Administrator permissions required to create and manage EMR Studio - Amazon EMR

Administrator permissions required to create and manage EMR Studio

The IAM permissions described on this page let you create and manage EMR Studio. For details on each required permission, see Permissions required to manage EMR Studio.

Permissions required to manage EMR Studio

The following table lists the operations involved in creating and managing EMR Studio, together with the permissions each operation requires.

Note

You only need the IAM Identity Center (sso and sso-directory) actions and the Studio SessionMapping actions when you use IAM Identity Center authentication mode.

Administrator permissions required to create and manage EMR Studio

Operation / Permissions

Create a Studio
"elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole"

Describe a Studio
"elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"

List Studios
"elasticmapreduce:ListStudios"

Delete a Studio
"elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance"

Additional permissions required when you use IAM Identity Center mode

Assign a user or group to a Studio
"elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup"

Retrieve Studio assignment details for a specific user or group
"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:GetStudioSessionMapping"

List all users and groups assigned to a Studio
"elasticmapreduce:ListStudioSessionMappings"

Update the session policy attached to a user or group assigned to a Studio
"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:UpdateStudioSessionMapping"

Remove a user or group from a Studio
"elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:GetManagedApplicationInstance", "sso:ListProfiles", "sso:DisassociateProfile"

Create a policy with EMR Studio administrator permissions

  1. Follow the instructions in Creating IAM policies to create a policy from one of the following examples. The permissions you need depend on your EMR Studio authentication mode.

    Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the AWS Region in which you plan to create the Studio.

    • Replace <aws-account-id> with the AWS account ID of the Studio.

    • Replace <EMRStudio-Service-Role> and <EMRStudio-User-Role> with the names of your EMR Studio service role and EMR Studio user role.

    Example policy: administrator permissions when you use IAM authentication mode

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
                ],
                "Action": "iam:PassRole"
            }
        ]
    }

    Example policy: administrator permissions when you use IAM Identity Center authentication mode

    Note

    IAM Identity Center and the IAM Identity Center Directory APIs do not support specifying an ARN in the Resource element of an IAM policy statement. To allow access to IAM Identity Center and the IAM Identity Center directory, the following policy specifies all resources ("Resource": "*") for the IAM Identity Center actions. Keep that wildcard confined to the statement that carries the sso and sso-directory actions; the elasticmapreduce and iam:PassRole statements stay scoped to the Studio ARN and to the two role ARNs. For more information, see Actions, resources, and condition keys for IAM Identity Center Directory.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio",
                    "elasticmapreduce:CreateStudioSessionMapping",
                    "elasticmapreduce:GetStudioSessionMapping",
                    "elasticmapreduce:UpdateStudioSessionMapping",
                    "elasticmapreduce:DeleteStudioSessionMapping"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios",
                    "elasticmapreduce:ListStudioSessionMappings"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
                ],
                "Action": "iam:PassRole"
            },
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sso:CreateManagedApplicationInstance",
                    "sso:GetManagedApplicationInstance",
                    "sso:DeleteManagedApplicationInstance",
                    "sso:AssociateProfile",
                    "sso:DisassociateProfile",
                    "sso:GetProfile",
                    "sso:ListDirectoryAssociations",
                    "sso:ListProfiles",
                    "sso-directory:SearchUsers",
                    "sso-directory:SearchGroups",
                    "sso-directory:DescribeUser",
                    "sso-directory:DescribeGroup"
                ]
            }
        ]
    }
  2. Attach the policy to your IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.
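The two example policies above are assembled by hand from the permission table. The following Python script, added here as an example and not part of the AWS documentation, does the same job mechanically: it encodes the page's table, builds the administrator policy for either authentication mode, and then lints the result before you attach it. The lint reports any action the table requires that the policy lacks, any statement that grants "Resource": "*" to actions outside the sso and sso-directory namespaces (the only ones the page says cannot be scoped), and any iam:PassRole statement whose resource contains a wildcard. The region, account ID and role names are placeholders; using the Studio ARN pattern for the ListStudios statement, where the page leaves <your-resource-ARN>, is an assumption of this example.

```python
"""Build and lint an EMR Studio administrator policy for either authentication mode.
Added example, not code from the AWS documentation; the permission table is
transcribed from the page and the region/account/role values are placeholders."""
import json
from typing import Dict, List, Set

IDC = ("sso:", "sso-directory:")  # action namespaces that only Identity Center mode needs
DIRECTORY = ["sso-directory:SearchUsers", "sso-directory:SearchGroups",
             "sso-directory:DescribeUser", "sso-directory:DescribeGroup"]
# Operation -> permissions, as listed in the page's table.
BASE_OPERATIONS: Dict[str, List[str]] = {
    "CreateStudio": ["elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole"],
    "DescribeStudio": ["elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"],
    "ListStudios": ["elasticmapreduce:ListStudios"],
    "DeleteStudio": ["elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance"],
}
IDENTITY_CENTER_OPERATIONS: Dict[str, List[str]] = {
    "CreateStudioSessionMapping": ["elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile",
        "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile"] + DIRECTORY,
    "GetStudioSessionMapping": ["elasticmapreduce:GetStudioSessionMapping",
        "sso:GetManagedApplicationInstance"] + DIRECTORY,
    "ListStudioSessionMappings": ["elasticmapreduce:ListStudioSessionMappings"],
    "UpdateStudioSessionMapping": ["elasticmapreduce:UpdateStudioSessionMapping",
        "sso:GetManagedApplicationInstance"] + DIRECTORY,
    "DeleteStudioSessionMapping": ["elasticmapreduce:DeleteStudioSessionMapping", "sso:ListDirectoryAssociations",
        "sso:GetProfile", "sso:GetManagedApplicationInstance", "sso:ListProfiles", "sso:DisassociateProfile"] + DIRECTORY,
}


def required_actions(mode: str) -> Set[str]:
    """Every action the table requires for mode 'iam' or 'identity-center'."""
    ops = {**BASE_OPERATIONS, **(IDENTITY_CENTER_OPERATIONS if mode == "identity-center" else {})}
    actions = {a for perms in ops.values() for a in perms}
    # Per the page's note, the sso actions are only needed in Identity Center mode.
    return actions if mode == "identity-center" else {a for a in actions if not a.startswith(IDC)}


def build_admin_policy(mode, region, account_id, service_role, user_role=None) -> dict:
    """Assemble the administrator policy in the shape of the page's examples."""
    idc = mode == "identity-center"
    studio_arn = f"arn:aws:elasticmapreduce:{region}:{account_id}:studio/*"
    roles = [service_role] + ([user_role] if idc else [])  # Identity Center mode also passes the user role
    studio_actions = [f"elasticmapreduce:{op}" for op in ("CreateStudio", "DescribeStudio", "DeleteStudio")]
    list_actions = ["elasticmapreduce:ListStudios"]
    if idc:
        studio_actions += [f"elasticmapreduce:{op}" for op in IDENTITY_CENTER_OPERATIONS
                           if op != "ListStudioSessionMappings"]
        list_actions.append("elasticmapreduce:ListStudioSessionMappings")
    statements = [
        {"Effect": "Allow", "Resource": studio_arn, "Action": studio_actions},
        # The page leaves this resource as <your-resource-ARN>; the Studio ARN pattern is an assumed value.
        {"Effect": "Allow", "Resource": studio_arn, "Action": list_actions},
        {"Effect": "Allow", "Resource": [f"arn:aws:iam::{account_id}:role/{r}" for r in roles],
         "Action": "iam:PassRole"},
    ]
    if idc:  # Identity Center APIs take no resource ARNs, so "*" is confined to this one statement
        statements.append({"Effect": "Allow", "Resource": "*",
                           "Action": sorted(a for a in required_actions(mode) if a.startswith(IDC))})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_actions(policy: dict) -> Set[str]:
    return {a for s in policy["Statement"] for a in _as_list(s["Action"])}


def lint_policy(policy: dict, mode: str) -> List[str]:
    """Findings: required actions that are missing, and wildcards where a scoped ARN belongs."""
    findings = []
    missing = required_actions(mode) - policy_actions(policy)
    if missing:
        findings.append(f"missing actions for {mode} mode: {sorted(missing)}")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        broad = [a for a in actions if not a.startswith(IDC)]
        if "*" in resources and broad:
            findings.append(f"Resource '*' granted to non-Identity-Center actions: {broad}")
        if "iam:PassRole" in actions and any("*" in r for r in resources):
            findings.append(f"iam:PassRole should name the Studio roles exactly, not {resources}")
    return findings


if __name__ == "__main__":
    policy = build_admin_policy("identity-center", "us-east-1", "123456789012",
                                "EMRStudio-Service-Role", "EMRStudio-User-Role")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy, "identity-center"))
    # Deliberately weakened copy: PassRole over every role in the account.
    policy["Statement"][2]["Resource"] = ["arn:aws:iam::123456789012:role/*"]
    print("weakened:", lint_policy(policy, "identity-center"))
```

Run it as a pre-attach check: a clean policy produces an empty findings list for its mode, while the IAM-mode policy linted against "identity-center" reports the missing SessionMapping and sso actions, and widening iam:PassRole to role/* is flagged even though the policy otherwise matches the page.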