Permissions required to create and manage an EMR Studio - Amazon EMR

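Permissions required to create and manage an EMR Studio

About the required EMR Studio permissions

The permissions described on this page allow you to create and manage EMR Studios. Make sure that you have these permissions before you create an Amazon EMR Studio. For details about each required permission, see Permissions required to manage an EMR Studio.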

Prerequisites

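To add the required administrative permissions for EMR Studio, you need the following:

  • The Amazon account designated for your EMR Studio.

  • An IAM identity (user, role, or group) in that designated Amazon account to which you want to grant EMR Studio administrative permissions.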

Instructions

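  1. Follow the instructions in Creating IAM policies to create a policy using one of the following examples. The permissions you need depend on your authentication mode for Amazon EMR Studio.

    Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the Amazon Region where you plan to create the Studio.

    • Replace <aws-account-id> with the ID of the Amazon account for the Studio.

    • Replace <EMRStudio-Service-Role> and <EMRStudio-User-Role> with the names of your EMR Studio service role and EMR Studio user role.

    Example: Administrator permissions when you use IAM authentication mode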

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
                ],
                "Action": "iam:PassRole"
            }
        ]
    }

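    Example: Administrator permissions when you use Amazon Web Services SSO authentication mode

    Note

    The Amazon Web Services SSO and Amazon Web Services SSO Directory APIs do not support specifying an ARN in the resource element of an IAM policy statement. To allow access to Amazon Web Services SSO and Amazon Web Services SSO Directory, the following permissions specify all resources, "Resource":"*", for the Amazon Web Services SSO actions. For more information, see Actions, resources, and condition keys for Amazon Web Services SSO Directory.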

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio",
                    "elasticmapreduce:CreateStudioSessionMapping",
                    "elasticmapreduce:GetStudioSessionMapping",
                    "elasticmapreduce:UpdateStudioSessionMapping",
                    "elasticmapreduce:DeleteStudioSessionMapping"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios",
                    "elasticmapreduce:ListStudioSessionMappings"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
                ],
                "Action": "iam:PassRole"
            },
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sso:CreateManagedApplicationInstance",
                    "sso:GetManagedApplicationInstance",
                    "sso:DeleteManagedApplicationInstance",
                    "sso:AssociateProfile",
                    "sso:DisassociateProfile",
                    "sso:GetProfile",
                    "sso:ListDirectoryAssociations",
                    "sso:ListProfiles",
                    "sso-directory:SearchUsers",
                    "sso-directory:SearchGroups",
                    "sso-directory:DescribeUser",
                    "sso-directory:DescribeGroup"
                ]
            }
        ]
    }

  2. Attach the policy to your designated IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.
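
An added example, not part of the AWS documentation: a check to run on a policy document before attaching it. It flags leftover placeholders, "Resource": "*" on anything other than the SSO and SSO Directory actions, and iam:PassRole that is not pinned to a named role. The function names, sample policies, account ID, Region, and role name are constructed for illustration.

```python
import fnmatch
import re

# Per the note above, only SSO and SSO Directory actions need "Resource": "*".
WILDCARD_OK = ("sso:", "sso-directory:")
PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. <region>, <your-resource-ARN>

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return least-privilege findings for an EMR Studio admin policy (dict)."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        passes_role = any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions)
        for res in as_list(stmt.get("Resource", [])):
            if PLACEHOLDER.search(res):
                findings.append(f"stmt {i}: unreplaced placeholder in {res}")
            elif res == "*":
                broad = [a for a in actions if not a.startswith(WILDCARD_OK)]
                if broad:
                    findings.append(f"stmt {i}: Resource '*' for {', '.join(broad)}")
            elif passes_role and (":role/" not in res or "*" in res.split(":role/", 1)[1]):
                findings.append(f"stmt {i}: iam:PassRole not pinned to a named role: {res}")
    return findings

# Constructed sample values: the account ID, Region and role name are made up.
ACCT, REGION = "111122223333", "us-east-1"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticmapreduce:CreateStudio"],
     "Resource": f"arn:aws:elasticmapreduce:{REGION}:{ACCT}:studio/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": [f"arn:aws:iam::{ACCT}:role/ExampleStudioServiceRole"]},
    {"Effect": "Allow", "Action": ["sso:GetProfile", "sso-directory:SearchUsers"],
     "Resource": "*"},
]}
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticmapreduce:ListStudios"],
     "Resource": "<your-resource-ARN>"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "sso:GetProfile"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": f"arn:aws:iam::{ACCT}:role/*"},
]}

if __name__ == "__main__":
    print({"scoped": audit_policy(SCOPED), "loose": audit_policy(LOOSE)})
```
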

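Permissions required to manage an EMR Studio

The following table lists the operations related to creating and managing an EMR Studio. The table also shows the permissions required for each operation.

Note

You only need the Amazon Web Services SSO and Studio SessionMapping actions when you use Amazon Web Services SSO authentication mode.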

| Operation | Permissions |
| --- | --- |
| Create a Studio | "elasticmapreduce:CreateStudio", "sso:CreateManagedApplicationInstance", "iam:PassRole" |
| Describe a Studio | "elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance" |
| List Studios | "elasticmapreduce:ListStudios" |
| Delete a Studio | "elasticmapreduce:DeleteStudio", "sso:DeleteManagedApplicationInstance" |
| Additional permissions required when you use Amazon Web Services SSO mode | |
| Assign users or groups to a Studio | "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup" |
| Retrieve Studio assignment details for a specific user or group | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:GetStudioSessionMapping" |
| List all users and groups assigned to a Studio | "elasticmapreduce:ListStudioSessionMappings" |
| Update the session policy attached to a user or group assigned to a Studio | "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:GetManagedApplicationInstance", "elasticmapreduce:UpdateStudioSessionMapping" |
| Remove a user or group from a Studio | "elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:GetManagedApplicationInstance", "sso:ListProfiles", "sso:DisassociateProfile" |