Service role for EMR Notebooks - Amazon EMR

Service role for EMR Notebooks

Each EMR notebook needs permissions to access other AWS resources and perform actions. The IAM policies attached to this service role provide permissions for the notebook to interoperate with other AWS services. When you create a notebook using the AWS Management Console, you specify an AWS service role. You can use the default role, EMR_Notebooks_DefaultRole, or specify a role that you create. If a notebook has not been created before, you can choose to create the default role.

  • The default role name is EMR_Notebooks_DefaultRole.

  • The default managed policies attached to EMR_Notebooks_DefaultRole are AmazonElasticMapReduceEditorsRole and S3FullAccessPolicy.

The contents of version 1 of AmazonElasticMapReduceEditorsRole are as follows.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress", "ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeSubnets", "elasticmapreduce:ListInstances", "elasticmapreduce:DescribeCluster" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ec2:CreateTags", "Resource": "arn:aws:ec2:*:*:network-interface/*", "Condition": { "ForAllValues:StringEquals": { "aws:TagKeys": [ "aws:elasticmapreduce:editor-id", "aws:elasticmapreduce:job-flow-id" ] } } } ] }

Following is the contents of the S3FullAccessPolicy. The S3FullAccessPolicy allows your service role for EMR Notebooks to perform all Amazon S3 actions on objects in your AWS account. When you create a custom service role for EMR Notebooks, you must give your service role Amazon S3 permissions.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }

You can scope down read and write access for your service role to the Amazon S3 location where you want to save your notebook files. Use the following minimum set of Amazon S3 permissions.

"s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration", "s3:ListBucket", "s3:DeleteObject"

If your Amazon S3 bucket is encrypted, you must include the following permissions for AWS Key Management Service.

"kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt", "kms:DescribeKey"

When you link Git repositories to your notebook and need to create a secret for the repository, you must add the secretsmanager:GetSecretValue permission in the IAM policy attached to the service role for EMR notebooks. An example policy is demonstrated below:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*" } ] }

EMR Notebooks service role permissions

This table lists the actions that EMR Notebooks takes using the service role, along with the permissions needed for each action.

Action Permissions
Establish a secure network channel between a notebook and an Amazon EMR cluster, and perform necessary cleanup actions.
"ec2:CreateNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfaces", "ec2:ModifyNetworkInterfaceAttribute", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress", "ec2:DescribeTags", "ec2:DescribeInstances", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "elasticmapreduce:ListInstances", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListSteps"
Use Git credentials stored in AWS Secrets Manager to link Git repositories to a notebook.
"secretsmanager:GetSecretValue"
Apply AWS tags to the network interface and default security groups that EMR Notebooks creates while setting up the secure network channel. For more information, see Tagging AWS resources.
"ec2:CreateTags"
Access or upload notebook files and metadata to Amazon S3.
"s3:PutObject", "s3:GetObject", "s3:GetEncryptionConfiguration", "s3:ListBucket", "s3:DeleteObject"

The following permissions are only required if you use an encrypted Amazon S3 bucket.

"kms:Decrypt", "kms:GenerateDataKey", "kms:ReEncrypt", "kms:DescribeKey"