Actions, resources, and condition keys for Amazon Elastic MapReduce
Amazon Elastic MapReduce (service prefix: elasticmapreduce) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon Elastic MapReduce
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Note
The DescribeJobFlows API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| AddInstanceFleet | Grants permission to add an instance fleet to a running cluster | Write | |||
| AddInstanceGroups | Grants permission to add instance groups to a running cluster | Write | |||
| AddJobFlowSteps | Grants permission to add new steps to a running cluster | Write | |||
| AddTags | Grants permission to add tags to an Amazon EMR resource | Tagging | |||
| AttachEditor [permission only] | Grants permission to attach an EMR notebook to a compute engine | Write | |||
| CancelSteps | Grants permission to cancel a pending step or steps in a running cluster | Write | |||
| CreateEditor [permission only] | Grants permission to create an EMR notebook | Write | |||
| CreatePersistentAppUI | Grants permission to create a persistent application history server | Write | |||
| CreateRepository [permission only] | Grants permission to create an EMR notebook repository | Write | |||
| CreateSecurityConfiguration | Grants permission to create a security configuration | Write | |||
| CreateStudio | Grants permission to create an EMR Studio | Write | |||
| CreateStudioPresignedUrl | Grants permission to launch an EMR Studio using IAM authentication mode | Write | |||
| CreateStudioSessionMapping | Grants permission to create an EMR Studio session mapping | Write | |||
| DeleteEditor [permission only] | Grants permission to delete an EMR notebook | Write | |||
| DeleteRepository [permission only] | Grants permission to delete an EMR notebook repository | Write | |||
| DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | |||
| DeleteStudio | Grants permission to delete an EMR Studio | Write | |||
| DeleteStudioSessionMapping | Grants permission to delete an EMR Studio session mapping | Write | |||
| DeleteWorkspaceAccess [permission only] | Grants permission to block an identity from opening a collaborative workspace | Permissions management | |||
| DescribeCluster | Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on | Read | |||
| DescribeEditor [permission only] | Grants permission to view information about a notebook, including status, user, role, tags, location, and more | Read | |||
| DescribeJobFlows | Grants permission to describe details of clusters (job flows). This API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead | Read | |||
| DescribeNotebookExecution | Grants permission to view information about a notebook execution | Read | |||
| DescribePersistentAppUI | Grants permission to describe a persistent application history server | Read | |||
| DescribeReleaseLabel | Grants permission to view information about an EMR release, such as which applications are supported | Read | |||
| DescribeRepository [permission only] | Grants permission to describe an EMR notebook repository | Read | |||
| DescribeSecurityConfiguration | Grants permission to get details of a security configuration | Read | |||
| DescribeStep | Grants permission to get details about a cluster step | Read | |||
| DescribeStudio | Grants permission to view information about an EMR Studio | Read | |||
| DetachEditor [permission only] | Grants permission to detach an EMR notebook from a compute engine | Write | |||
| GetAutoTerminationPolicy | Grants permission to retrieve the auto-termination policy associated with a cluster | Read | |||
| GetBlockPublicAccessConfiguration | Grants permission to retrieve the EMR block public access configuration for the AWS account in the Region | Read | |||
| GetClusterSessionCredentials | Grants permission to retrieve HTTP basic credentials associated with a given execution IAM Role for a fine-grained access control enabled EMR Cluster | Write | |||
| GetManagedScalingPolicy | Grants permission to retrieve the managed scaling policy associated with a cluster | Read | |||
| GetOnClusterAppUIPresignedURL | Grants permission to get a presigned URL for an application history server running on the cluster | Write | |||
| GetPersistentAppUIPresignedURL | Grants permission to get a presigned URL for a persistent application history server | Write | |||
| GetStudioSessionMapping | Grants permission to view information about an EMR Studio session mapping | Read | |||
| LinkRepository [permission only] | Grants permission to link an EMR notebook repository to EMR notebooks | Write | |||
| ListBootstrapActions | Grants permission to get details about the bootstrap actions associated with a cluster | Read | |||
| ListClusters | Grants permission to get the status of accessible clusters | List | |||
| ListEditors [permission only] | Grants permission to list summary information for accessible EMR notebooks | List | |||
| ListInstanceFleets | Grants permission to get details of instance fleets in a cluster | Read | |||
| ListInstanceGroups | Grants permission to get details of instance groups in a cluster | Read | |||
| ListInstances | Grants permission to get details about the Amazon EC2 instances in a cluster | Read | |||
| ListNotebookExecutions | Grants permission to list summary information for notebook executions | List | |||
| ListReleaseLabels | Grants permission to list and filter the available EMR releases in the current region | List | |||
| ListRepositories [permission only] | Grants permission to list existing EMR notebook repositories | List | |||
| ListSecurityConfigurations | Grants permission to list available security configurations in this account by name, along with creation dates and times | List | |||
