创建和管理 EMR Studio 的管理员权限 - Amazon EMR
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

创建和管理 EMR Studio 的管理员权限

此页面上描述的IAM权限允许您创建和管理 EMR Studio。有关每个所需权限的详细信息,请参阅管理工作EMR室所需的权限

管理工作EMR室所需的权限

下表列出了与创建和管理 EMR Studio 相关的操作。该表还显示了每个运营所需的权限。

注意

使用IAM身份中心身份验证模式时,您只需要IAM身份中心和 Studio SessionMapping 操作。

创建和管理EMR工作室的权限
操作 权限
创建 Studio
"elasticmapreduce:CreateStudio", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration", "iam:PassRole"
描述 Studio
"elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"
列出 Studios
"elasticmapreduce:ListStudios"
删除 Studio
"elasticmapreduce:DeleteStudio", "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant"
Additional permissions required when you use IAM Identity Center mode

将用户或组分配给 Studio

"elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListInstances", "sso:CreateApplicationAssignment", "sso:DescribeInstance", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "sso:CreateInstance", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies"

请检索特定用户或组的 Studio 分配详细信息

"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "elasticmapreduce:GetStudioSessionMapping"
列出分配给 Studio 的所有用户和组
"elasticmapreduce:ListStudioSessionMappings"
更新附加到分配给 Studio 的用户或组的会话策略
"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "sso:DescribeInstance", "elasticmapreduce:UpdateStudioSessionMapping"
从 Studio 中删除用户或组
"elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:DescribeApplication", "sso:DescribeInstance", "sso:ListProfiles", "sso:DisassociateProfile", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments"
为 EMR Studio 创建具有管理员权限的策略
  1. 按照创建IAM策略中的说明使用以下示例之一创建策略。您需要的权限取决于您的 EMRStudio 身份验证模式

    为这些项插入您自己的值:

    • 替换<your-resource-ARN> 以指定声明针对您的用例涵盖的一个或多个对象的 Amazon 资源名称 (ARN)。

    • <region>替换为你计划在 Amazon Web Services 区域 哪里创建 Studio 的代码。

    • <aws-account_id>替换为工作室 Amazon 账户的 ID。

    • <EMRStudio-Service-Role><EMRStudio-User-Role>替换为您的 EMRStudio 服务角色和 EMR Stu dio 用户角色的名称。

    例 示例策略:您使用 IAM 身份验证模式时的管理员权限
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*", "Action": [ "elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio", "elasticmapreduce:DeleteStudio" ] }, { "Effect": "Allow", "Resource": "<your-resource-ARN>", "Action": [ "elasticmapreduce:ListStudios" ] }, { "Effect": "Allow", "Resource": [ "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>" ], "Action": "iam:PassRole" } ] }
    例 策略示例:使用IAM身份中心身份验证模式时的管理员权限
    注意

    Identity Center 和 Identity Center 目录APIs不支持ARN在IAM策略声明的资源元素中指定。为了允许访问IAM身份中心和IAM身份中心目录,以下权限为IAM身份中心操作指定了所有资源,即 “资源”: “*”。有关更多信息,请参阅 Identity C enter Director IAM y 的操作、资源和条件键

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*", "Action": [ "elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio", "elasticmapreduce:DeleteStudio", "elasticmapreduce:CreateStudioSessionMapping", "elasticmapreduce:GetStudioSessionMapping", "elasticmapreduce:UpdateStudioSessionMapping", "elasticmapreduce:DeleteStudioSessionMapping" ] }, { "Effect": "Allow", "Resource": "<your-resource-ARN>", "Action": [ "elasticmapreduce:ListStudios", "elasticmapreduce:ListStudioSessionMappings" ] }, { "Effect": "Allow", "Resource": [ "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>", "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>" ], "Action": "iam:PassRole" }, { "Effect": "Allow", "Resource": "*", "Action": [ "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration", "sso:DescribeApplication", "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant", "sso:ListInstances", "sso:CreateApplicationAssignment", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments", "sso:DescribeInstance", "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "sso:CreateInstance", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies" ] } ] }
  2. 将策略附加到您的IAM身份(用户、角色或群组)。有关说明,请参阅添加和删除 IAM 身份权限