为 Amazon EC2 或 Amazon EKS 配置 EMR Studio 用户权限
您必须为 Amazon EMR Studio 配置用户权限策略,以便您能设置精细的用户和组权限。有关用户权限在 EMR Studio 中如何工作的信息,请参阅 Amazon EMR Studio 工作原理 中的 访问控制。
注意
本部分中介绍的权限不会强制执行数据访问控制。要管理对输入数据集的访问,您应该为 Studio 使用的集群配置权限。有关更多信息,请参阅Amazon EMR 中的安全性。
创建 IAM Identity Center 身份验证模式的 EMR Studio 用户角色
当您使用 IAM Identity Center 身份验证模式时,必须创建 EMR Studio 用户角色。
创建 EMR Studio 用户角色
-
按照《Amazon Identity and Access Management 用户指南》中的创建向Amazon服务委派权限的角色中的说明,创建用户角色。
在创建角色时,使用以下信任关系策略。
{ "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } -
删除默认角色权限和策略。
-
在将用户和组分配给 Studio 之前,应将您的 EMR Studio 会话策略附加到用户角色。有关如何创建会话策略的说明,请参阅 为 EMR Studio 用户创建权限策略。
为 EMR Studio 用户创建权限策略
完成以下步骤,为 EMR Studio 创建权限策略。
注意
要设置用于存储笔记本文件的 Amazon S3 访问权限,以及在将 Workspaces 链接到 Git 存储库时读取密钥的 Amazon Secrets Manager 访问权限,请使用 EMR Studio 服务角色。
-
创建一个或多个指定用户可在您的 Studio 中执行哪些操作的 IAM 权限策略。例如,您可以使用此页面上的示例策略为基本、中间和高级 Studio 用户创建三个独立策略。
EMR Studio 用户的 Amazon Identity and Access Management 权限表细分了用户可能执行的每个 Studio 运营,并列出了执行该运营所需的最低 IAM 操作。有关说明,请参阅创建 IAM policy。
您的权限策略必须包含以下语句。
{ "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect": "Allow", "Action": "secretsmanager:TagResource", "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect": "Allow" }设置 Workspace 协作的所有权
借助 Workspace 协作功能,多个用户可以在同一 Workspace 中同时工作,并且可以使用 Workspace UI 中的 Collaboration(协作)面板进行配置。要查看和使用 Collaboration(协作)面板,用户必须具有以下权限。任何拥有这些权限的用户都可以查看和使用 Collaboration(协作)面板。
"elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities"要限制对 Collaboration(协作)面板的访问权限,您可以使用基于标签的访问控制。当用户创建某个 Workspace 时,EMR Studio 会应用一个原定设置标签,标签键为
creatorUserId,标签值为创建该 WorkSpace 的用户的 ID。注意
对于在 2021 年 11 月 16 日之前创建的 WorkSpace,EMR Studio 并未添加
creatorUserId标签。要限制有权配置协作的用户,我们建议为您的 Workspace 手动添加creatorUserId标签,然后在用户权限策略中使用基于标签的访问控制。以下示例语句允许用户为任何具有标签键
creatorUserId并且标签值与该用户的 ID(由策略变量aws:userId指示)一致的 WorkSpace 配置协作。换言之,该语句允许用户为他们创建的 Workspace 配置协作。要详细了解策略变量,请参阅 IAM policy 元素:变量和标签。{ "Sid": "UserRolePermissionsForCollaboration", "Action": [ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}" } } } -
将权限策略附加到您的 IAM 身份。
下表总结了您将权限策略附加到的具体 IAM 身份,其取决于您的 EMR Studio 身份验证模式。有关如何附加策略的说明,请参阅添加和删除 IAM 身份权限。
如果您使用... 将策略附加到… IAM 身份验证 您的 IAM 身份(用户、用户组或角色)。例如,您可以将权限策略附加到 Amazon Web Services 账户中的用户。 与外部身份提供商 (IdP) 进行 IAM 联合身份验证 您为外部 IdP 创建的一个或多个 IAM 角色。例如,用于 SAML 2.0 联合身份验证的 IAM。
对于具有 Studio 联合访问权限的用户,EMR Studio 使用您附加到 IAM 单个或多个角色的权限。
IAM Identity Center 您的 Amazon EMR Studio 用户角色。
示例用户策略
以下基本用户策略允许大多数 EMR Studio 操作,但不允许用户创建新的 Amazon EMR 集群。
重要
该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅将用户或组分配到 EMR Studio。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags", "Effect":"Allow", "Action":[ "ec2:CreateSecurityGroup" ], "Resource":[ "arn:aws:ec2:*:*:vpc/*" ], "Condition":{ "StringEquals":{ "aws:ResourceTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingEMRTagsDuringDefaultSecurityGroupCreation", "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:security-group/*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true", "ec2:CreateAction":"CreateSecurityGroup" } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" } ] }
