Getting started with AWS IAM Identity Center integration for Amazon EMR
This section helps you configure Amazon EMR to integrate with AWS IAM Identity Center.
Topics
- Create an Identity Center instance
- Create an IAM role for Identity Center
- Create an Identity Center enabled security configuration
- Create and launch an Identity Center enabled cluster
- Configure Lake Formation for an IAM Identity Center enabled EMR cluster
- Working with S3 Access Grants on an IAM Identity Center enabled EMR cluster
Create an Identity Center instance
If you don't already have one, create an Identity Center instance in the AWS Region where you want to launch your EMR cluster. An Identity Center instance can only exist in a single Region for an AWS account.
Use the following AWS CLI command to create a new instance named
:MyInstance
aws sso-admin create-instance --name
MyInstance
Create an IAM role for Identity Center
To integrate Amazon EMR with AWS IAM Identity Center, create an IAM role that authenticates with Identity Center from the EMR cluster. Under the hood, Amazon EMR uses SigV4 credentials to relay the Identity Center identity to downstream services such as AWS Lake Formation. Your role should also have the respective permissions to invoke the downstream services.
When you create the role, use the following permissions policy:
{ "Statement": [ { "Sid": "IdCPermissions", "Effect": "Allow", "Action": [ "sso-oauth:*" ], "Resource": "*" }, { "Sid": "GlueandLakePermissions", "Effect": "Allow", "Action": [ "glue:*", "lakeformation:GetDataAccess" ], "Resource": "*" }, { "Sid": "AccessGrantsPermissions", "Effect": "Allow", "Action": [ "s3:GetDataAccess", "s3:GetAccessGrantsInstanceForPrefix" ], "Resource": "*" } ] }
The trust policy for this role allows the InstanceProfile role to let it assume the role.
{ "Sid": "AssumeRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::12345678912:role/EMR_EC2_DefaultRole" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ] }
Create an Identity Center enabled security configuration
To launch an EMR cluster with IAM Identity Center integration, use the following example command to create an Amazon EMR security configuration that has Identity Center enabled. Each configuration is explained below.
aws emr create-security-configuration --name "IdentityCenterConfiguration-with-lf-accessgrants" --region "us-west-2" --security-configuration '{ "AuthenticationConfiguration":{ "IdentityCenterConfiguration":{ "EnableIdentityCenter":true, "IdentityCenterApplicationAssigmentRequired":false, "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789", "IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::123456789012:role/tip-role" } }, "AuthorizationConfiguration": { "LakeFormationConfiguration": { "EnableLakeFormation": true } }, "EncryptionConfiguration": { "EnableInTransitEncryption": true, "EnableAtRestEncryption": false, "InTransitEncryptionConfiguration": { "TLSCertificateConfiguration": { "CertificateProviderType": "PEM", "S3Object": "s3://my-bucket/cert/my-certs.zip" } } } }'
-
EnableIdentityCenter
– (required) Enables Identity Center integration. -
IdentityCenterApplicationARN
– (required) The Identity Center instance ARN. -
IAMRoleForEMRIdentityCenterApplicationARN
– (required) The IAM role that procures Identity Center tokens from the cluster. -
IdentityCenterApplicationAssignmentRequired
– (boolean) Governs if an assignment will be required to use the Identity Center application. The default value istrue
. -
AuthorizationConfiguration
/LakeFormationConfiguration
– Optionally, configure authorization:-
EnableLakeFormation
– Enable Lake Formation authorization on the cluster.
-
To enable Identity Center integration with Amazon EMR, you must specify
EncryptionConfiguration
and
IntransitEncryptionConfiguration
.
Create and launch an Identity Center enabled cluster
Now that you've set up the IAM role that authenticates with Identity Center, and created an Amazon EMR security configuration that has Identity Center enabled, you can create and launch your identity-aware cluster. For steps to launch your cluster with the required security configuration, see Specify a security configuration for a cluster.
Optionally, refer to the following section if you want to use your Identity Center enabled cluster with other security options that Amazon EMR supports: