Configure IAM Service Roles for Amazon EMR Permissions to AWS Services and Resources - Amazon EMR

Configure IAM Service Roles for Amazon EMR Permissions to AWS Services and Resources

Amazon EMR and applications such as Hadoop and Spark need permissions to access other AWS resources and perform actions when they run. Each cluster in Amazon EMR must have a service role and a role for the Amazon EC2 instance profile. For more information, see IAM Roles and Using Instance Profiles in the IAM User Guide. The IAM policies attached to these roles provide permissions for the cluster to interoperate with other AWS services on behalf of a user.

An additional role, the Auto Scaling role, is required if your cluster uses automatic scaling in Amazon EMR. The AWS service role for EMR Notebooks is required if you use EMR Notebooks.

Amazon EMR provides default roles and default managed policies that determine permissions for each role. Managed policies are created and maintained by AWS, so they are updated automatically if service requirements change. See AWS Managed Policies in the IAM User Guide.

If you are creating a cluster or notebook for the first time in an account, roles for Amazon EMR do not yet exist. After you create them, you can view the roles, the policies attached to them, and the permissions allowed or denied by the policies in the IAM console (https://console.aws.amazon.com/iam/). You can specify default roles for Amazon EMR to create and use, you can create your own roles and specify them individually when you create a cluster to customize permissions, and you can specify default roles to be used when you create a cluster using the AWS CLI. For more information, see Customize IAM Roles.

Modifying Identity-Based Policies for Permissions to Pass Service Roles for Amazon EMR

The Amazon EMR full permissions default managed policy (AmazonEMRFullAccessPolicy_v2) and Amazon EMR service policy (AmazonEMRServicePolicy_v2) are available to replace the soon-to-be-deprecated policy. The v2 policies incorporate new iam:PassRole security configurations, including the following:

  • iam:PassRole permissions only for specific default Amazon EMR roles.

  • iam:PassedToService conditions that allow you to use the policy with only specified AWS services, such as elasticmapreduce.amazonaws.com and ec2.amazonaws.com.

You can view the JSON version of the AmazonEMRFullAccessPolicy_v2 and AmazonEMRServicePolicy_v2 policies in the IAM console.

We recommend that you create new clusters using v2 managed policies.

Service Role Summary

The following table lists the IAM service roles associated with Amazon EMR for quick reference.

Function Default Role Description Default Managed Policy

Service Role for Amazon EMR (EMR Role)

EMR_DefaultRole

Allows Amazon EMR to call other AWS services on your behalf when provisioning resources and performing service-level actions. This role is required for all clusters.

AmazonElasticMapReduceRole

Important

Requesting Spot Instances requires a service-linked role. If this role doesn't exist, the EMR role must have permissions to create it or a permission error occurs. The managed policy includes a statement to allow this action. If you customize this role or policy, be sure to include a statement that allows the creation of this service-linked role. For more information, see Service Role for Amazon EMR (EMR Role) and Service-Linked Role for Spot Instance Requests in the Amazon EC2 User Guide for Linux Instances.

Service Role for Cluster EC2 Instances (EC2 Instance Profile)

EMR_EC2_DefaultRole

Application processes that run on top of the Hadoop ecosystem on cluster instances use this role when they call other AWS services. For accessing data in Amazon S3 using EMRFS, you can specify different roles to be assumed based on the location of data in Amazon S3. For example, multiple teams can access a single Amazon S3 data "storage account." For more information, see Configure IAM Roles for EMRFS Requests to Amazon S3. This role is required for all clusters.

AmazonElasticMapReduceforEC2Role. For more information, see Service Role for Cluster EC2 Instances (EC2 Instance Profile).

Service Role for Automatic Scaling in EMR (Auto Scaling Role)

EMR_AutoScaling_DefaultRole

Allows additional actions for dynamically scaling environments. Required only for clusters that use automatic scaling in Amazon EMR. For more information, see Using Automatic Scaling with a Custom Policy for Instance Groups .

AmazonElasticMapReduceforAutoScalingRole. For more information, see Service Role for Automatic Scaling in EMR (Auto Scaling Role).

Service Role for EMR Notebooks

EMR_Notebooks_DefaultRole

Provides permissions that an EMR notebook needs to access other AWS resources and perform actions. Required only if EMR Notebooks is used.

AmazonElasticMapReduceEditorsRole. For more information, see Service Role for EMR Notebooks.

S3FullAccessPolicy is also attached by default. Following is the contents of this policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }

Service-Linked Role

AWSServiceRoleForEMRCleanup

Amazon EMR automatically creates a service-linked role. If the service for Amazon EMR has lost the ability to clean up Amazon EC2 resources, Amazon EMR can use this role to clean up. If a cluster uses Spot Instances, the permissions policy attached to the Service Role for Amazon EMR (EMR Role) must allow the creation of a service-linked role. For more information, see Service-Linked Role Permissions for Amazon EMR.

AmazonEMRCleanupPolicy