以下中间用户策略允许大多数 EMR Studio 操作,并允许用户使用集群模板创建新的 Amazon EMR 集群。
重要
该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅将用户或组分配到 EMR Studio。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" } ] }
以下高级用户策略允许所有 EMR Studio 操作,并允许用户使用集群模板或通过提供集群配置创建新的 Amazon EMR 集群。
重要
该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅将用户或组分配到 EMR Studio。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRCreateClusterAdvancedActions", "Action":[ "elasticmapreduce:RunJobFlow" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>", "arn:aws:iam::*:role/EMR_DefaultRole_V2", "arn:aws:iam::*:role/EMR_EC2_DefaultRole" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid" : "SageMakerDataWranglerForEMRStudio", "Effect" : "Allow", "Action" : [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:ListUserProfiles" ], "Resource":"*" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" } ] }
以下用户策略包含将 EMR Serverless 交互式应用程序与 EMR Studio Workspace 结合使用所需的最低用户权限。
此示例策略具有将 EMR Serverless 交互式应用程序与 EMR Studio 结合使用所需的用户权限,请将 serverless-runtime-role 和 emr-studio-service-role 的占位符分别替换为正确的 EMR Studio 服务角色 和 EMR Serverless 运行时系统角色。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowEMRBasicActions", "Action": [ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:UpdateStudio", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio", "elasticmapreduce:DeleteStudio", "elasticmapreduce:ListStudios", "elasticmapreduce:CreateStudioPresignedUrl" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/emr-studio-service-role", "Effect": "Allow" }, { "Sid": "AllowS3ListAndGetPermissions", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject" ], "Resource": "arn:aws:s3:::*", "Effect": "Allow" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid": "ListIAMRoles", "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" } ] }
EMR Studio 用户的 Amazon Identity and Access Management 权限
下表包括用户可能执行的每个 Amazon EMR Studio 运营,并列出了执行该运营所需的最低 IAM 操作。您允许在 IAM 权限策略(当您使用 IAM 身份验证时)或会话策略(当您使用 IAM Identity Center 身份验证时)中执行这些针对 EMR Studio 的操作。
该表还显示了 EMR Studio 的每个示例权限策略中允许的运营。有关示例权限策略的更多信息,请参阅 为 EMR Studio 用户创建权限策略。
| 操作 | 基本 | 中间 | 高级 | 关联操作 |
|---|---|---|---|---|
| 创建和删除 Workspaces | 是 | 是 | 是 |
|
| 查看协作面板、启用 Workspace 协作并添加协作者。有关更多信息,请参阅设置 Workspace 协作的所有权。 | 是 | 是 | 是 |
|
| 创建新 EMR 集群时查看与 Studio 相同账户中的 Amazon S3 Control 存储存储桶列表,并在使用 Web UI 调试应用程序时访问容器日志 | 是 | 是 | 是 |
|
| 访问 Workspaces | 是 | 是 | 是 |
|
| 附加或分离与 Workspace 关联的现有 Amazon EMR 集群 | 是 | 是 | 是 |
|
| 附加或分离 Amazon EMR on EKS 集群 | 是 | 是 | 是 |
|
| 附加或分离与 Workspace 关联的 EMR Serverless 应用程序 | 否 | 是 | 是 |
需要具有 |
| 使用持久的应用程序用户界面调试 Amazon EMR on EC2 任务 | 是 | 是 | 是 |
|
| 使用集群上应用程序用户界面调试 Amazon EMR on EC2 任务 | 是 | 是 | 是 |
|
| 使用 Spark 历史记录服务器调试 Amazon EMR on EKS 任务运行 | 是 | 是 | 是 |
|
| 创建和删除 Git 存储库 | 是 | 是 | 是 |
|
| 链接和取消链接 Git 存储库 | 是 | 是 | 是 |
|
| 根据预定义的集群模板创建新集群 | 否 | 是 | 是 |
|
| 通过提供集群配置创建新的集群 | 否 | 否 | 是 |
|
| 当您使用 IAM 身份验证模式时,应将用户分配给 Studio。有关更多信息,请参阅将用户或组分配到 EMR Studio。 | 否 | 否 | 否 |
|
| 描述网络对象。 | 是 | 是 | 是 |
|
| 列出 IAM 角色。 | 是 | 是 | 是 |
|
| 从 Amazon SageMaker Studio 连接到 EMR Studio,然后使用 Data Wrangler 可视化界面。 | 否 | 否 | 是 |
|