Recently, I noticed a change in behavior while creating AWS Glue Crawlers. A few days ago, I was able to add tags while creating a crawler, even though my IAM policy did not explicitly grant glue:TagResource. However, now when I try to create a crawler with tags, I get an error stating that the user does not have permission for glue:TagResource.
My requirement is:
Users should be able to add tags only while creating a resource (Glue crawler).
Is there a way to allow tagging only at resource creation? Has AWS changed how permissions work for tagging Glue Crawlers?
Would appreciate any insights or workarounds. Thanks!
Asked 2 days ago by Scott Mccall

1 Answer
AWS notified in January 2024 that an issue was detected with policies calling the Glue Create*, allowing the creation of resources with tags regardless of whether they have an "Allow" or "Deny" for the glue:TagResource IAM action.
They fixed the issue on April 30, 2024.
This was notified and was visible in the scheduled changes in the AWS Health Dashboard; unfortunately, the changes in the Health Dashboard have a 3-month range from the start date.
If you have found a similar issue, I recommend opening a support ticket through the AWS console.
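Since tagged creation now depends on glue:TagResource, a quick audit can show which identity policies allow crawler creation but would fail when tags are supplied. This is an added example, not code from the question or the answer; the function names are hypothetical, the sample policies are constructed, and the evaluation is simplified (Resource, Condition and NotAction are ignored, so a conditional Deny is treated as a Deny).

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; * and ? act as wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def action_effect(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action.

    Assumption: only Effect and Action are evaluated.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue
        if any(_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

def tagged_create_gaps(policy, create_actions=("glue:CreateCrawler",)):
    """List create actions that are allowed while glue:TagResource is not."""
    tag_effect = action_effect(policy, "glue:TagResource")
    if tag_effect == "Allow":
        return []
    return [(a, tag_effect) for a in create_actions
            if action_effect(policy, a) == "Allow"]

# Constructed sample policies.
CREATE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["glue:CreateCrawler", "glue:StartCrawler"]}]}
WILDCARD_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "glue:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "glue:TagResource", "Resource": "*"}]}
CREATE_AND_TAG = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["glue:Create*", "glue:TagResource"]}]}

if __name__ == "__main__":
    for name, pol in [("CREATE_ONLY", CREATE_ONLY),
                      ("WILDCARD_WITH_DENY", WILDCARD_WITH_DENY),
                      ("CREATE_AND_TAG", CREATE_AND_TAG)]:
        print(name, tagged_create_gaps(pol))
```

A non-empty result means users under that policy can still create crawlers, but a create call that includes tags will be rejected.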