS Glue Data Catalog integration requires both AWS Glue access and S3 metadata access.
The best way to set up the AWS Glue integration is by running CloudFormation/Terraform directly from the AWS Role Setup. For manual setup, proceed below.

Manual Setup

Follow the manual steps to create a role and attach Glue and S3 policies, as described here:
  1. Create the “Ryft-ControlPlaneRole” (or reuse it if it already exists)
  2. Create and attach the Glue access policy
  3. Create and attach the S3 access policy
You are done! Locate the ARN of the role you have just created (“Ryft-ControlPlaneRole”) and provide it to Ryft. The ARN should look similar to: arn:aws:iam::<account>:role/Ryft-ControlPlaneRole

Glue Metadata Encryption

If you are using Glue Metadata Encryption, ensure that the role you created above has the necessary KMS permissions to the encryption key as well.
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
      }
    ]
}
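
The following check is an added example, not part of the original page or of Ryft's tooling: it parses one identity policy document and reports which of the three KMS actions above are not granted on the given key, and warns when the grant uses wildcards. It assumes only `Action`/`Resource` statements matter (no `Condition`, `NotAction`, or key-policy evaluation); the function and sample names are hypothetical.

```python
import fnmatch
import json

# The three actions granted by the page's KMS policy for Glue metadata encryption.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey")


def _as_list(value):
    """IAM accepts either a bare string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_kms_policy(policy_json, key_arn):
    """Return (missing_actions, warnings) for one identity policy document."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    allowed, denied, warnings = set(), set(), []
    for stmt in statements:
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # fnmatch approximates IAM's "*" and "?" wildcards; ARNs are case-sensitive.
        if not any(fnmatch.fnmatchcase(key_arn, r) for r in resources):
            continue
        # IAM action names are matched case-insensitively.
        hit = {a for a in REQUIRED_KMS_ACTIONS
               if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in actions)}
        if stmt.get("Effect") == "Deny":
            denied |= hit  # an explicit Deny always overrides an Allow
            continue
        allowed |= hit
        if hit and any("*" in r for r in resources):
            warnings.append("wildcard Resource: grant is not scoped to one key")
        if hit and any("*" in p for p in actions):
            warnings.append("wildcard Action: grants more than the three actions")
    missing = [a for a in REQUIRED_KMS_ACTIONS if a not in allowed - denied]
    return missing, warnings


# Constructed sample: the page's policy with one action dropped and Resource widened.
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/key-id"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:Decrypt", "kms:Encrypt"],
                   "Resource": "*"}],
})

if __name__ == "__main__":
    print(check_kms_policy(SAMPLE_POLICY, SAMPLE_KEY_ARN))
```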

AWS Lake Formation

If you are using AWS Lake Formation to manage access to your Glue Catalog, ensure that the role you created above has the necessary Lake Formation permissions as well. Follow the AWS documentation here to grant the required permissions to the role.

Amazon S3 Access Points

If you are using Amazon S3 Access Points as the storage location for your tables, ensure that the role you created above has the necessary permissions for the access point. The policy for access points should include the same S3 actions mentioned above, with the resource in the format of arn:aws:s3:<region>:<account_id>:accesspoint/<access_point_name>. For more details, see AWS documentation here.