Administrator permissions to create and manage an EMR Studio - Amazon EMR

The IAM permissions described on this page permit you to create and manage an EMR Studio. For detailed information about each required permission, see Permissions required to manage an EMR Studio.

Permissions required to manage an EMR Studio

The following table lists the operations related to creating and managing an EMR Studio. The table also displays the permissions needed for each operation.

Note

You only need AWS SSO and Studio SessionMapping actions when you use AWS SSO authentication mode.

Permissions to create and manage an EMR Studio

| Operation | Permissions |
| --- | --- |
| Create a Studio | "elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole" |
| Describe a Studio | "elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance" |
| List Studios | "elasticmapreduce:ListStudios" |
| Delete a Studio | "elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance" |

Additional permissions required when you use AWS SSO mode

| Operation | Permissions |
| --- | --- |
| Assign users or groups to a Studio | "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup" |
| Retrieve Studio assignment details for a specific user or group | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:GetStudioSessionMapping" |
| List all users and groups assigned to a Studio | "elasticmapreduce:ListStudioSessionMappings" |
| Update the session policy attached to a user or group assigned to a Studio | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:UpdateStudioSessionMapping" |
| Remove a user or group from a Studio | "elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:GetManagedApplicationInstance", "sso:ListProfiles", "sso:DisassociateProfile" |

To create a policy with admin permissions for EMR Studio

  1. Follow the instructions in Creating IAM policies to create a policy using one of the following examples. The permissions you need depend on your authentication mode for Amazon EMR Studio.

    Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the AWS Region where you plan to create the Studio.

    • Replace <aws-account-id> with the ID of the AWS account for the Studio.

    • Replace <EMRStudio-Service-Role> and <EMRStudio-User-Role> with the names of your EMR Studio service role and EMR Studio user role.

    Example policy: Admin permissions when you use IAM authentication mode

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
          "Action": [
            "elasticmapreduce:CreateStudio",
            "elasticmapreduce:DescribeStudio",
            "elasticmapreduce:DeleteStudio"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "<your-resource-ARN>",
          "Action": [
            "elasticmapreduce:ListStudios"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
          ],
          "Action": "iam:PassRole"
        }
      ]
    }

    Example policy: Admin permissions when you use AWS SSO authentication mode

    Note

    AWS SSO and AWS SSO Directory APIs don't support specifying an ARN in the resource element of an IAM policy statement. To allow access to AWS SSO and AWS SSO Directory, the following permissions specify all resources, "Resource":"*", for AWS SSO actions. For more information, see Actions, resources, and condition keys for AWS SSO Directory.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
          "Action": [
            "elasticmapreduce:CreateStudio",
            "elasticmapreduce:DescribeStudio",
            "elasticmapreduce:DeleteStudio",
            "elasticmapreduce:CreateStudioSessionMapping",
            "elasticmapreduce:GetStudioSessionMapping",
            "elasticmapreduce:UpdateStudioSessionMapping",
            "elasticmapreduce:DeleteStudioSessionMapping"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "<your-resource-ARN>",
          "Action": [
            "elasticmapreduce:ListStudios",
            "elasticmapreduce:ListStudioSessionMappings"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
          ],
          "Action": "iam:PassRole"
        },
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "sso:CreateManagedApplicationInstance",
            "sso:GetManagedApplicationInstance",
            "sso:DeleteManagedApplicationInstance",
            "sso:AssociateProfile",
            "sso:DisassociateProfile",
            "sso:GetProfile",
            "sso:ListDirectoryAssociations",
            "sso:ListProfiles",
            "sso-directory:SearchUsers",
            "sso-directory:SearchGroups",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeGroup"
          ]
        }
      ]
    }

  2. Attach the policy to your IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.
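
A static check of a drafted policy against the permissions table and example policies on this page, added here as an illustration and not part of the AWS documentation: it reports which actions an operation still lacks and which grants are broader than the examples (non-SSO actions on "Resource": "*", or iam:PassRole on a wildcard ARN). The function names, the account ID 111122223333, the Region and the role name are constructed for the example; Deny statements, NotAction and Condition are not evaluated.

```python
import fnmatch

# Required actions per operation, copied from the table on this page (subset).
REQUIRED = {
    "Create a Studio": {"elasticmapreduce:CreateStudio",
                        "sso:CreateManagedApplicationInstance", "iam:PassRole"},
    "Describe a Studio": {"elasticmapreduce:DescribeStudio",
                          "sso:GetManagedApplicationInstance"},
    "Delete a Studio": {"elasticmapreduce:DeleteStudio",
                        "sso:DeleteManagedApplicationInstance"},
}
SSO_PREFIXES = ("sso:", "sso-directory:")  # per the page's note, these need "Resource": "*"

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _allows(policy):
    """Yield (lowercased action, resource) for every Allow statement."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                for resource in _as_list(stmt.get("Resource", [])):
                    yield action.lower(), resource

def missing_actions(policy, operation):
    """Actions the table requires for `operation` that no Allow statement grants."""
    granted = {action for action, _ in _allows(policy)}  # may contain * and ? wildcards
    return {req for req in REQUIRED[operation]
            if not any(fnmatch.fnmatchcase(req.lower(), g) for g in granted)}

def overbroad(policy):
    """Grants wider than the page's examples, as sorted (action, resource) pairs."""
    findings = set()
    for action, resource in _allows(policy):
        grants_passrole = fnmatch.fnmatchcase("iam:passrole", action)
        if (resource == "*" and not action.startswith(SSO_PREFIXES)) or \
           (grants_passrole and "*" in resource):
            findings.add((action, resource))
    return sorted(findings)

# Constructed sample: the IAM-mode example, trimmed, with placeholder values filled in.
IAM_MODE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:elasticmapreduce:us-east-1:111122223333:studio/*",
     "Action": ["elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio",
                "elasticmapreduce:DeleteStudio"]},
    {"Effect": "Allow", "Resource": "arn:aws:iam::111122223333:role/ExampleStudioServiceRole",
     "Action": "iam:PassRole"},
]}
```

For the IAM-mode sample, `missing_actions` returns only the `sso:` action for each operation, which matches the note that AWS SSO actions are needed only in AWS SSO authentication mode.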