Amazon EMR
Management Guide

Use IAM Roles with Applications That Call AWS Services Directly

Applications running on the EC2 instances of a cluster can use the instance profile to obtain temporary security credentials when calling AWS services.

The version of Hadoop available on AMI 2.3.0 and later has already been updated to make use of IAM roles. If your application runs strictly on top of the Hadoop architecture, and does not directly call any service in AWS, it should work with IAM roles with no modification.

If your application calls services in AWS directly, you need to update it to take advantage of IAM roles. This means that instead of obtaining account credentials from /etc/hadoop/conf/core-site.xml on the EC2 instances in the cluster, your application now uses an SDK to access the resources using IAM roles, or calls the EC2 instance metadata to obtain the temporary credentials.

To access AWS resources with IAM roles using an SDK

To obtain temporary credentials from EC2 instance metadata

  • Call the following URL from an EC2 instance that is running with the specified IAM role, which returns the associated temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken, and Expiration). The example that follows uses the default instance profile for Amazon EMR, EMR_EC2_DefaultRole.


For more information about writing applications that use IAM roles, see Granting Applications that Run on Amazon EC2 Instances Access to AWS Resources.

For more information about temporary security credentials, see Using Temporary Security Credentials in the Using Temporary Security Credentials guide.