为 Amazon EC2 或 Amazon EKS 配置 EMR Studio 用户权限 - Amazon EMR
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

为 Amazon EC2 或 Amazon EKS 配置 EMR Studio 用户权限

您必须为 Amazon EMR Studio 配置用户权限策略,以便您能设置精细的用户和组权限。有关用户权限在 EMR Studio 中如何工作的信息,请参阅 Amazon EMR Studio 工作原理 中的 访问控制

注意

本部分中介绍的权限不会强制执行数据访问控制。要管理对输入数据集的访问,您应该为 Studio 使用的集群配置权限。有关更多信息,请参阅 Amazon EMR 中的安全性

创建 IAM Identity Center 身份验证模式的 EMR Studio 用户角色

当您使用 IAM Identity Center 身份验证模式时,必须创建 EMR Studio 用户角色。

创建 EMR Studio 用户角色
  1. 按照《Amazon Identity and Access Management 用户指南》中的创建向Amazon服务委派权限的角色中的说明,创建用户角色。

    在创建角色时,使用以下信任关系策略。

    { "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ] } ] }
  2. 删除默认角色权限和策略。

  3. 在将用户和组分配给 Studio 之前,将您的 EMR Studio 会话策略附加到用户角色。有关如何创建会话策略的说明,请参阅 为 EMR Studio 用户创建权限策略

为 EMR Studio 用户创建权限策略

要为 EMR Studio 创建权限策略,请参阅下面各部分。

注意

要设置用于存储笔记本文件的 Amazon S3 访问权限,以及在将 Workspaces 链接到 Git 存储库时设置读取密钥的 Amazon Secrets Manager 访问权限,请使用 EMR Studio 服务角色。

创建权限策略

创建一个或多个指定用户可在您的 Studio 中执行哪些操作的 IAM 权限策略。例如,您可以使用此页面上的示例策略为基本中间高级 Studio 用户类型创建三个独立策略。

关于用户可能执行的每个 Studio 操作的细分情况,以及执行每个操作所需的最低 IAM 操作,请参阅 EMR Studio 用户的 Amazon Identity and Access Management 权限。有关创建策略的步骤,请参阅《IAM 用户指南》中的创建 IAM policy

您的权限策略必须包含以下语句。

{ "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect": "Allow", "Action": "secretsmanager:TagResource", "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/your-emr-studio-service-role" ], "Effect": "Allow" }

设置 Workspace 协作的所有权

借助 Workspace 协作功能,多个用户可以在同一 Workspace 中同时工作,并且可以使用 Workspace UI 中的 Collaboration(协作)面板进行配置。要查看和使用 Collaboration(协作)面板,用户必须具有以下权限。任何拥有这些权限的用户都可以查看和使用 Collaboration(协作)面板。

"elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities"

要限制对 Collaboration(协作)面板的访问权限,您可以使用基于标签的访问控制。当用户创建某个 Workspace 时,EMR Studio 会应用一个原定设置标签,标签键为 creatorUserId,标签值为创建该 WorkSpace 的用户的 ID。

注意

EMR Studio 将 creatorUserId 标签添加到 2021 年 11 月 16 日后创建的 Workspaces。要限制谁可以为此日期前创建的工作区配置协作,我们建议为您的工作区手动添加 creatorUserId 标签,然后在用户权限策略中使用基于标签的访问控制。

以下示例语句允许用户为任何具有标签键 creatorUserId 并且标签值与该用户的 ID(由策略变量 aws:userId 指示)一致的 WorkSpace 配置协作。换言之,该语句允许用户为他们创建的 Workspace 配置协作。要详细了解策略变量,请参阅《IAM 用户指南》中的 IAM policy 元素:变量和标签

{ "Sid": "UserRolePermissionsForCollaboration", "Action": [ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}" } } }

创建用户级的 Git 密钥策略

要使用用户级权限

EMR Studio 在创建 Git 密钥时会自动添加 for-use-with-amazon-emr-managed-user-policies 标签。如果要在用户级别控制对 Git 密钥的访问,请使用下面的 要从服务级别权限过渡到用户级别权限 部分中显示的 secretsmanager:GetSecretValue 将基于标签的权限添加到 EMR Studio 用户角色策略

如果您在 EMR Studio 服务角色策略中拥有对 secretsmanager:GetSecretValue 的现有权限,则应移除这些权限。

要从服务级别权限过渡到用户级别权限

注意

for-use-with-amazon-emr-managed-user-policies 标签可确保以下步骤 1 中的权限授予工作空间创建者访问 Git 密钥的权限。但是,如果您在 2023 年 9 月 1 日之前链接 Git 存储库,则相应的 Git 密钥将被拒绝访问,因为它们没有应用 for-use-with-amazon-emr-managed-user-policies 标签。要应用用户级权限,必须从中重新创建旧密钥 JupyterLab 并重新链接相应的 Git 存储库。