| ListSteps | Grants permission to list steps associated with a cluster | Read | |||
| ListStudioSessionMappings | Grants permission to list summary information about EMR Studio session mappings | List | |||
| ListStudios | Grants permission to list summary information about EMR Studios | List | |||
| ListSupportedInstanceTypes | Grants permission to list the Amazon EC2 instance types that an Amazon EMR release supports | List | |||
| ListWorkspaceAccessIdentities [permission only] | Grants permission to list identities that are granted access to a workspace | List | |||
| ModifyCluster | Grants permission to change cluster settings such as number of steps that can be executed concurrently for a cluster | Write | |||
| ModifyInstanceFleet | Grants permission to change the target On-Demand and target Spot capacities for a instance fleet | Write | |||
| ModifyInstanceGroups | Grants permission to change the number and configuration of EC2 instances for an instance group | Write | |||
| OpenEditorInConsole [permission only] | Grants permission to launch the Jupyter notebook editor for an EMR notebook from within the console | Write | |||
| PutAutoScalingPolicy | Grants permission to create or update an automatic scaling policy for a core instance group or task instance group | Write | |||
| PutAutoTerminationPolicy | Grants permission to create or update the auto-termination policy associated with a cluster | Write | |||
| PutBlockPublicAccessConfiguration | Grants permission to create or update the EMR block public access configuration for the AWS account in the Region | Permissions management | |||
| PutManagedScalingPolicy | Grants permission to create or update the managed scaling policy associated with a cluster | Write | |||
| PutWorkspaceAccess [permission only] | Grants permission to allow an identity to open a collaborative workspace | Permissions management | |||
| RemoveAutoScalingPolicy | Grants permission to remove an automatic scaling policy from an instance group | Write | |||
| RemoveAutoTerminationPolicy | Grants permission to remove the auto-termination policy associated with a cluster | Write | |||
| RemoveManagedScalingPolicy | Grants permission to remove the managed scaling policy associated with a cluster | Write | |||
| RemoveTags | Grants permission to remove tags from an Amazon EMR resource | Tagging | |||
| RunJobFlow | Grants permission to create and launch a cluster (job flow) | Write |
iam:PassRole |
||
| SetKeepJobFlowAliveWhenNoSteps | Grants permission to add and remove auto terminate after step execution for a cluster | Write | |||
| SetTerminationProtection | Grants permission to add and remove termination protection for a cluster | Write | |||
| SetUnhealthyNodeReplacement | Grants permission to enable or disable unhealthy node replacement for a cluster | Write | |||
| SetVisibleToAllUsers | Grants permission to set whether all AWS Identity and Access Management (IAM) users in the AWS account can view a cluster. This API is deprecated and your cluster may be visible to all users in your account. To restrict cluster access using an IAM policy, see AWS Identity and Access Management for Amazon EMR (https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-iam.html) | Write | |||
| StartEditor [permission only] | Grants permission to start an EMR notebook | Write | |||
| StartNotebookExecution | Grants permission to start an EMR notebook execution | Write | |||
| StopEditor [permission only] | Grants permission to shut down an EMR notebook | Write | |||
| StopNotebookExecution | Grants permission to stop notebook execution | Write | |||
| TerminateJobFlows | Grants permission to terminate a cluster (job flow) | Write | |||
| UnlinkRepository [permission only] | Grants permission to unlink an EMR notebook repository from EMR notebooks | Write | |||
| UpdateEditor [permission only] | Grants permission to update an EMR notebook | Write | |||
| UpdateRepository [permission only] | Grants permission to update an EMR notebook repository | Write | |||
| UpdateStudio | Grants permission to update information about an EMR Studio | Write | |||
| UpdateStudioSessionMapping | Grants permission to update an EMR Studio session mapping | Write | |||
| ViewEventsFromAllClustersInConsole [permission only] | Grants permission to use the EMR console to view events from all clusters | List |
Resource types defined by Amazon Elastic MapReduce
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| cluster |
arn:${Partition}:elasticmapreduce:${Region}:${Account}:cluster/${ClusterId}
|
|
| editor |
arn:${Partition}:elasticmapreduce:${Region}:${Account}:editor/${EditorId}
|
|
| notebook-execution |
arn:${Partition}:elasticmapreduce:${Region}:${Account}:notebook-execution/${NotebookExecutionId}
|
|
| studio |
arn:${Partition}:elasticmapreduce:${Region}:${Account}:studio/${StudioId}
|
Condition keys for Amazon Elastic MapReduce
Amazon Elastic MapReduce defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by whether the tag and value pair is provided with the action | String |
| aws:ResourceTag/${TagKey} | Filters access by the tag and value pair associated with an Amazon EMR resource | String |
| aws:TagKeys | Filters access by whether the tag keys are provided with the action regardless of tag value | ArrayOfString |
| elasticmapreduce:ExecutionRoleArn | Filters access by whether the execution role ARN is provided with the action | ARN |
| elasticmapreduce:RequestTag/${TagKey} | Filters access by whether the tag and value pair is provided with the action | String |
| elasticmapreduce:ResourceTag/${TagKey} | Filters access by the tag and value pair associated with an Amazon EMR resource | String |
