AWS glue medium security documentation change
Summary
Added documentation for ExecutionRoleSessionPolicy parameter in StartJobRun API, explaining inline session policies for dynamically restricting execution role permissions
Security assessment
The change introduces documentation for a security feature that allows temporary permission restriction of execution roles via inline policies. This directly relates to security by enabling least-privilege access patterns without requiring permanent role changes.
Diff
diff --git a/glue/latest/dg/aws-glue-api-jobs-runs.md b/glue/latest/dg/aws-glue-api-jobs-runs.md index a21d94eb9..57e1d53aa 100644 --- a//glue/latest/dg/aws-glue-api-jobs-runs.md +++ b//glue/latest/dg/aws-glue-api-jobs-runs.md @@ -219,0 +220,4 @@ For example, when a job run is in a WAITING state as a result of job run queuing + * `ExecutionRoleSessionPolicy` – UTF-8 string, not less than 2 or more than 2048 bytes long. + +This inline session policy to the StartJobRun API allows you to dynamically restrict the permissions of the specified execution role for the scope of the job, without requiring the creation of additional IAM roles. + @@ -456,0 +461,4 @@ The name of an AWS Glue usage profile associated with the job run. + * `ExecutionRoleSessionPolicy` – UTF-8 string, not less than 2 or more than 2048 bytes long. + +This inline session policy to the StartJobRun API allows you to dynamically restrict the permissions of the specified execution role for the scope of the job, without requiring the creation of additional IAM roles. +