AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for Amazon Elastic MapReduce

Amazon Elastic MapReduce (service prefix: elasticmapreduce) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by Amazon Elastic MapReduce

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see The Actions Table.

| Actions | Description | Access Level | Resource Types (*required) | Condition Keys | Dependent Actions |
|---|---|---|---|---|---|
| AddInstanceFleet | Grants permission to add an instance fleet to a running cluster. | Write | cluster* | | |
| AddInstanceGroups | Grants permission to add instance groups to a running cluster. | Write | cluster* | | |
| AddJobFlowSteps | Grants permission to add new steps to a running cluster. | Write | cluster* | | |
| AddTags | Grants permission to add tags to an Amazon EMR resource. | Tagging | cluster, editor | aws:RequestTag/${TagKey}, aws:TagKeys, elasticmapreduce:RequestTag/${TagKey} | |
| CancelSteps | Grants permission to cancel a pending step or steps in a running cluster. | Write | cluster* | | |
| CreateEditor [permission only] | Grants permission to create an EMR notebook. | Tagging | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys, elasticmapreduce:RequestTag/${TagKey} | |
| CreateSecurityConfiguration | Grants permission to create a security configuration. | Write | | | |
| DeleteEditor [permission only] | Grants permission to delete an EMR notebook. | Write | editor* | | |
| DeleteSecurityConfiguration | Grants permission to delete a security configuration. | Write | | | |
| DescribeCluster | Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on. | Read | cluster* | | |
| DescribeEditor [permission only] | Grants permission to view information about a notebook, including status, user, role, tags, location, and more. | Read | editor* | | |
| DescribeSecurityConfiguration | Grants permission to get details of a security configuration. | Read | | | |
| DescribeStep | Grants permission to get details about a cluster step. | Read | cluster* | | |
| GetBlockPublicAccessConfiguration | Grants permission to retrieve the EMR block public access configuration for the AWS account in the Region. | Read | | | |
| ListBootstrapActions | Grants permission to get details about the bootstrap actions associated with a cluster. | List | cluster* | | |
| ListClusters | Grants permission to get the status of accessible clusters. | List | | | |
| ListEditors [permission only] | Grants permission to list summary information for accessible EMR notebooks. | List | | | |
| ListInstanceFleets | Grants permission to get details of instance fleets in a cluster. | Read | cluster* | | |
| ListInstanceGroups | Grants permission to get details of instance groups in a cluster. | List | cluster* | | |
| ListInstances | Grants permission to get details about the Amazon EC2 instances in a cluster. | List | cluster* | | |
| ListSecurityConfigurations | Grants permission to list available security configurations in this account by name, along with creation dates and times. | List | | | |
| ListSteps | Grants permission to list steps associated with a cluster. | List | cluster* | | |
| ModifyInstanceFleet | Grants permission to change the target On-Demand and target Spot capacities for an instance fleet. | Write | cluster* | | |
| ModifyInstanceGroups | Grants permission to change the number and configuration of EC2 instances for an instance group. | Write | cluster* | | |
| OpenEditorInConsole [permission only] | Grants permission to launch the Jupyter notebook editor for an EMR notebook from within the console. | Write | cluster*, editor* | | |
| PutAutoScalingPolicy | Grants permission to create or update an automatic scaling policy for a core instance group or task instance group. | Write | cluster* | | |
| PutBlockPublicAccessConfiguration | Grants permission to create or update the EMR block public access configuration for the AWS account in the Region. | Permissions management | | | |
| RemoveAutoScalingPolicy | Grants permission to remove an automatic scaling policy from an instance group. | Write | cluster* | | |
| RemoveTags | Grants permission to remove tags from an Amazon EMR resource. | Tagging | cluster, editor | aws:TagKeys | |
| RunJobFlow | Grants permission to create and launch a cluster (job flow). | Tagging | | aws:RequestTag/${TagKey}, aws:TagKeys, elasticmapreduce:RequestTag/${TagKey} | |
| SetTerminationProtection | Grants permission to add and remove termination protection for a cluster. | Write | cluster* | | |
| StartEditor [permission only] | Grants permission to start an EMR notebook. | Write | cluster*, editor* | | |
| StopEditor [permission only] | Grants permission to shut down an EMR notebook. | Write | editor* | | |
| TerminateJobFlows | Grants permission to terminate a cluster (job flow). | Write | cluster* | | |
| ViewEventsFromAllClustersInConsole [permission only] | Grants permission to use the EMR management console to view events from all clusters. | List | | | |

Resources Defined by Amazon Elastic MapReduce

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

| Resource Types | ARN | Condition Keys |
|---|---|---|
| cluster | arn:${Partition}:elasticmapreduce:${Region}:${Account}:cluster/${ClusterId} | aws:ResourceTag/${TagKey}, elasticmapreduce:ResourceTag/${TagKey} |
| editor | arn:${Partition}:elasticmapreduce:${Region}:${Account}:editor/${EditorId} | aws:ResourceTag/${TagKey}, elasticmapreduce:ResourceTag/${TagKey} |
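
The Resource column rule described for the Actions table can be checked mechanically before a policy is deployed. The following linter is an added example, not part of the AWS documentation: it transcribes the Resource Types column from this page and reports every statement whose Resource value the table rules out, whether because the action accepts only "*" or because the ARN is of the wrong type. The sample policy, account ID, and cluster ID are constructed, and wildcard expansion with Python's fnmatch is an approximation of IAM action matching.

```python
import re
from fnmatch import fnmatchcase

# Resource types per action, transcribed from the Actions table on this page.
CLUSTER = set("""AddInstanceFleet AddInstanceGroups AddJobFlowSteps AddTags CancelSteps
    CreateEditor DescribeCluster DescribeStep ListBootstrapActions ListInstanceFleets
    ListInstanceGroups ListInstances ListSteps ModifyInstanceFleet ModifyInstanceGroups
    OpenEditorInConsole PutAutoScalingPolicy RemoveAutoScalingPolicy RemoveTags
    SetTerminationProtection StartEditor TerminateJobFlows""".split())
EDITOR = set("""AddTags DeleteEditor DescribeEditor OpenEditorInConsole RemoveTags
    StartEditor StopEditor""".split())
STAR_ONLY = set("""CreateSecurityConfiguration DeleteSecurityConfiguration
    DescribeSecurityConfiguration GetBlockPublicAccessConfiguration ListClusters
    ListEditors ListSecurityConfigurations PutBlockPublicAccessConfiguration RunJobFlow
    ViewEventsFromAllClustersInConsole""".split())  # no resource type listed
TYPES = {a: {t for t, s in (("cluster", CLUSTER), ("editor", EDITOR)) if a in s}
         for a in CLUSTER | EDITOR | STAR_ONLY}
ARN_RE = re.compile(r"arn:[^:]*:elasticmapreduce:[^:]*:[^:]*:(cluster|editor)/.+")

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint(policy):
    """Return (sid, action, problem) for each Resource value the table rules out."""
    findings = []
    for st in as_list(policy["Statement"]):
        resources = [r for r in as_list(st.get("Resource", [])) if r != "*"]
        for pattern in as_list(st.get("Action", [])):
            prefix, _, name = pattern.lower().partition(":")
            if prefix != "elasticmapreduce":
                continue
            # Expand * and ? wildcards against the actions listed on this page.
            for action in sorted(a for a in TYPES if fnmatchcase(a.lower(), name)):
                for res in resources:
                    arn = ARN_RE.fullmatch(res)
                    if not TYPES[action]:
                        findings.append((st.get("Sid"), action, "needs Resource '*'"))
                    elif arn and arn.group(1) not in TYPES[action]:
                        findings.append((st.get("Sid"), action, f"{arn.group(1)} ARN not accepted"))
    return findings

ARN = "arn:aws:elasticmapreduce:us-east-1:111122223333:cluster/j-EXAMPLE"  # constructed
POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample policy
    {"Sid": "Launch", "Effect": "Allow", "Resource": ARN,
     "Action": ["elasticmapreduce:RunJobFlow", "elasticmapreduce:DescribeCluster"]},
    {"Sid": "Notebook", "Effect": "Allow", "Resource": ARN, "Action": "elasticmapreduce:StopEditor"},
    {"Sid": "Lists", "Effect": "Allow", "Resource": "*", "Action": "elasticmapreduce:List*"},
]}
print(lint(POLICY))
```

The check applies to Deny statements as well as Allow statements, because a Deny scoped to an ARN for an action that accepts only "*" does not restrict that action as intended.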

Condition Keys for Amazon Elastic MapReduce

Amazon Elastic MapReduce defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

| Condition Keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access based on whether the tag and value pair is provided with the action | String |
| aws:ResourceTag/${TagKey} | Filters access based on the tag and value pair associated with an Amazon EMR resource | String |
| aws:TagKeys | Filters access based on whether the tag keys are provided with the action regardless of tag value | String |
| elasticmapreduce:RequestTag/${TagKey} | Filters actions based on whether the tag and value pair is provided with the action | String |
| elasticmapreduce:ResourceTag/${TagKey} | Filters actions based on the tag and value pair associated with an Amazon EMR resource | String |