创建和管理 EMR Studio 所需的管理员权限

本页所描述的 IAM 权限允许您创建和管理 EMR Studio。有关每个所需权限的详细信息，请参阅管理 EMR Studio 所需的权限。

管理 EMR Studio 所需的权限

下表列出了与创建和管理 EMR Studio 相关的运营。该表还显示了每个运营所需的权限。

注意

您在使用 IAM Identity Center 身份验证模式时只需要 IAM Identity Center 和 Studio SessionMapping 操作。

创建和管理 EMR Studio 所需的管理员权限
操作	权限
创建 Studio	"elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole"
描述 Studio	"elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"
列出 Studios	"elasticmapreduce:ListStudios"
删除 Studio	"elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance"
Additional permissions required when you use IAM Identity Center mode
将用户或组分配给 Studio	"elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile" "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup"
请检索特定用户或组的 Studio 分配详细信息	"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:GetStudioSessionMapping"
列出分配给 Studio 的所有用户和组	"elasticmapreduce:ListStudioSessionMappings"
更新附加到分配给 Studio 的用户或组的会话策略	"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:UpdateStudioSessionMapping"
从 Studio 中删除用户或组	"elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:GetManagedApplicationInstance" "sso:ListProfiles", "sso:DisassociateProfile"

创建具有 EMR Studio 管理员权限的策略

1. 按照创建 IAM policy中的说明使用以下任一示例创建策略。您需要的权限取决于您的 EMR Studio 身份验证模式。

   为这些项插入您自己的值：

   • 替换 <your-resource-ARN> 以指定该语句针对您的使用案例涵盖的一个或多个对象的 Amazon Resource Name（ARN）。

   • 将 <region> 替换为您计划在其中创建 Studio 的 AWS 区域 的代码。

   • 将 <aws-account-id> 替换为 Studio 的 AWS 账户 ID。

   • 将 <EMRStudio_Service_Role> 和 <EMRStudio_User_Role> 替换为您的 EMR Studio 服务角色和 EMR Studio 用户角色的名称。

   例 示例策略：您使用 IAM 身份验证模式时的管理员权限

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
               "Action": [
                   "elasticmapreduce:CreateStudio",
                   "elasticmapreduce:DescribeStudio",
                   "elasticmapreduce:DeleteStudio"
               ]
           },
           {
               "Effect": "Allow",
               "Resource": "<your-resource-ARN>",
               "Action": [
                   "elasticmapreduce:ListStudios"
               ]
           },
           {
               "Effect": "Allow",
               "Resource": [
                   "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
               ],
               "Action": "iam:PassRole"
           }
       ]
   }

   例 示例策略：您使用 IAM Identity Center 身份验证模式时的管理员权限

   注意

   IAM Identity Center 和 IAM Identity Center Directory API 不支持在 IAM policy 语句的资源元素中指定 ARN。要允许访问 IAM Identity Center 和 IAM Identity Center 目录，以下权限为 IAM Identity Center 操作指定所有资源 "Resource":"*"。有关更多信息，请参阅 IAM Identity Center 目录的操作、资源和条件键。

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
               "Action": [
                   "elasticmapreduce:CreateStudio",
                   "elasticmapreduce:DescribeStudio",
                   "elasticmapreduce:DeleteStudio",
                   "elasticmapreduce:CreateStudioSessionMapping",
                   "elasticmapreduce:GetStudioSessionMapping",
                   "elasticmapreduce:UpdateStudioSessionMapping",
                   "elasticmapreduce:DeleteStudioSessionMapping"
               ]
           },
           {
               "Effect": "Allow",
               "Resource": "<your-resource-ARN>",
               "Action": [
                   "elasticmapreduce:ListStudios",
                   "elasticmapreduce:ListStudioSessionMappings"
               ]
           },
           {
               "Effect": "Allow",
               "Resource": [
                   "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                   "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
               ],
               "Action": "iam:PassRole"
           },
           {
               "Effect": "Allow",
               "Resource": "*",
               "Action": [
                   "sso:CreateManagedApplicationInstance",
                   "sso:GetManagedApplicationInstance",
                   "sso:DeleteManagedApplicationInstance",
                   "sso:AssociateProfile",
                   "sso:DisassociateProfile",
                   "sso:GetProfile",
                   "sso:ListDirectoryAssociations",
                   "sso:ListProfiles",
                   "sso-directory:SearchUsers",
                   "sso-directory:SearchGroups",
                   "sso-directory:DescribeUser",
                   "sso-directory:DescribeGroup"
               ]
           }
       ]
   }

2. 将该策略附加到您的 IAM 身份（用户、角色或组）。有关说明，请参阅添加和删除 IAM 身份权限。