有关策略变量的更多信息,请参阅《IAM 用户指南》中的 IAM policy 元素:变量和标签

  1. 将以下权限添加到 EMR Studio 用户角色策略中。它使用带有值 "${aws:userid}"for-use-with-amazon-emr-managed-user-policies 密钥。

    { "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}" } } }
  2. 如果存在,请从 EMR Studio 服务角色策略中移除以下权限。由于服务角色策略适用于每个用户定义的所有密钥,您只需执行一次即可。

    { "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }

要使用服务级别权限

自 2023 年 9 月 1 日起,EMR Studio 会自动添加用于用户级访问控制的 for-use-with-amazon-emr-managed-user-policies 标签。由于这是一项附加功能,您可以继续使用通过 EMR Studio 服务角色中的 GetSecretValue 权限提供的服务级别访问权限。

对于 2023 年 9 月 1 日之前创建的密钥,EMR Studio 没有添加 for-use-with-amazon-emr-managed-user-policies 标签。要保持使用服务级别权限,只需保留现有的 EMR Studio 服务角色和用户角色权限即可。但是,要限制谁可以访问个人密钥,我们建议您按照 要使用用户级权限 中的步骤手动添加 for-use-with-amazon-emr-managed-user-policies 标签到密钥中,然后在用户权限策略中使用基于标签的访问控制。

有关策略变量的更多信息,请参阅《IAM 用户指南》中的 IAM policy 元素:变量和标签

将权限策略附加到您的 IAM 身份

下表总结了您将权限策略附加到的具体 IAM 身份,其取决于您的 EMR Studio 身份验证模式。有关如何附加策略的说明,请参阅添加和删除 IAM 身份权限

如果您使用... 将策略附加到…
IAM 身份验证 您的 IAM 身份(用户、用户组或角色)。例如,您可以将权限策略附加到 Amazon Web Services 账户中的用户。
与外部身份提供商 (IdP) 进行 IAM 联合身份验证

您为外部 IdP 创建的一个或多个 IAM 角色。例如,用于 SAML 2.0 联合身份验证的 IAM。

对于具有 Studio 联合访问权限的用户,EMR Studio 使用您附加到 IAM 单个或多个角色的权限。

IAM Identity Center 您的 Amazon EMR Studio 用户角色。

示例用户策略

以下基本用户策略允许大多数 EMR Studio 操作,但不允许用户创建新的 Amazon EMR 集群。

重要

该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或组分配到 EMR Studio

该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 创建 EMR Studio 服务角色

{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags", "Effect":"Allow", "Action":[ "ec2:CreateSecurityGroup" ], "Resource":[ "arn:aws:ec2:*:*:vpc/*" ], "Condition":{ "StringEquals":{ "aws:ResourceTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingEMRTagsDuringDefaultSecurityGroupCreation", "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:security-group/*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true", "ec2:CreateAction":"CreateSecurityGroup" } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" } ] }

以下中间用户策略允许大多数 EMR Studio 操作,并允许用户使用集群模板创建新的 Amazon EMR 集群。

重要

该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或组分配到 EMR Studio

该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 创建 EMR Studio 服务角色

{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" } ] }

以下高级用户策略允许所有 EMR Studio 操作,并允许用户使用集群模板或通过提供集群配置创建新的 Amazon EMR 集群。

重要

该示例策略不包括 CreateStudioPresignedUrl 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或组分配到 EMR Studio

该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 Condition 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 创建 EMR Studio 服务角色

{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRCreateClusterAdvancedActions", "Action":[ "elasticmapreduce:RunJobFlow" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>", "arn:aws:iam::*:role/EMR_DefaultRole_V2", "arn:aws:iam::*:role/EMR_EC2_DefaultRole" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid" : "SageMakerDataWranglerForEMRStudio", "Effect" : "Allow", "Action" : [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:ListUserProfiles" ], "Resource":"*" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" }, { "Sid": "AllowCodeWhisperer", "Effect": "Allow", "Action": [ "codewhisperer:GenerateRecommendations" ], "Resource": "*" }, { "Sid": "AllowAthenaSQL", "Action": [ "athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryRuntimeStatistics", "athena:GetQueryResults", "athena:ListQueryExecutions", "athena:BatchGetQueryExecution", "athena:GetNamedQuery", "athena:ListNamedQueries", "athena:BatchGetNamedQuery", "athena:UpdateNamedQuery", "athena:DeleteNamedQuery", "athena:ListDataCatalogs", "athena:GetDataCatalog", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata", "athena:ListWorkGroups", "athena:GetWorkGroup", "athena:CreateNamedQuery", "athena:GetPreparedStatement", "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable", "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition", "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition", "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition", "kms:ListAliases", "kms:ListKeys", "kms:DescribeKey", "lakeformation:GetDataAccess", "s3:GetBucketLocation", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:PutObject", "s3:PutBucketPublicAccessBlock", "s3:ListAllMyBuckets" ], "Resource": "*", "Effect": "Allow" } ] }

