Add required permissions to create and manage an EMR Studio - Amazon EMR

About the required EMR Studio permissions

Before you can create an Amazon EMR Studio, you must create an IAM policy that defines EMR Studio administrative permissions and add it to an identity (user, group, or role) in the AWS account that you designate for your Studio. Doing so lets you assume an IAM principal that can take actions such as creating and managing a Studio, and assigning users and groups. For detailed information about each required permission, see Permissions required to manage an EMR Studio.


To add the required administrative permissions for EMR Studio, you need the following items:

  • A designated AWS account for your EMR Studio. If you use multiple accounts in your AWS organization, use a member account. To learn more about AWS terminology, see AWS Organizations terminology and concepts.

  • An IAM identity (user, role, or group) in your designated AWS account to which you want to grant EMR Studio administrative permissions.


  1. Follow the instructions in Creating IAM policies to create a policy using the following example. Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the AWS Region where you plan to create your Studio.

    • Replace <aws_account_id> with the ID of the AWS account in which you plan to create the Studio.

    • Replace <EMRStudio_Service_Role> and <EMRStudio_User_Role> with the names of your EMR Studio service role and EMR Studio user role.


    AWS SSO and AWS SSO Directory APIs do not support specifying an ARN in the resource element of an IAM policy statement. To allow access to AWS SSO and AWS SSO Directory, the following permissions specify all resources, "Resource":"*", for AWS SSO actions. For more information, see Actions, resources, and condition keys for AWS SSO Directory.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "arn:aws:elasticmapreduce:<region>:<aws_account_id>:studio/*",
          "Action": [
            "elasticmapreduce:CreateStudio",
            "elasticmapreduce:DescribeStudio",
            "elasticmapreduce:DeleteStudio",
            "elasticmapreduce:CreateStudioSessionMapping",
            "elasticmapreduce:GetStudioSessionMapping",
            "elasticmapreduce:UpdateStudioSessionMapping",
            "elasticmapreduce:DeleteStudioSessionMapping"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "<your-resource-ARN>",
          "Action": [
            "elasticmapreduce:ListStudios",
            "elasticmapreduce:ListStudioSessionMappings"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::<aws_account_id>:role/<EMRStudio_Service_Role>",
            "arn:aws:iam::<aws_account_id>:role/<EMRStudio_User_Role>"
          ],
          "Action": "iam:PassRole"
        },
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "sso:CreateManagedApplicationInstance",
            "sso:GetManagedApplicationInstance",
            "sso:DeleteManagedApplicationInstance",
            "sso:AssociateProfile",
            "sso:DisassociateProfile",
            "sso:GetProfile",
            "sso:ListDirectoryAssociations",
            "sso:ListProfiles",
            "sso-directory:SearchUsers",
            "sso-directory:SearchGroups",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeGroup"
          ]
        }
      ]
    }

  2. Attach the policy to your designated IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.

Permissions required to manage an EMR Studio

This table lists the actions related to creating and managing an EMR Studio, along with the permissions needed for each action.

| Action | Permissions |
| --- | --- |
| Create a Studio | "elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole" |
| Describe a Studio | "elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance" |
| Delete a Studio | "elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance" |
| Assign users or groups to a Studio | "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup" |
| Retrieve Studio assignment details for a specific user or group with the GetStudioSessionMapping API | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:GetStudioSessionMapping" |
| List all users and groups assigned to a Studio | |
| Update the session policy attached to a user or group assigned to a Studio | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:UpdateStudioSessionMapping" |
| Remove a user or group from a Studio | "elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:GetManagedApplicationInstance", "sso:ListProfiles", "sso:DisassociateProfile" |