Integrate Amazon EMR with AWS IAM Identity Center

With Amazon EMR releases 6.15.0 and higher, you can use identities from AWS IAM Identity Center to authenticate with an Amazon EMR cluster. The following sections provides a conceptual overview, prerequisites, and steps required to launch an EMR cluster with Identity Center integration.

Topics

Overview

Trusted identity propagation through IAM Identity Center can help you securely create or connect your workforce identities, and centrally manage their access across AWS accounts and applications. With this capability, a user can sign in to the application that uses trusted identity propagation, and that application can pass the identity of the user in requests that it makes to access data in AWS services that also use trusted identity propagation. Because access is managed based on a user's identity, users don't need to use database local user credentials or assume an IAM role to access data.

Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. With Identity Center, you can create and manage user identities in AWS, or connect your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, and Microsoft Entra ID (formerly Azure AD).

For more information, see What is AWS IAM Identity Center? and Trusted identity propagation across applications in the AWS IAM Identity Center User Guide.

Features and benefits

The Amazon EMR integration with IAM Identity Center provides the following benefits:

Amazon EMR provides credentials to relay your Identity Center Identity to an EMR cluster.
Amazon EMR configures all supported applications to authenticate with the cluster credentials.
Amazon EMR configures and maintains the supported application security with the Kerberos protocol and no commands or scripts required by you.
The ability to enforce Amazon S3 prefix-level authorization with Identity Center identities on S3 Access Grants-managed S3 prefixes.
The ability to enforce table-level authorization with Identity Center identities on AWS Lake Formation managed AWS Glue tables.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Examples

Getting started