Setting up - Amazon EMR
Sign up for an Amazon Web Services accountSecure IAM usersGrant permissionsSet up the Amazon CLIOpen the console
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up

Sign up for an Amazon Web Services account

If you do not have an Amazon Web Services account, use the following procedure to create one.

To sign up for Amazon Web Services

  1. Open http://www.amazonaws.cn/ and choose Sign Up.

  2. Follow the on-screen instructions.

Amazon sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to http://www.amazonaws.cn/ and choosing My Account.

Secure IAM users

After you sign up for an Amazon Web Services account, safeguard your administrative user by turning on multi-factor authentication (MFA). For instructions, see Enable a virtual MFA device for an IAM user (console) in the IAM User Guide.

To give other users access to your Amazon Web Services account resources, create IAM users. To secure your IAM users, turn on MFA and only give the IAM users the permissions needed to perform their tasks.

For more information about creating and securing IAM users, see the following topics in the IAM User Guide:

Grant permissions

In production environments, we recommend that you use finer-grained policies. For examples of such policies, see User access policy examples for EMR Serverless. To learn more about access management, see Access management for Amazon resources in the IAM User Guide.

For users who need to get started with EMR Serverless in a sandbox environment, use a policy similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EMRStudioCreate",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:CreateStudioPresignedUrl",
                "elasticmapreduce:DescribeStudio",
                "elasticmapreduce:CreateStudio",
                "elasticmapreduce:ListStudios"
            ],
            "Resource": "*"
        },
        {
            "Sid": "EMRServerlessFullAccess",
            "Effect": "Allow",
            "Action": [
                "emr-serverless:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEC2ENICreationWithEMRTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:network-interface/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "ops.emr-serverless.amazonaws.com"
                }
            }
        },
        {    
            "Sid": "AllowEMRServerlessServiceLinkedRoleCreation",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/*"
        }
    ]
}

To provide access, add permissions to your users, groups, or roles:

Grant programmatic access

Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.

To grant users programmatic access, choose one of the following options.

Which user needs programmatic access? To By
IAM Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide.
IAM

(Not recommended)

Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs).		 Following the instructions in Managing access keys for IAM users in the IAM User Guide.

Install and configure the Amazon CLI

If you want to use EMR Serverless APIs, you must install the latest version of the Amazon Command Line Interface (Amazon CLI). You don't need the Amazon CLI to use EMR Serverless from the EMR Studio console, and you can get started without the CLI by following the steps in Getting started with EMR Serverless from the console.

To set up the Amazon CLI

  1. To install the latest version of the Amazon CLI for macOS, Linux, or Windows, see Installing or updating the latest version of the Amazon CLI.

  2. To configure the Amazon CLI and secure setup of your access to Amazon Web Services, including EMR Serverless, see Quick configuration with aws configure.

  3. To verify the setup, enter the following DataBrew command at the command prompt.

    aws emr-serverless help

    Amazon CLI commands use the default Amazon Web Services Region from your configuration, unless you set it with a parameter or a profile. To set your Amazon Web Services Region with a parameter, you can add the --region parameter to each command.

    To set your Amazon Web Services Region with a profile, first add a named profile in the ~/.aws/config file or the %UserProfile%/.aws/config file (for Microsoft Windows). Follow the steps in Named profiles for the Amazon CLI. Next, set your Amazon Web Services Region and other settings with a command similar to the one in the following example.

    [profile emr-serverless]
aws_access_key_id = ACCESS-KEY-ID-OF-IAM-USER
aws_secret_access_key = SECRET-ACCESS-KEY-ID-OF-IAM-USER
region = us-east-1
output = text

Open the console

Most of the console-oriented topics in this section start from the Amazon EMR console. If you aren't already signed in to your Amazon Web Services account, sign in, then open the Amazon EMR console and continue to the next section to continue getting started with Amazon EMR.