Amazon Elastic MapReduce (Amazon EMR) supports AWS Identity and Access Management (IAM) policies. IAM is a web service that enables AWS customers to manage users and user permissions. For more information on IAM, go to Using IAM in the Using AWS Identity and Access Management guide.
AWS Identity and Access Management (IAM) enables you to create users under your Amazon Web Services (AWS) account. You can define policies that limit the actions those users can take with your AWS resources. For example, you can choose to give an IAM user the ability to view, but not to create or terminate, Amazon Simple Storage Service (Amazon S3) buckets in your AWS account. IAM is available at no charge to all AWS account holders; you do not need to sign up for IAM. You can use IAM through the Amazon EMR console, the Amazon EMR CLI, and programmatically through the Amazon EMR API and the AWS SDKs.
By default, if an IAM user launches a cluster, that cluster is hidden from other IAM users on the AWS account. For example, if an IAM user uses the CLI to run the --list command, the CLI will only list hidden clusters launched by that IAM user, not hidden clusters launched by other IAM users on the AWS account. This filtering occurs on all Amazon EMR interfaces—the console, CLI, API, and SDKs—and prevents IAM users from accessing and inadvertently changing clusters created by other IAM users. It is useful for clusters that are intended to be viewed by only a single IAM user and the main AWS account.
Note
This filtering does not prevent IAM users from viewing the underlying resources of the cluster, such as EC2 instances, by using AWS interfaces outside of Amazon EMR.
You also have the option to make a cluster visible and accessible to all IAM users under a single AWS account. This visibility can be set when you launch the cluster, or it can be added to a cluster that is already running.
Using this feature, you can make it possible for all IAM users on your account to access the cluster and, by configuring the policies of the IAM groups they belong to, control how those users interact with the cluster. For example, Devlin, a developer, belongs to a group that has an IAM policy that grants full access to all Amazon EMR functionality. He could launch a cluster that is visible to all other IAM users on his company's AWS account. A second IAM user, Ann, a data analyst with the same company, could then run queries on that cluster. Because Ann does not launch or terminate clusters, the IAM policy for the group she is in would only contain the permissions necessary for her to run her queries.
To make a cluster visible to all IAM users using the Amazon EMR console
On the ADVANCED OPTIONS pane of the Create Job Flow Wizard, select the Visible to All IAM Users checkbox. Using the console, IAM user visibility can only be set when the cluster is created. To add IAM user visibility to a running cluster, use the Amazon EMR CLI or the Amazon EMR API, as described in the following procedures.

To make a cluster visible to all IAM users using the Amazon EMR CLI
If you are adding IAM user visibility to a new cluster, add the --visible-to-all-users flag to the cluster call as shown in the following example.
In the directory where you installed the Amazon EMR CLI, run the following from the command line. For more information, see the Command Line Interface Reference for Amazon EMR.
Linux, UNIX, and Mac OS X users:
./elastic-mapreduce --create --alive \
--instance-type m1.xlarge --num-instances 2 \
--visible-to-all-users
Windows users:
ruby elastic-mapreduce --create --alive --instance-type m1.xlarge --num-instances 2 --visible-to-all-users
If you are adding IAM user visibility to an existing cluster, you can use the --set-visible-to-all-users option of the Amazon EMR CLI and specify the identifier of the cluster to modify. This is shown in the following example, where job-flow-identifier would be replaced by the cluster identifier of your cluster. The visibility of a running cluster can be changed only by the IAM user that created the cluster or the AWS account that owns the cluster.
In the directory where you installed the Amazon EMR CLI, run the following from the command line. For more information, see the Command Line Interface Reference for Amazon EMR.
Linux, UNIX, and Mac OS X users:
./elastic-mapreduce --set-visible-to-all-users true --jobflow job-flow-identifier
Windows users:
ruby elastic-mapreduce --set-visible-to-all-users true --jobflow job-flow-identifier
The Amazon EMR CLI is available for download at Amazon Elastic MapReduce Ruby Client.
To make a cluster visible to all IAM users using the Amazon EMR API
If you are adding IAM user visibility to a new cluster, call RunJobFlow and set VisibleToAllUsers=true, as shown in the following example.
https://elasticmapreduce.amazonaws.com?Operation=RunJobFlow
&Name=MyJobFlowName
&VisibleToAllUsers=true
&LogUri=s3n%3A%2F%2Fmybucket%2Fsubdir
&Instances.MasterInstanceType=m1.small
&Instances.SlaveInstanceType=m1.small
&Instances.InstanceCount=4
&Instances.Ec2KeyName=myec2keyname
&Instances.Placement.AvailabilityZone=us-east-1a
&Instances.KeepJobFlowAliveWhenNoSteps=true
&Instances.TerminationProtected=true
&Steps.member.1.Name=MyStepName
&Steps.member.1.ActionOnFailure=CONTINUE
&Steps.member.1.HadoopJarStep.Jar=MyJarFile
&Steps.member.1.HadoopJarStep.MainClass=MyMainClass
&Steps.member.1.HadoopJarStep.Args.member.1=arg1
&Steps.member.1.HadoopJarStep.Args.member.2=arg2
&AuthParams
If you are adding IAM user visibility to an existing cluster, call SetVisibleToAllUsers and set VisibleToAllUsers to true, as shown in the following example. The visibility of a running cluster can be changed only by the IAM user that created the cluster or the AWS account that owns the cluster.
https://elasticmapreduce.amazonaws.com?Operation=SetVisibleToAllUsers
&VisibleToAllUsers=true
&JobFlowIds.member.1=j-3UN6WX5RRO2AG
&AuthParams
This section shows several sample policies for controlling user access to Amazon EMR. For information about attaching policies to users, go to Managing IAM Policies in the Using AWS Identity and Access Management Guide.
Example 1: Deny a group use of Amazon EMR
The following policy denies permission to call any Amazon EMR API action.
{
"Statement":[{
"Action":["elasticmapreduce:*"],
"Effect":"Deny",
"Resource":"*"
}]
}
Example 2: Allow full access to Amazon EMR
The following policy gives permissions for all actions required to use Amazon EMR. This policy includes actions for Amazon EC2, Amazon S3, Amazon CloudWatch, and Amazon SimpleDB, as well as for all Amazon EMR actions. Amazon EMR relies on these additional services to perform such actions as launching instances, writing log files, or managing Hadoop jobs and tasks.
Note
In the following policy, access to Amazon S3 is limited to the buckets matching the pattern *elasticmapreduce/*, which includes buckets that store resources such as Amazon EMR sample applications and bootstrap actions. If you want IAM users to access other Amazon S3 buckets, such as buckets that contain data to load into a cluster, those buckets must be explicitly added to the list of resources.
Access to Amazon SimpleDB in the following policy is limited to the resources used by Amazon EMR for debugging.
{
"Statement": [
{
"Action": [
"elasticmapreduce:*",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CancelSpotInstanceRequests",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"ec2:TerminateInstances",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData"
],
"Effect": "Allow",
"Resource": ["*"]
},
{
"Action": [
"s3:GetObject",
"s3:ListBucket",
"sdb:CreateDomain",
"sdb:Select",
"sdb:GetAttributes",
"sdb:PutAttributes",
"sdb:BatchPutAttributes"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*elasticmapreduce/*",
"arn:aws:sdb:*:*:*ElasticMapReduce*/*"
]
}
]
}
Note
The ec2:TerminateInstances action enables the IAM user to terminate any of the EC2 instances associated with the IAM account, even those that are not part of an Amazon EMR cluster.
Example 3: Allow requests from a certain IP address or range
The following policy denies any traffic using the AWS account that does not come from the named IP address ranges.
{
"Statement":[{
"Effect":"Deny",
"Action":"*",
"Resource":"*",
"Condition":{
"NotIpAddress":{
"aws:SourceIp":["10.1.2.0/24","10.1.3.0/24"]
}
}
}]
}
This policy uses the AWS-wide key called aws:SourceIp to specify the range of valid IP addresses. For information about AWS-wide policy keys, go to Element Descriptions in the Using AWS Identity and Access Management Guide.
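To make the effect of Examples 1 through 3 concrete, the following added example (written for this page, not AWS code and not the IAM evaluation engine) is a small Python evaluator that models only the behaviour those three policies exercise: an explicit Deny always wins, anything not allowed is implicitly denied, "*" wildcards in Action and Resource, and the NotIpAddress operator on aws:SourceIp. The three policies are the ones from this page; the request values (a sample S3 key, an EC2 instance ARN, the client IP addresses) are constructed for the illustration, and the evaluator assumes aws:SourceIp is always supplied when a policy conditions on it. It also shows the Note above about ec2:TerminateInstances: with Resource "*", any instance ARN matches.

```python
"""Miniature IAM-style policy evaluator (added illustration, not AWS code).

Models only what the sample policies on this page need: explicit Deny beats
Allow, default is implicit deny, "*" wildcards in Action and Resource, and
the NotIpAddress condition operator on the aws:SourceIp key.
"""
import fnmatch
import ipaddress

# Example 1 from the page: deny every Amazon EMR action.
POLICY_DENY_EMR = {"Statement": [
    {"Action": ["elasticmapreduce:*"], "Effect": "Deny", "Resource": "*"}]}

# Example 2 from the page (abbreviated to the actions used below).
POLICY_FULL_EMR = {"Statement": [
    {"Action": ["elasticmapreduce:*", "ec2:RunInstances",
                "ec2:TerminateInstances", "cloudwatch:PutMetricData"],
     "Effect": "Allow", "Resource": ["*"]},
    {"Action": ["s3:GetObject", "s3:ListBucket", "sdb:Select"],
     "Effect": "Allow",
     "Resource": ["arn:aws:s3:::*elasticmapreduce/*",
                  "arn:aws:sdb:*:*:*ElasticMapReduce*/*"]}]}

# Example 3 from the page: deny everything not from the named ranges.
POLICY_SOURCE_IP = {"Statement": [
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {
         "aws:SourceIp": ["10.1.2.0/24", "10.1.3.0/24"]}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # "*" matches any run of characters, "?" one character, like IAM.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, keys in condition.items():
        for key, ranges in keys.items():
            # Assumption for this toy: the context always carries the key.
            ip = ipaddress.ip_address(context[key])
            in_any = any(ip in ipaddress.ip_network(r, strict=False)
                         for r in _as_list(ranges))
            if operator == "IpAddress" and not in_any:
                return False
            if operator == "NotIpAddress" and in_any:
                return False
            if operator not in ("IpAddress", "NotIpAddress"):
                raise ValueError("unsupported operator: " + operator)
    return True


def _statement_applies(stmt, action, resource, context):
    # Actions are compared case-insensitively; ARNs are compared as given.
    if not any(_matches(a.lower(), action.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return "Deny", "Allow" or "ImplicitDeny" for one request.

    policies is the list of policy documents attached to the caller; an
    explicit Deny in any of them ends evaluation immediately.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    # Constructed sample requests; the instance id and S3 keys are made up.
    print(evaluate([POLICY_DENY_EMR], "elasticmapreduce:RunJobFlow", "*"))
    print(evaluate([POLICY_FULL_EMR], "s3:GetObject",
                   "arn:aws:s3:::mydata/input.csv"))
    print(evaluate([POLICY_FULL_EMR, POLICY_SOURCE_IP],
                   "elasticmapreduce:DescribeJobFlows", "*",
                   {"aws:SourceIp": "192.0.2.10"}))
```

The second call is the case the Note under Example 2 warns about: an S3 bucket outside the *elasticmapreduce/* pattern is never matched by an Allow, so the request falls through to implicit deny, and the bucket must be added to the Resource list before it can be read.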
Related Topics
How to Write a Policy (Using AWS Identity and Access Management Guide)