本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 创建和管理 EMR Studio 所需的管理员权限
创建 EMR Studio 所需的管理员权限
本页所描述的 IAM 权限允许您创建和管理 EMR Studio。有关每个所需权限的详细信息,请参阅[管理 EMR Studio 所需的权限](#emr-studio-admin-permissions-table)。
## 管理 EMR Studio 所需的权限
下表列出了与创建和管理 EMR Studio 相关的运营。该表还显示了每个运营所需的权限。
**注意**
您在使用 IAM Identity Center 身份验证模式时只需要 IAM Identity Center 和 Studio `SessionMapping` 操作。
**创建和管理 EMR Studio 所需的管理员权限**
| 操作 | Permissions |
| --- | --- |
| 创建 Studio | "elasticmapreduce:CreateStudio",
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:PutApplicationAccessScope",
"sso:PutApplicationAssignmentConfiguration",
"iam:PassRole"
|
| 描述 Studio | "elasticmapreduce:DescribeStudio",
"sso:GetManagedApplicationInstance"
|
| 列出 Studios | "elasticmapreduce:ListStudios"
|
| 删除 Studio | "elasticmapreduce:DeleteStudio",
"sso:DeleteApplication",
"sso:DeleteApplicationAuthenticationMethod",
"sso:DeleteApplicationAccessScope",
"sso:DeleteApplicationGrant"
|
| Additional permissions required when you use IAM Identity Center mode |
| 将用户或组分配给 Studio | "elasticmapreduce:CreateStudioSessionMapping",
"sso:GetProfile",
"sso:ListDirectoryAssociations",
"sso:ListProfiles",
"sso:AssociateProfile",
"sso-directory:SearchUsers",
"sso-directory:SearchGroups",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso:ListInstances",
"sso:CreateApplicationAssignment",
"sso:DescribeInstance",
"organizations:DescribeOrganization",
"organizations:ListDelegatedAdministrators",
"sso:CreateInstance",
"sso:DescribeRegisteredRegions",
"sso:GetSharedSsoConfiguration",
"iam:ListPolicies"
|
| 请检索特定用户或组的 Studio 分配详细信息 | "sso-directory:SearchUsers",
"sso-directory:SearchGroups",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso:DescribeApplication",
"elasticmapreduce:GetStudioSessionMapping"
|
| 列出分配给 Studio 的所有用户和组 | "elasticmapreduce:ListStudioSessionMappings"
|
| 更新附加到分配给 Studio 的用户或组的会话策略 | "sso-directory:SearchUsers",
"sso-directory:SearchGroups",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso:DescribeApplication",
"sso:DescribeInstance",
"elasticmapreduce:UpdateStudioSessionMapping"
|
| 从 Studio 中删除用户或组 | "elasticmapreduce:DeleteStudioSessionMapping",
"sso-directory:SearchUsers",
"sso-directory:SearchGroups",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso:ListDirectoryAssociations",
"sso:GetProfile",
"sso:DescribeApplication",
"sso:DescribeInstance",
"sso:ListProfiles",
"sso:DisassociateProfile",
"sso:DeleteApplicationAssignment",
"sso:ListApplicationAssignments"
|
**创建具有 EMR Studio 管理员权限的策略**
1. 按照[创建 IAM policy](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_create.html)中的说明使用以下任一示例创建策略。您需要的权限取决于您的 [EMR Studio 身份验证模式](emr-studio-authentication.md)。
为这些项插入您自己的值:
+ 替换*`` *以指定声明针对您的用例涵盖的一个或多个对象的 Amazon 资源名称 (ARN)。
+ **替换为你计划在 Amazon Web Services 区域 哪里创建 Studio 的代码。
+ **替换为工作室 Amazon 账户的 ID。
+ [将**和**替换为您的 EM [R Studio 服务角色和 EMR Studio 用户角色](emr-studio-service-role.md)的名称。](emr-studio-user-permissions.md#emr-studio-create-user-role)
**Example 示例策略:您使用 IAM 身份验证模式时的管理员权限**
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:elasticmapreduce:*:123456789012:studio/*"
],
"Action": [
"elasticmapreduce:CreateStudio",
"elasticmapreduce:DescribeStudio",
"elasticmapreduce:DeleteStudio"
],
"Sid": "AllowELASTICMAPREDUCECreatestudio"
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"elasticmapreduce:ListStudios"
],
"Sid": "AllowELASTICMAPREDUCEListstudios"
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:iam::123456789012:role/EMRStudioServiceRole"
],
"Action": [
"iam:PassRole"
],
"Sid": "AllowIAMPassrole"
}
]
}
```
------
**Example 示例策略:您使用 IAM Identity Center 身份验证模式时的管理员权限**
**注意**
身份中心和身份中心目录 APIs 不支持在 IAM 策略声明的资源元素中指定 ARN。要允许访问 IAM Identity Center 和 IAM Identity Center 目录,以下权限为 IAM Identity Center 操作指定所有资源 "Resource":"\$1"。有关更多信息,请参阅 [IAM Identity Center 目录的操作、资源和条件键](https://docs.amazonaws.cn/service-authorization/latest/reference/list_awsssodirectory.html#awsssodirectory-actions-as-permissions)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"arn:aws:elasticmapreduce:*:123456789012:studio/*"
],
"Action": [
"elasticmapreduce:CreateStudio",
"elasticmapreduce:DescribeStudio",
"elasticmapreduce:DeleteStudio",
"elasticmapreduce:CreateStudioSessionMapping",
"elasticmapreduce:GetStudioSessionMapping",
"elasticmapreduce:UpdateStudioSessionMapping",
"elasticmapreduce:DeleteStudioSessionMapping"
],
"Sid": "AllowELASTICMAPREDUCECreatestudio"
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"elasticmapreduce:ListStudios",
"elasticmapreduce:ListStudioSessionMappings"
],
"Sid": "AllowELASTICMAPREDUCEListstudios"
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:iam::123456789012:role/EMRStudio-SvcRole",
"arn:aws:iam::123456789012:role/EMRStudio-User-Role"
],
"Action": [
"iam:PassRole"
],
"Sid": "AllowIAMPassrole"
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"sso:CreateApplication",
"sso:PutApplicationAuthenticationMethod",
"sso:PutApplicationGrant",
"sso:PutApplicationAccessScope",
"sso:PutApplicationAssignmentConfiguration",
"sso:DescribeApplication",
"sso:DeleteApplication",
"sso:DeleteApplicationAuthenticationMethod",
"sso:DeleteApplicationAccessScope",
"sso:DeleteApplicationGrant",
"sso:ListInstances",
"sso:CreateApplicationAssignment",
"sso:DeleteApplicationAssignment",
"sso:ListApplicationAssignments",
"sso:DescribeInstance",
"sso:AssociateProfile",
"sso:DisassociateProfile",
"sso:GetProfile",
"sso:ListDirectoryAssociations",
"sso:ListProfiles",
"sso-directory:SearchUsers",
"sso-directory:SearchGroups",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"organizations:DescribeOrganization",
"organizations:ListDelegatedAdministrators",
"sso:CreateInstance",
"sso:DescribeRegisteredRegions",
"sso:GetSharedSsoConfiguration",
"iam:ListPolicies"
],
"Sid": "AllowSSOCreateapplication"
}
]
}
```
------
1. 将该策略附加到您的 IAM 身份(用户、角色或组)。有关说明,请参阅[添加和删除 IAM 身份权限](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。