Create a job execution role - Amazon EMR

Create a job execution role

To run workloads on Amazon EMR on EKS, you need to create an IAM role. We refer to this role as the job execution role in this documentation. For more information about how to create IAM roles, see Creating IAM roles in the IAM User Guide.

You must also create an IAM policy that specifies the permissions for the job execution role and then attach the IAM policy to the job execution role.

The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the AWS CLI, you can also set up your role using the steps in the Create IAM Role for job execution section of the Amazon EMR on EKS Workshop.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

For more information, see Using job execution roles, Configure a job run to use S3 logs, and Configure a job run to use CloudWatch Logs.
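
The policy above grants its S3 actions on "Resource": "*" and its CloudWatch Logs actions on every log resource in every Region and account. The following added example (not part of the original AWS documentation) lists the statements with unscoped resources and rewrites the S3 statement for a single bucket. The function names and the bucket name EXAMPLE-BUCKET are hypothetical placeholders.

```python
import copy

# Policy from this page, embedded so the check runs offline.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogStream",
                    "logs:DescribeLogGroups", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:*"]},
    ],
}

def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def unscoped_resources(policy):
    """Return (statement index, resource) for each Allow statement whose
    Resource is "*" or an ARN whose resource part is just "*"."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for res in as_list(stmt.get("Resource", [])):
            # ARN layout: arn:partition:service:region:account:resource
            if res.split(":", 5)[-1] == "*":
                findings.append((i, res))
    return findings

def scope_s3(policy, bucket):
    """Return a copy in which S3 statements on "*" are limited to one bucket.
    Covers only the three S3 actions used on this page."""
    scoped = copy.deepcopy(policy)
    out = []
    for stmt in scoped["Statement"]:
        actions = as_list(stmt["Action"])
        if stmt.get("Resource") != "*" or not all(a.startswith("s3:") for a in actions):
            out.append(stmt)
            continue
        # s3:ListBucket is evaluated against the bucket ARN, Get/PutObject against object ARNs.
        for acts, arn in (([a for a in actions if a == "s3:ListBucket"], f"arn:aws:s3:::{bucket}"),
                          ([a for a in actions if a != "s3:ListBucket"], f"arn:aws:s3:::{bucket}/*")):
            if acts:
                out.append({"Effect": stmt["Effect"], "Action": acts, "Resource": arn})
    scoped["Statement"] = out
    return scoped
```

Calling unscoped_resources(scope_s3(PAGE_POLICY, "EXAMPLE-BUCKET")) leaves only the CloudWatch Logs statement flagged, which can be narrowed in the same way once the log group for the job is known.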