AWS Identity and Access Management (IAM) roles provide a way to delegate access so that IAM users or AWS services have the specified permissions and can act on your AWS resources. Amazon EMR lets you specify two IAM roles for a cluster: a role for the Amazon EMR service (service role), and a role for the EC2 instances (instance profile) that Amazon EMR manages.
The service role defines the allowable actions for Amazon EMR based on the granted permissions. A user can specify the service role when a cluster is created. When the user accesses the cluster, Amazon EMR assumes the IAM role specified in the cluster definition, obtains the permissions of the assumed role, and then tries to execute requests using those permissions. The permissions determine which AWS resources a service can access, and what the service is allowed to do with those resources. Service role permissions are independent of the permissions granted to the IAM user who called the service, and they can therefore be managed separately by an AWS administrator.
The user who sets up the roles for use with Amazon EMR should be an IAM user with administrative permissions. We recommend that all administrators use AWS MFA (multi-factor authentication).
The EC2 instance profile determines the permissions for applications that run on EC2 instances. For example, when Hive, an application on the cluster, needs to write output to an Amazon S3 bucket, the instance profile determines whether Hive has permissions to write to Amazon S3.
Using IAM roles with Amazon EMR allows a user to tailor a permissions policy that closely fits the usage patterns of the cluster. For more information about instance profiles, see Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources in the Using IAM guide.
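As an added example (not taken from the Amazon EMR documentation), the snippet below builds the two policy documents the text describes and checks what they permit: a trust policy for each role, naming the service principal allowed to assume it (the EMR service for the service role, EC2 for the instance profile), and a permissions policy for the instance profile that lets an application such as Hive list, read and write one output bucket and nothing else. The bucket name, account id and role names are constructed placeholders, and `is_allowed` is a deliberately simplified evaluator (explicit Deny wins, otherwise a matching Allow grants, otherwise implicit deny; conditions, NotAction/NotResource and resource policies are ignored), not the real IAM policy engine.

```python
import fnmatch
import json

# Real service principals used in EMR role trust policies.
EMR_SERVICE_PRINCIPAL = "elasticmapreduce.amazonaws.com"  # assumed by the EMR service role
EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"               # assumed by the EC2 instance profile role

# Constructed sample values for illustration only (not from the page).
OUTPUT_BUCKET = "example-hive-output"
SERVICE_ROLE_NAME = "ExampleEMRServiceRole"       # hypothetical role name
INSTANCE_ROLE_NAME = "ExampleEMRInstanceRole"     # hypothetical role name


def trust_policy(service_principal):
    """Trust (assume-role) policy: only the named AWS service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def instance_profile_policy(bucket):
    """Permissions policy for the EC2 instance profile, scoped to one output bucket.
    Applications on the cluster (e.g. Hive) can list the bucket and read/write
    objects in it; any other bucket or action is implicitly denied."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOutputBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ReadWriteOutputObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') of a value against one or more patterns."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny wins, a matching
    Allow grants, and everything else is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    print(f"{SERVICE_ROLE_NAME} trust policy:")
    print(json.dumps(trust_policy(EMR_SERVICE_PRINCIPAL), indent=2))
    print(f"{INSTANCE_ROLE_NAME} trust policy:")
    print(json.dumps(trust_policy(EC2_SERVICE_PRINCIPAL), indent=2))
    pol = instance_profile_policy(OUTPUT_BUCKET)
    print(json.dumps(pol, indent=2))
    for action, res in [
        ("s3:PutObject", f"arn:aws:s3:::{OUTPUT_BUCKET}/warehouse/part-0000"),
        ("s3:PutObject", "arn:aws:s3:::some-other-bucket/part-0000"),
        ("s3:DeleteObject", f"arn:aws:s3:::{OUTPUT_BUCKET}/warehouse/part-0000"),
    ]:
        print(f"{action} on {res}: {'allowed' if is_allowed(pol, action, res) else 'denied'}")
```

The point of keeping the instance profile policy this narrow is the one made in the text: the permissions Hive runs with come from the instance profile, not from the user who launched the cluster, so the resource list in that policy is what bounds what a compromised or misbehaving cluster application can reach in S3.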