Amazon EMR
Management Guide

Configure IAM Roles and the Amazon EC2 Instance Profile to Access Other AWS Services

Amazon EMR and applications such as Hadoop need permission to access other AWS resources and perform actions when running jobs on behalf of users. Two IAM roles, a service role and an Amazon EC2 instance profile, are required to grant those permissions. In most cases, default policies are adequate, but you can modify the roles and their policies to tailor access to specific requirements.

When you create a cluster, you specify the service role and Amazon EC2 instance profile in the cluster. The permissions granted to the service role and Amazon EC2 instance profile are separate from the permissions granted to the IAM user so that an AWS administrator can manage them separately and tailor a permissions policy that closely fits the usage patterns of the cluster. An Amazon EMR service role and an Amazon EC2 instance profile are required for all clusters in all regions. For more information about service and Amazon EC2 roles, see Use Cases: Roles for Users, Applications, and Services and Use roles for applications that run on Amazon EC2 instances in the IAM User Guide.

The service role defines the allowable actions for Amazon EMR based on granted permissions. When the user accesses the cluster, Amazon EMR assumes this IAM role, gets the permissions of the assumed role, and then tries to execute requests with those permissions. A similar process occurs for applications using the Amazon EC2 instance profile, which determines permissions for applications that run on EC2 instances. For example, when Hive, an application on the cluster, needs to write output to an Amazon S3 bucket, the Amazon EC2 instance profile determines whether Hive has permissions to do that.
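The two roles described above differ in who may assume them and in what they permit. As an added example that is not code from the Amazon EMR guide, the following Python builds the trust policy for each role (the service role trusts the EMR service principal, the instance profile's role trusts the EC2 service principal), builds a permissions policy for the instance profile that limits Hive's S3 access to one bucket prefix instead of all of S3, and then runs a simplified IAM-style evaluation to show which Hive writes that policy would allow. The bucket name and prefix are constructed placeholders; the evaluator ignores conditions, SCPs and resource policies, so it illustrates the identity-policy part of the decision only.

```python
"""Added example: trust and permissions policies for the two EMR roles,
plus a simplified identity-policy evaluation. Not AWS documentation code."""
import fnmatch
import json

# Service principals that the EMR service role and the EC2 instance profile
# role trust. These are the real AWS service principals for those services.
EMR_SERVICE_PRINCIPAL = "elasticmapreduce.amazonaws.com"
EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"

# Constructed placeholder values for the worked example.
OUTPUT_BUCKET = "example-emr-output"
HIVE_PREFIX = "hive/warehouse"


def trust_policy(service_principal: str) -> dict:
    """Trust policy: only the named AWS service may assume this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": service_principal},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def instance_profile_policy(bucket: str, prefix: str) -> dict:
    """Permissions policy attached to the instance profile's role.

    Applications on the cluster (Hive here) may list the bucket and read or
    write objects under one prefix. Anything else is implicitly denied, which is
    the tailoring the guide recommends over a blanket s3:* grant.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation of a single identity policy.

    An explicit Deny on a matching statement wins; otherwise any matching Allow
    grants; otherwise the request is implicitly denied. Action names are matched
    case-insensitively, resource ARNs case-sensitively, with IAM-style '*' and
    '?' wildcards. Conditions are not evaluated in this example.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def hive_write_allowed(policy: dict, bucket: str, key: str) -> bool:
    """Would Hive's s3:PutObject to s3://bucket/key succeed under this policy?"""
    return is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}")


if __name__ == "__main__":
    print(json.dumps(trust_policy(EMR_SERVICE_PRINCIPAL), indent=2))
    print(json.dumps(trust_policy(EC2_SERVICE_PRINCIPAL), indent=2))
    policy = instance_profile_policy(OUTPUT_BUCKET, HIVE_PREFIX)
    print(json.dumps(policy, indent=2))
    for key in ("hive/warehouse/t1/part-0000", "logs/part-0000"):
        print(key, "->", hive_write_allowed(policy, OUTPUT_BUCKET, key))
```

The trust policy is what makes the "Amazon EMR assumes this IAM role" step in the text possible: without `elasticmapreduce.amazonaws.com` as a trusted principal the service role cannot be assumed at all, and the instance profile's role must trust `ec2.amazonaws.com` for the EC2 instances to obtain its credentials. The evaluation at the end shows the practical effect of tailoring the permissions policy: a Hive write under the warehouse prefix is allowed, while a write elsewhere in the same bucket, a write to another bucket, or a delete anywhere is not.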

The user who sets up the roles for use with Amazon EMR should be an IAM user with administrative permissions. We recommend that all administrators use AWS MFA (multi-factor authentication).