Create a job execution role
To run workloads on Amazon EMR on EKS, you need to create an IAM role. We refer to this role as the job execution role in this documentation. For more information about how to create IAM roles, see Creating IAM roles in the IAM User Guide.
You must also create an IAM policy that specifies the permissions for the job execution role and then attach the IAM policy to the job execution role.
The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the AWS CLI, you can also set up your role using the steps in the Create IAM Role for job execution
Note
Access should be appropriately scoped, not granted to all S3 objects in the job execution role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents",
        "logs:CreateLogStream",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    }
  ]
}
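One way to check a job execution policy for the scoping problems the note warns about, as an added example that is not part of the AWS documentation. It runs over two constructed policies; the function name audit_policy, the logs/ prefix, the account ID 111122223333, the Region and the log group name are assumptions made for illustration.

```python
# s3:ListBucket targets a bucket ARN; GetObject/PutObject target object ARNs.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement_index, message) findings for scoping problems."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt.get("Action", [])))
        resources = as_list(stmt.get("Resource", []))
        for res in resources:
            # Sixth ARN field is the resource part; a bare "*" there is unscoped.
            if res.split(":", 5)[-1] == "*":
                findings.append((i, f"unscoped resource {res}"))
        s3 = [r for r in resources if r.startswith("arn:aws:s3:::")]
        wildcard = "*" in resources
        bucket_ok = wildcard or any("/" not in r for r in s3)
        object_ok = wildcard or any("/" in r or r.endswith("*") for r in s3)
        for act in sorted(actions & OBJECT_ACTIONS):
            if not object_ok:
                findings.append((i, f"{act} has no object ARN (bucket/key)"))
        for act in sorted(actions & BUCKET_ACTIONS):
            if not bucket_ok:
                findings.append((i, f"{act} has no bucket ARN"))
    return findings

# Constructed sample: object actions on a bare bucket ARN, wildcard log resource.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
     "Resource": ["arn:aws:logs:*:*:*"]}]}

# Constructed sample: same actions, scoped to one prefix and one log group.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/logs/*"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/emr-on-eks/demo:*"}]}

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit_policy(doc) or "no findings")
```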
For more information, see Using job execution roles, Configure a job run to use S3 logs, and Configure a job run to use CloudWatch Logs.