Setting up cross-account access
To set up cross-account access for EMR Serverless, complete the following steps.
In the example, AccountA is the account where you created your
Amazon EMR Serverless application, and AccountB is the account where your
Amazon DynamoDB is located.
-
Create a DynamoDB table in
AccountB. For more information, see Step 1: Create a table. -
Create a
Cross-Account-Role-BIAM role inAccountBthat can access the DynamoDB table.Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
. -
Choose Roles, and create a new role called
Cross-Account-Role-B. For more information on how to create IAM roles, see Creating IAM roles in the a user Guide. -
Create an IAM policy that grants permissions to access the cross-account DynamoDB table. Then attach the IAM policy to
Cross-Account-Role-B.The following is a policy that grants access to a DynamoDB table
CrossAccountTable. -
Edit the trust relationship for the
Cross-Account-Role-Brole.To configure the trust relationship for the role, choose the Trust Relationships tab in the IAM console for the role that you created in Step 2: Cross-Account-Role-B.
Select Edit Trust Relationship and then add the following policy document. This document allows
Job-Execution-Role-AinAccountAto assume thisCross-Account-Role-Brole. -
Grant
Job-Execution-Role-AinAccountAwith- STS Assume rolepermissions to assumeCross-Account-Role-B.In the IAM console for AWS account
AccountA, selectJob-Execution-Role-A. Add the following policy statement to theJob-Execution-Role-Ato allow theAssumeRoleaction on theCross-Account-Role-Brole. -
Set the
dynamodb.customAWSCredentialsProviderproperty with value ascom.amazonaws.emr.AssumeRoleAWSCredentialsProviderin core-site classification. Set the environment variableASSUME_ROLE_CREDENTIALS_ROLE_ARNwith the ARN value ofCross-Account-Role-B.
-
Run Spark or Hive job using
Job-Execution-Role-A.
