
# AWS Glue Data Catalog

> Connect AWS Glue Data Catalog to Ryft for Iceberg table management and optimization. Requires Glue and S3 access - set up via CloudFormation, Terraform, or manually.

**The AWS Glue Data Catalog integration requires both AWS Glue access and S3 metadata access.**

<Note>
  The best way to set up the AWS Glue integration is by running CloudFormation/Terraform directly from the
  [AWS Role Setup](/integrations/aws-role-setup#option-a%3A-create-iam-role-with-policies-attached-with-cloudformation-%2F-terraform).

  For manual setup, proceed below.
</Note>

### Manual Setup

Follow the manual steps to create a role and attach Glue and S3 policies, as described [here](/integrations/aws-role-setup#aws-policies):

1. Create the "**Ryft-ControlPlaneRole**" (or reuse it if it already exists)
2. Create and attach the Glue access policy
3. Create and attach the S3 access policy

<Check>
  You are done! Locate the ARN of the role you have just created ("**Ryft-ControlPlaneRole**") and provide it to Ryft.
  The ARN should look similar to: `arn:aws:iam::<account>:role/Ryft-ControlPlaneRole`
</Check>

## Glue Metadata Encryption

If you are using Glue Metadata Encryption, ensure that the role you created above also has the necessary KMS permissions on the encryption key.

```json {11}
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
      }
    ]
}
```
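
A pre-flight lint for the policy above, as an added example (not Ryft's or AWS's code): it checks offline that a policy document grants the three KMS actions shown here on one specific key ARN rather than through wildcards. The function names and both sample policies are constructed for illustration.

```python
import json
import re

# Actions granted by the policy on this page, lowercased (IAM action names are case-insensitive).
REQUIRED = {"kms:decrypt", "kms:encrypt", "kms:generatedatakey"}
# Shape of a single-key ARN such as arn:aws:kms:us-east-1:111122223333:key/key-id
KEY_ARN = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[^*?]+")


def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_kms_policy(policy_json, key_arn):
    """Return findings for a policy document; an empty list means it passes."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    findings, granted = [], set()
    for stmt in statements:
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        kms = [a for a in actions if a == "*" or a.startswith("kms:")]
        if stmt.get("Effect") != "Allow" or not kms:
            continue
        resources = as_list(stmt.get("Resource"))
        findings += [f"wildcard action: {a}" for a in kms if "*" in a]
        findings += [f"resource is not a single key ARN: {r}"
                     for r in resources if not KEY_ARN.fullmatch(r)]
        if key_arn in resources:
            # Only explicitly named actions count toward the required set.
            granted.update(a for a in kms if "*" not in a)
    findings += [f"not granted explicitly on {key_arn}: {a}"
                 for a in sorted(REQUIRED - granted)]
    return findings


# Constructed samples: the page's policy shape, then an over-broad variant.
KEY = "arn:aws:kms:us-east-1:111122223333:key/key-id"
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"],
    "Resource": KEY}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "kms:*", "Resource": "*"}]})
```

This is a static lint of one identity policy document; it does not evaluate `Deny` statements, conditions, or the KMS key policy itself.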

## AWS Lake Formation

If you are using AWS Lake Formation to manage access to your Glue Catalog, ensure that the role you created above has the necessary Lake Formation permissions as well.
Follow the AWS documentation [here](https://docs.aws.amazon.com/lake-formation/latest/dg/granting-database-permissions.html) to grant the required permissions to the role.

## Amazon S3 Access Points

If you are using Amazon S3 Access Points as the storage location for your tables, ensure that the role you created above has the necessary permissions for the access point.
The policy for access points should include the same S3 actions mentioned above, with the resource in the format of `arn:aws:s3:<region>:<account_id>:accesspoint/<access_point_name>`.
For more details, see AWS documentation [here](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html).
