Create an Identity Center instance Create an IAM role Create a security configuration Launch a cluster

Getting started with AWS IAM Identity Center integration for Amazon EMR

This section helps you configure Amazon EMR to integrate with AWS IAM Identity Center.

Topics

Create an Identity Center instance

If you don't already have one, create an Identity Center instance in the AWS Region where you want to launch your EMR cluster. An Identity Center instance can only exist in a single Region for an AWS account.

Use the following AWS CLI command to create a new instance named MyInstance:


aws sso-admin create-instance --name MyInstance

Create an IAM role for Identity Center

To integrate Amazon EMR with AWS IAM Identity Center, create an IAM role that authenticates with Identity Center from the EMR cluster. Under the hood, Amazon EMR uses SigV4 credentials to relay the Identity Center identity to downstream services such as AWS Lake Formation. Your role should also have the respective permissions to invoke the downstream services.

When you create the role, use the following permissions policy:


{
  "Statement": [
    {
      "Sid": "IdCPermissions",
      "Effect": "Allow",
      "Action": [
        "sso-oauth:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueandLakePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:*",
        "lakeformation:GetDataAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AccessGrantsPermissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetDataAccess",
        "s3:GetAccessGrantsInstanceForPrefix"
      ],
      "Resource": "*"
    }
  ]
}

The trust policy for this role allows the InstanceProfile role to let it assume the role.


{
   "Sid": "AssumeRole",
   "Effect": "Allow",
   "Principal": {
        "AWS": "arn:aws:iam::12345678912:role/EMR_EC2_DefaultRole"
    },
    "Action": [
               "sts:AssumeRole",
               "sts:SetContext"
    ]
 }

Create an Identity Center enabled security configuration

To launch an EMR cluster with IAM Identity Center integration, use the following example command to create an Amazon EMR security configuration that has Identity Center enabled. Each configuration is explained below.


aws emr create-security-configuration --name "IdentityCenterConfiguration-with-lf-accessgrants" --region "us-west-2" --security-configuration '{
	"AuthenticationConfiguration":{
		"IdentityCenterConfiguration":{
			"EnableIdentityCenter":true,
			"IdentityCenterApplicationAssigmentRequired":false,
			"IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789",
			"IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::123456789012:role/tip-role"
	    }
	},
	"AuthorizationConfiguration": {
		"LakeFormationConfiguration": {
			"EnableLakeFormation": true
		}
	},
	"EncryptionConfiguration": {
		"EnableInTransitEncryption": true,
		"EnableAtRestEncryption": false,
		"InTransitEncryptionConfiguration": {
			"TLSCertificateConfiguration": {
				"CertificateProviderType": "PEM",
				"S3Object": "s3://my-bucket/cert/my-certs.zip"
			}
		}
	}
}'

EnableIdentityCenter – (required) Enables Identity Center integration.
IdentityCenterApplicationARN – (required) The Identity Center instance ARN.
IAMRoleForEMRIdentityCenterApplicationARN – (required) The IAM role that procures Identity Center tokens from the cluster.
IdentityCenterApplicationAssignmentRequired – (boolean) Governs if an assignment will be required to use the Identity Center application. The default value is true.
AuthorizationConfiguration / LakeFormationConfiguration – Optionally, configure authorization:
- EnableLakeFormation – Enable Lake Formation authorization on the cluster.

To enable Identity Center integration with Amazon EMR, you must specify EncryptionConfiguration and IntransitEncryptionConfiguration.

Create and launch an Identity Center enabled cluster

Now that you've set up the IAM role that authenticates with Identity Center, and created an Amazon EMR security configuration that has Identity Center enabled, you can create and launch your identity-aware cluster. For steps to launch your cluster with the required security configuration, see Specify a security configuration for a cluster.

Optionally, refer to the following section if you want to use your Identity Center enabled cluster with other security options that Amazon EMR supports:

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Integrate Amazon EMR with Identity Center

Use Lake Formation