Create AWS IAM Role for Glue Job

Cohesity uses AWS Glue jobs to process and sort Amazon S3 inventory reports during full and baseline incremental backups of AWS S3 buckets.

For these Glue jobs to run successfully, an AWS IAM role named AWSGlueServiceRole must exist in the customer’s AWS account with the required permissions and trust relationship.

Before You Begin

Before creating a new IAM role:

  • Verify whether the AWSGlueServiceRole already exists in your AWS account.

  • If the role exists, ensure it has:

    • The required managed policies

    • The correct trust relationship

  • If the role does not exist, create it using one of the supported methods described below.

Verify Whether the IAM Role Exists

Perform the following steps to verify whether the AWSGlueServiceRole already exists:

  1. Log in to the AWS Management Console.

  2. Navigate to IAM > Roles.

  3. Search for AWSGlueServiceRole.

If the role exists, verify the following:

  • Required Permissions

  • Required Trust Relationship

Required Permissions

The AWSGlueServiceRole must have the following policies attached:

  • AWSGlueServiceRole

    (AWS-managed policy for Glue service execution)

  • AmazonS3FullAccess

    Required to:

    • Read S3 inventory reports

    • Write processed objects to the destination S3 path

Required Trust Relationship

The role must allow AWS Glue to assume it. Verify that the trust relationship includes the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "glue.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
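As an added verification aid (not part of the Cohesity documentation), the following Python script checks a role description of the shape boto3's iam.get_role() and iam.list_attached_role_policies() return for the trust relationship and the two managed policies required above; SAMPLE_ROLE is a constructed input, and the required policy ARNs are the ones used in the CloudFormation template later on this page.

```python
# Required managed policy ARNs, as listed in the CloudFormation template on this page.
REQUIRED_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole",
    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
}
GLUE_SERVICE = "glue.amazonaws.com"

def _as_list(value):
    # IAM policy JSON allows a single string or a list in most positions.
    return value if isinstance(value, list) else [value]

def trust_allows_glue(trust_policy):
    """True if an Allow statement lets glue.amazonaws.com call sts:AssumeRole.
    trust_policy is the AssumeRolePolicyDocument as a dict (boto3 get_role shape)."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # Deny statements and "*" / AWS-only principals never satisfy the check
        if (GLUE_SERVICE in _as_list(principal.get("Service", []))
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False

def missing_policies(attached_policy_arns):
    """Required managed policy ARNs that are not attached to the role."""
    return sorted(REQUIRED_POLICY_ARNS - set(attached_policy_arns))

def check_role(role):
    """Return a list of problems for a role dict; an empty list means it meets the requirements."""
    problems = []
    if not trust_allows_glue(role["AssumeRolePolicyDocument"]):
        problems.append("trust policy does not allow glue.amazonaws.com to sts:AssumeRole")
    for arn in missing_policies(p["PolicyArn"] for p in role["AttachedPolicies"]):
        problems.append(f"missing managed policy {arn}")
    return problems

# Constructed sample: the role trusts Glue but AmazonS3FullAccess was never attached.
SAMPLE_ROLE = {
    "RoleName": "AWSGlueServiceRole",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "glue.amazonaws.com"},
                       "Action": "sts:AssumeRole"}]},
    "AttachedPolicies": [
        {"PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"}],
}

if __name__ == "__main__":
    for line in check_role(SAMPLE_ROLE) or ["role meets the requirements"]:
        print(line)
```

To check a live account, build the same dict from iam.get_role(RoleName=...)["Role"] plus iam.list_attached_role_policies(RoleName=...)["AttachedPolicies"]; the sample run itself needs no boto3.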

Create the IAM Role

If AWSGlueServiceRole does not exist, create it using one of the following methods, depending on whether the required managed policy already exists in your AWS account.

Create the IAM Role Using AWS Glue Getting Started Wizard

This method is recommended when the customer managed policy AWSGlueServiceRole-EZCRC-s3Policy does not already exist in your AWS account.

Creating the role from the AWS Glue Getting Started Wizard may fail if a role or policy with the same name already exists. In such cases, we recommend you create the IAM Role using the CloudFormation Template.

Perform the following steps to create the IAM role and attach the required policy:

  1. Log in to the AWS Management Console.

  2. Navigate to AWS Glue.

  3. Click Set up roles and users.

  4. On the Choose IAM users and roles for AWS Glue page, retain the default selections and click Next.

  5. On the Grant Amazon S3 access page, retain the default settings and click Next.

  6. On the Choose a default service role page:

    1. Ensure the role name is AWSGlueServiceRole.

    2. Click Next.

  7. On the Review and confirm page, click Apply changes.

    The IAM role is created.

  8. Navigate to the IAM service and confirm that the role AWSGlueServiceRole exists.

  9. Confirm the AWSGlueServiceRole managed policy is attached to the role.

  10. Confirm that the trust relationship attached to the role allows the AWS Glue service to assume the role:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "glue.amazonaws.com"
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        }

  11. Add the AmazonS3FullAccess policy to this role so the Glue job can read the inventory report and write objects to the destination path, using the following steps.

  12. From the Permissions tab of the role, click Add permissions > Attach policies.

  13. Select AmazonS3FullAccess.

Create the IAM Role Using CloudFormation Template

Creating AWSGlueServiceRole using the CloudFormation template is recommended when the AWSGlueServiceRole managed policy already exists.

You can use the following CloudFormation Template for creating the IAM Role:

AWSTemplateFormatVersion: "2010-09-09"
Description: "Creates an IAM role for AWS Glue jobs to assume for Cohesity Backups"
Resources:
  AWSGlueServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSGlueServiceRole
      Path: /service-role/
      Description: Role for Glue jobs to assume for Cohesity Backups
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
        - arn:aws:iam::aws:policy/AmazonS3FullAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: glue.amazonaws.com
            Action: sts:AssumeRole
      Tags:
        - Key: UniqueTag
          Value: cohesity
Outputs:
  RoleName:
    Description: Name of the created IAM Role
    Value: !Ref AWSGlueServiceRole
  RoleArn:
    Description: ARN of the created IAM Role
    Value: !GetAtt AWSGlueServiceRole.Arn

To run the CloudFormation Template:

  1. Log in to the AWS Management Console.

  2. Navigate to All services and select CloudFormation.

  3. Click Create stack > With new resources (standard) to create a stack from the CloudFormation Template saved above.

  4. In the Prerequisite - Prepare template page, select Upload a template file.

  5. Click Choose File and browse to the saved CloudFormation Template file.

  6. Click Next.

  7. Provide a Stack name. The stack name can include letters (A-Z and a-z), numbers (0-9), and dashes (-).

  8. Click Next.

  9. Retain all the default stack configuration options and click Next.

  10. On the Review page, select the checkboxes that need to be acknowledged and click Create stack.