@@ -55,7 +55,7 @@ def __init__(
5555 self .workbench_glue_role = self .create_glue_role ()
5656
5757 ####################
58- # S3 Section #
58+ # S3 Buckets #
5959 ####################
6060 def _bucket_names_to_arns (self , bucket_list : list [str ]) -> list [str ]:
6161 """Convert a list of dynamic bucket names to ARNs."""
@@ -108,25 +108,23 @@ def s3_public() -> iam.PolicyStatement:
108108 resources = ["arn:aws:s3:::*" ],
109109 )
110110
111- ##############################
112- # Glue Data Catalog #
113- ##############################
111+ ######################
112+ # Glue Catalog #
113+ ######################
114114 def glue_catalog_read (self ) -> iam .PolicyStatement :
115- """Read-only access to the entire Glue Data Catalog."""
115+ """Read-only discovery across the entire Glue Data Catalog."""
116116 return iam .PolicyStatement (
117117 actions = [
118118 "glue:GetDatabases" ,
119119 "glue:GetTable" ,
120120 "glue:GetTables" ,
121121 "glue:SearchTables" ,
122- "glue:GetPartition" ,
123- "glue:GetPartitions" ,
124122 ],
125123 resources = [f"arn:aws:glue:{ self .region } :{ self .account } :catalog" ],
126124 )
127125
128126 def glue_catalog_full (self ) -> iam .PolicyStatement :
129- """Full access to the Glue Data Catalog including CRUD operations ."""
127+ """Full catalog access including database creation ."""
130128 read_statement = self .glue_catalog_read ()
131129 return iam .PolicyStatement (
132130 actions = read_statement .actions + [
@@ -138,6 +136,49 @@ def glue_catalog_full(self) -> iam.PolicyStatement:
138136 resources = [f"arn:aws:glue:{ self .region } :{ self .account } :catalog" ],
139137 )
140138
139+ #######################
140+ # Glue Database #
141+ #######################
142+ def glue_databases_read (self ) -> iam .PolicyStatement :
143+ """Read-only access to Workbench-managed databases and tables."""
144+ return iam .PolicyStatement (
145+ actions = [
146+ "glue:GetDatabase" ,
147+ "glue:GetTable" ,
148+ "glue:GetTables" ,
149+ "glue:GetPartition" ,
150+ "glue:GetPartitions" ,
151+ ],
152+ resources = self ._workbench_database_arns (),
153+ )
154+
155+ def glue_databases_full (self ) -> iam .PolicyStatement :
156+ """Full access to Workbench-managed databases and tables."""
157+ return iam .PolicyStatement (
158+ actions = [
159+ "glue:GetDatabase" ,
160+ "glue:GetTable" ,
161+ "glue:GetTables" ,
162+ "glue:CreateTable" ,
163+ "glue:UpdateTable" ,
164+ "glue:DeleteTable" ,
165+ "glue:GetPartition" ,
166+ "glue:GetPartitions" ,
167+ ],
168+ resources = self ._workbench_database_arns (),
169+ )
170+
171+ def _workbench_database_arns (self ) -> list [str ]:
172+ """Helper to get all Workbench-managed database/table ARNs."""
173+ return [
174+ f"arn:aws:glue:{ self .region } :{ self .account } :database/workbench" ,
175+ f"arn:aws:glue:{ self .region } :{ self .account } :table/workbench/*" ,
176+ f"arn:aws:glue:{ self .region } :{ self .account } :database/sagemaker_featurestore" ,
177+ f"arn:aws:glue:{ self .region } :{ self .account } :table/sagemaker_featurestore/*" ,
178+ f"arn:aws:glue:{ self .region } :{ self .account } :database/inference_store" ,
179+ f"arn:aws:glue:{ self .region } :{ self .account } :table/inference_store/*" ,
180+ ]
181+
141182 def glue_pass_role (self ) -> iam .PolicyStatement :
142183 """Allows us to specify the Workbench-Glue role when creating a Glue Job"""
143184 return iam .PolicyStatement (
@@ -663,6 +704,7 @@ def workbench_datasource_policy(self) -> iam.ManagedPolicy:
663704 self .s3_full (),
664705 self .s3_public (),
665706 self .glue_catalog_full (),
707+ self .glue_databases_full (),
666708 self .glue_job_read_policy (),
667709 self .glue_job_create_policy (),
668710 self .glue_job_connections_policy_statement (),
@@ -684,6 +726,7 @@ def workbench_featureset_policy(self) -> iam.ManagedPolicy:
684726 policy_statements = [
685727 self .s3_full (),
686728 self .glue_catalog_full (),
729+ self .glue_databases_full (),
687730 self .athena_policy_statement (),
688731 self .athena_workgroup_policy_statement (),
689732 self .featurestore_list_policy_statement (),