Amazon EMR
Management Guide

Configuring IAM Roles for Amazon EMR and Applications

Amazon EMR and applications such as Hadoop need permission to access other AWS resources when running jobs on behalf of users. Two IAM roles, a service role and an Amazon EC2 instance profile, are required to grant those permissions. In most cases, default policies are adequate, but you can modify the policies to tailor access to specific requirements. A user must specify the service role and Amazon EC2 instance profile in the cluster definition when a cluster is created. The permissions determine which AWS resources a service can access, and what the service is allowed to do with those resources. The permissions granted to the service role and Amazon EC2 instance profile are separate from the permissions granted to the IAM user so that an AWS administrator can manage them separately and tailor a permissions policy that closely fits the usage patterns of the cluster.

The service role defines the allowable actions for Amazon EMR based on granted permissions. When the user accesses the cluster, Amazon EMR assumes this IAM role, gets the permissions of the assumed role, and then tries to execute requests with those permissions. A similar process occurs for applications using the Amazon EC2 instance profile, which determines permissions for applications that run on EC2 instances. For example, when Hive, an application on the cluster, needs to write output to an Amazon S3 bucket, the Amazon EC2 instance profile determines whether Hive has permissions to do that.

An Amazon EMR service role and an Amazon EC2 instance profile are required for all clusters in all regions. For more information about service and Amazon EC2 roles, see Use Cases: Roles for Users, Applications, and Services and Use roles for applications that run on Amazon EC2 instances in the IAM User Guide.
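The two roles described above differ in who may assume them (the EMR service versus the EC2 instances the cluster runs on) and in what each is then permitted to do. The following Python is an added illustration, not code from the Amazon EMR guide: it builds the trust policy for each role, builds a least-privilege permission policy for the instance profile that lets Hive write its output under one prefix of one bucket (the Hive-to-S3 case from the text), and runs a simplified IAM-style evaluator over that policy to show which requests it would allow. The bucket name `example-hive-output`, the prefix `warehouse` and the evaluator itself are constructed for this example; the service principals and the policy document format are standard IAM values.

```python
"""Added example: trust policies for the EMR service role and EC2 instance
profile role, a scoped S3 permission policy for Hive output, and a small
evaluator that shows what the permission policy allows.

The evaluator supports Effect/Action/Resource wildcards and the StringEquals
and StringLike condition operators only; it is an illustration of the
"explicit Deny wins, then Allow, else implicit Deny" rule, not a full IAM
policy engine (no NotAction/NotResource, no policy combination)."""
import fnmatch
import json
from typing import Optional

# AWS service principals that are trusted to assume each role.
EMR_SERVICE_PRINCIPAL = "elasticmapreduce.amazonaws.com"  # assumed by Amazon EMR
EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"               # assumed via the instance profile


def trust_policy(service_principal: str) -> dict:
    """Assume-role (trust) policy: only the named AWS service may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def hive_output_policy(bucket: str, prefix: str) -> dict:
    """Permission policy for the EC2 instance profile role: list the bucket only
    under the output prefix, and read/write/delete objects under that prefix.
    Bucket and prefix are constructed sample values."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOutputPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ReadWriteOutputObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def _match(patterns, value: str, case_sensitive: bool) -> bool:
    """IAM-style wildcard match ('*' and '?') against one pattern or a list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if not case_sensitive:  # action names are matched case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate StringEquals / StringLike conditions against request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # condition key absent from the request: not satisfied
            expected_list = expected if isinstance(expected, list) else [expected]
            if operator == "StringEquals" and actual not in expected_list:
                return False
            if operator == "StringLike" and not _match(expected_list, actual, True):
                return False
            if operator not in ("StringEquals", "StringLike"):
                return False  # unsupported operator in this illustration
    return True


def is_allowed(policy: dict, action: str, resource: str,
               context: Optional[dict] = None) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants; default is Deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _match(stmt["Action"], action, case_sensitive=False):
            continue
        if not _match(stmt["Resource"], resource, case_sensitive=True):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Documents as you would hand them to `aws iam create-role` / `put-role-policy`.
    print(json.dumps(trust_policy(EMR_SERVICE_PRINCIPAL), indent=2))
    print(json.dumps(trust_policy(EC2_SERVICE_PRINCIPAL), indent=2))
    policy = hive_output_policy("example-hive-output", "warehouse")
    print(json.dumps(policy, indent=2))
    print(is_allowed(policy, "s3:PutObject", "arn:aws:s3:::example-hive-output/warehouse/part-0"))
    print(is_allowed(policy, "s3:PutObject", "arn:aws:s3:::other-bucket/warehouse/part-0"))
```

Once the documents are written to files, the same shapes plug into the standard CLI flow: `aws iam create-role --assume-role-policy-document file://...` for each role, `aws iam put-role-policy` for the permission policy, `aws iam create-instance-profile` plus `aws iam add-role-to-instance-profile` for the EC2 role, and then `aws emr create-cluster --service-role <name> --ec2-attributes InstanceProfile=<name>` to name both in the cluster definition as the text requires. The checks in the `__main__` section show the intended outcome of scoping the instance profile: Hive can write under its output prefix, and a request for any other bucket falls through to the implicit deny.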
The user who sets up the roles for use with Amazon EMR should be an IAM user with administrative permissions. We recommend that all administrators use AWS MFA (multi-factor authentication).