Amazon EMR 的服务角色(EMR 角色)
Amazon EMR 角色定义了在预置资源,以及执行对于在集群中运行的特定 Amazon EC2 实例而言不会执行的服务级任务时,将允许 Amazon EMR 执行的操作。例如,服务角色用于在集群启动时配置 EC2 实例。
-
默认角色名为
EMR_DefaultRole_V2。 -
附加到
EMR_DefaultRole_V2的 Amazon EMR 范围的默认托管式策略是AmazonEMRServicePolicy_v2。此 v2 策略将取代弃用的默认托管式策略AmazonElasticMapReduceRole。
AmazonEMRServicePolicy_v2 取决于对 Amazon EMR 预调配或使用的资源的范围缩小访问权限。使用此策略时,您需要在预置集群时传递用户标签 for-use-with-amazon-emr-managed-policies = true。Amazon EMR 将自动传播这些标签。此外,您可能需要手动向特定类型的资源添加用户标签,例如不是由 Amazon EMR 创建的 EC2 安全组。请参阅标记资源以使用托管式策略。
重要
Amazon EMR 使用此 Amazon EMR 服务角色和 AWSServiceRoleForEMRCleanup 角色来清理账户中不再使用的集群资源,例如 Amazon EC2 实例。您必须在角色策略包含删除或终止资源所需的操作。否则,Amazon EMR 将无法执行这些清理操作,并且集群上剩余的未使用资源可能会产生费用。
下面显示的是当前 AmazonEMRServicePolicy_v2 策略的内容。您还可以在 IAM 控制台上查看 AmazonEMRServicePolicy_v2
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateInTaggedNetwork", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", "ec2:RunInstances", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion" ], "Resource": [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:security-group/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateWithEMRTaggedLaunchTemplate", "Effect": "Allow", "Action": [ "ec2:CreateFleet", "ec2:RunInstances", "ec2:CreateLaunchTemplateVersion" ], "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateEMRTaggedLaunchTemplate", "Effect": "Allow", "Action": "ec2:CreateLaunchTemplate", "Resource": "arn:aws:ec2:*:*:launch-template/*", "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateEMRTaggedInstancesAndVolumes", "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:CreateFleet" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*" ], "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "ResourcesToLaunchEC2", "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:key-pair/*", "arn:aws:ec2:*:*:capacity-reservation/*", "arn:aws:ec2:*:*:placement-group/pg-*", "arn:aws:ec2:*:*:fleet/*", "arn:aws:ec2:*:*:dedicated-host/*", "arn:aws:resource-groups:*:*:group/*" ] }, { "Sid": "ManageEMRTaggedResources", "Effect": "Allow", "Action": [ "ec2:CreateLaunchTemplateVersion", "ec2:DeleteLaunchTemplate", "ec2:DeleteNetworkInterface", "ec2:ModifyInstanceAttribute", "ec2:TerminateInstances" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "ManageTagsOnEMRTaggedResources", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateNetworkInterfaceNeededForPrivateSubnet", "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*" ], "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "TagOnCreateTaggedEMRResources", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:launch-template/*" ], "Condition": { "StringEquals": { "ec2:CreateAction": [ "RunInstances", "CreateFleet", "CreateLaunchTemplate", "CreateNetworkInterface" ] } } }, { "Sid": "TagPlacementGroups", "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": [ "arn:aws:ec2:*:*:placement-group/pg-*" ] }, { "Sid": "ListActionsForEC2Resources", "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeCapacityReservations", "ec2:DescribeDhcpOptions", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeLaunchTemplates", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:DescribePlacementGroups", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVolumeStatus", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Sid": "CreateDefaultSecurityGroupWithEMRTags", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": [ "arn:aws:ec2:*:*:security-group/*" ], "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateDefaultSecurityGroupInVPCWithEMRTags", "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": [ "arn:aws:ec2:*:*:vpc/*" ], "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "TagOnCreateDefaultSecurityGroupWithEMRTags", "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true", "ec2:CreateAction": "CreateSecurityGroup" } } }, { "Sid": "ManageSecurityGroups", "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }, { "Sid": "CreateEMRPlacementGroups", "Effect": "Allow", "Action": [ "ec2:CreatePlacementGroup" ], "Resource": "arn:aws:ec2:*:*:placement-group/pg-*" }, { "Sid": "DeletePlacementGroups", "Effect": "Allow", "Action": [ "ec2:DeletePlacementGroup" ], "Resource": "*" }, { "Sid": "AutoScaling", "Effect": "Allow", "Action": [ "application-autoscaling:DeleteScalingPolicy", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:PutScalingPolicy", "application-autoscaling:RegisterScalableTarget" ], "Resource": "*" }, { "Sid": "ResourceGroupsForCapacityReservations", "Effect": "Allow", "Action": [ "resource-groups:ListGroupResources" ], "Resource": "*" }, { "Sid": "AutoScalingCloudWatch", "Effect": "Allow", "Action": [ "cloudwatch:PutMetricAlarm", "cloudwatch:DeleteAlarms", "cloudwatch:DescribeAlarms" ], "Resource": "arn:aws:cloudwatch:*:*:alarm:*_EMR_Auto_Scaling" }, { "Sid": "PassRoleForAutoScaling", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/EMR_AutoScaling_DefaultRole", "Condition": { "StringLike": { "iam:PassedToService": "application-autoscaling.amazonaws.com*" } } }, { "Sid": "PassRoleForEC2", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/EMR_EC2_DefaultRole", "Condition": { "StringLike": { "iam:PassedToService": "ec2.amazonaws.com*" } } } ] }
您的服务角色应该使用下面的信任策略。
重要
下面的信任策略包括 aws:SourceArn 和 aws:SourceAccount 全局条件密钥,该密钥将限制您为 Amazon EMR 授予的、针对您账户中特定资源的权限。使用这些策略可以防止混淆代理问题。
{ "Version": "2008-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "<account-id>" }, "ArnLike": { "aws:SourceArn": "arn:aws:elasticmapreduce:<region>:<account-id>:*" } } } ] }