Adding an AWS Glue (Data Catalog) Connection

Technical Documentation : Connectors : Adding an AWS Glue (Data Catalog) Connection

Was this helpful?

Prerequisites

A user with sufficient permissions is required to establish a connection with AWS Glue.
Zeenea traffic flows towards the database must be open.

The Agent's host server must have sufficient credentials to connect to AWS Glue. The available authentication methods are:

Instance Role
Environment Variable
Configuration File

Target	Protocol	Usual Ports
AWS Glue	HTTP	443

Note: You can find a link to the configuration template in Zeenea Connector Downloads.

Supported Versions

The AWS Glue connector is compatible with the online application.

Installing the Plugin

You can download the AWS Glue plugin from Zeenea Connector Downloads.

For more information about how to install a plugin, see Installing and Configuring Connectors as a Plugin.

Declaring the Connection

Connectors are created and configured through a dedicated configuration file located in the /connections folder of the relevant scanner.

For more information about managing connections, see Managing Connections.

To establish a connection with an AWS Glue instance, fill in the following parameters in the dedicated configuration file:

Parameter	Expected value
name	Specifies the display name for the connection.
code	Specifies the unique identifier of the connection on the Zeenea platform. Once registered on the platform, this code must not be modified or the connection will be considered as new and the old one removed from the scanner.
connector_id	Specifies the type of connector to be used for the connection. The value must be aws.glue and must not be modified.
enabled	Specifies whether to enable or disable the connection (true or false). The default value is true.
catalog_code	Specifies the catalog code associated with the connection (default when empty).
alias	Specifies the list of aliases used by other connectors to generate lineage link. For example, ["localhost:1234/db","https://some-url.org"]
secret_manager.enabled	Specifies whether to enable or disable the secret manager for the connection. This configuration works only with Scanner 73 or later and requires a functional secret manager configured in the scanner configuration file. The default value is true.
secret_manager.key	Specifies the name of the secret.
connection.aws.profile	Specifies the AWS profile for authentication.
connection.aws.access_key_id	Specifies the AWS access key identifier.
connection.aws.secret_access_key	Specifies the AWS secret access key.
connection.aws.session_token	Specifies the AWS session token.
connection.aws.region	Specifies the AWS region.
connection.aws.multi_account.enabled	Specifies whether to allow a single connection to retrieve data from other AWS account data catalog. To connect to multiple accounts, configure AWS cross access between accounts. For more information, see AWS documentation. The default value is false. Since version 3.3.1
connection.aws.multi_account.list	Specifies which account or region to connected to. It must be a list of account:region entries, separated by a space. For example: 123456789012:eu-west-2 987654321098:eu-west-2 Since version 3.3.1
connection.fetch_page_size	(Advanced) Specifies the size of batch of items loaded by each request in inventory. Since version 1.0.3
filter	Specifies the filter based on specific characteristics. For more information, see Rich Filters. Since version 3.4.1

User Permissions

To collect metadata, the running user's permissions must allow them to access and read databases that need cataloging.

Roles

The user must be able to run the following actions on the target bucket and the objects it contains:

glue:GetTable
glue:GetTables
glue:GetDatabases

Example for cataloging a bucket (in JSON):

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SearchTables",
"Effect": "Allow",
"Action": [
"glue:GetTable",
"glue:GetTables",
"glue:GetDatabases"
],
"Resource": "*"
}
]
}

Rich Filters

Starting with version 3.4.1, the connector includes a rich filter mechanism that allows you to extract specific tables or databases based on defined criteria.

Criteria	Description
database	Database name
table	Table name

For example:

filter = """
database in ('production', 'qa')
and table ~ /(?:hr|it|market)_figures/
"""

Note: The filter attribute can contain either a raw value or a file URL to the content. (for example, file:///path/to/zeenea/connections/aws-glue-inventory-filter.json). When you use a side-file, any changes to the filter are applied without restarting the scanner.

For more information about filters, see Filters.

Data Extraction

To extract information, the connector requests AWS Glue to get tables and metadata.

Collected Metadata

Inventory

The inventory collects the list of tables and views accessible to the user.

Dataset

A dataset can be a table or a view.

Name
Source Description
Technical Data:
- AWS Region
- Database Name
- Location
- Owner
- CreateTime
- UpdateTime
- LastAccessTime
- LastAnalyzeTime
- TableType

Field

Dataset field.

Name
Source Description
Type
Can be null: Depends on field settings.
Multivalued: Depends on field settings.
Primary Key: Not supported. The default value is false.

Object Identification Keys

Each object in the catalog is associated with a unique identifier key. When the object is imported from an external system, the key is generated and provided by the connector.

For more information about identifier keys, see Identification Keys.

Object	Identification Key	Description
Dataset	code/aws region/dataset identifier	- code: Unique identifier of the connection noted in the configuration file - aws region: AWS region code - dataset identifier: Table name Database schema name S3 bucket key
Field	code/aws region/dataset identifier/field name	- code: Unique identifier of the connection noted in the configuration file - aws region: AWS region code - dataset identifier: Database schema name S3 bucket key - field name

Last modified date: 02/02/2026