IAM policies for Amazon EMR on EKS
The following example templates show how AWS Step Functions generates IAM policies based on the resources in your
state machine definition. For more information, see IAM Policies for integrated
services and Service integration patterns.
CreateVirtualCluster
Resources
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-containers:CreateVirtualCluster"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/emr-containers.amazonaws.com/AnAWSServiceRoleForAmazonEMRContainers",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "emr-containers.amazonaws.com"
}
}
}
]
}
DeleteVirtualCluster
Static resources
- Run a Job (.sync)
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-containers:DeleteVirtualCluster",
"emr-containers:DescribeVirtualCluster"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/[[virtualClusterId]]"
]
}
]
}
- Request Response
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-containers:DeleteVirtualCluster"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/[[virtualClusterId]]"
]
}
]
}
Dynamic resources
- Run a Job (.sync)
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-containers:DeleteVirtualCluster",
"emr-containers:DescribeVirtualCluster"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/*"
]
}
]
}
- Request Response
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-containers:DeleteVirtualCluster"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/*"
]
}
]
}
StartJobRun
Static resources
- Run a Job (.sync)
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "emr-containers:StartJobRun",
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/[[virtualClusterId]]"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"[[executionRoleArn]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"emr-containers:DescribeJobRun",
"emr-containers:CancelJobRun"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/[[virtualClusterId]]/jobruns/*"
]
}
]
}
- Request Response
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "emr-containers:StartJobRun",
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/[[virtualClusterId]]"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"[[executionRoleArn]]"
]
}
}
}
]
}
Dynamic resources
- Run a Job (.sync)
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "emr-containers:StartJobRun",
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/*"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"[[executionRoleArn]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"emr-containers:DescribeJobRun",
"emr-containers:CancelJobRun"
],
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/*"
]
}
]
}
- Request Response
-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "emr-containers:StartJobRun",
"Resource": [
"arn:aws:emr-containers:{{region}}:{{accountId}}:/virtualclusters/*"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"[[executionRoleArn]]"
]
}
}
}
]
}