以下用户策略包含将 EMR Serverless 交互式应用程序与 EMR Studio Workspace 结合使用所需的最低用户权限。

在此示例策略中,使用 EMR Studio 拥有 EMR Serverless 交互式应用程序的用户权限,emr-studio-service-role请将和的占位符替换为正确的 EMR Stu dio 服务角色和 serverless-runtime-roleEMR 无服务器运行时角色。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowEMRBasicActions", "Action": [ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:UpdateStudio", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio", "elasticmapreduce:DeleteStudio", "elasticmapreduce:ListStudios", "elasticmapreduce:CreateStudioPresignedUrl" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/emr-studio-service-role", "Effect": "Allow" }, { "Sid": "AllowS3ListAndGetPermissions", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject" ], "Resource": "arn:aws:s3:::*", "Effect": "Allow" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid": "ListIAMRoles", "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" } ] }

EMR Studio 用户的 Amazon Identity and Access Management 权限

下表包括用户可能执行的每个 Amazon EMR Studio 运营,并列出了执行该运营所需的最低 IAM 操作。您允许在 IAM 权限策略(当您使用 IAM 身份验证时)或用户角色会话策略(当您使用 IAM Identity Center 身份验证时)中执行这些针对 EMR Studio 的操作。

该表还显示了 EMR Studio 的每个示例权限策略中允许的运营。有关示例权限策略的更多信息,请参阅 为 EMR Studio 用户创建权限策略

操作 基本 中间 高级 关联操作
创建和删除 Workspaces
"elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:DeleteEditor"
查看协作面板、启用 Workspace 协作并添加协作者。有关更多信息,请参阅设置 Workspace 协作的所有权
"elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities"
创建新 EMR 集群时查看与 Studio 相同账户中的 Amazon S3 Control 存储存储桶列表,并在使用 Web UI 调试应用程序时访问容器日志
"s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"
访问 Workspaces
"elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:OpenEditorInConsole"
附加或分离与 Workspace 关联的现有 Amazon EMR 集群
"elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:ListClusters", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions"
附加或分离 Amazon EMR on EKS 集群
"elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "emr-containers:ListVirtualClusters", "emr-containers:DescribeVirtualCluster", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeManagedEndpoint", "emr-containers:GetManagedEndpointSessionCredentials"
附加或分离与 Workspace 关联的 EMR Serverless 应用程序
"elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:ListApplications", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints", "iam:PassRole"

需要具有 PassRole 权限才能传递 EMR Serverless 作业运行时系统角色。有关更多信息,请参阅《Amazon EMR Serverless 用户指南》中的 Job runtime roles

使用持久的应用程序用户界面调试 Amazon EMR on EC2 任务
"elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:DescribeCluster", "s3:ListBucket", "s3:GetObject"
使用集群上应用程序用户界面调试 Amazon EMR on EC2 任务
"elasticmapreduce:GetOnClusterAppUIPresignedURL"
使用 Spark 历史记录服务器调试 Amazon EMR on EKS 任务运行
"elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "emr-containers:ListVirtualClusters", "emr-containers:DescribeVirtualCluster", "emr-containers:ListJobRuns", "emr-containers:DescribeJobRun", "s3:ListBucket", "s3:GetObject"
创建和删除 Git 存储库
"elasticmapreduce:CreateRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:DescribeRepository", "secretsmanager:CreateSecret", "secretsmanager:ListSecrets", "secretsmanager:TagResource"
链接和取消链接 Git 存储库
"elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:DescribeRepository"
根据预定义的集群模板创建新集群
"servicecatalog:SearchProducts", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:DescribeRecord", "servicecatalog:ListLaunchPaths", "cloudformation:DescribeStackResources", "elasticmapreduce:ListClusters", "elasticmapreduce:DescribeCluster"
请提供集群配置以创建新集群。
"elasticmapreduce:RunJobFlow", "iam:PassRole", "elasticmapreduce:ListClusters", "elasticmapreduce:DescribeCluster"
当您使用 IAM 身份验证模式时,将用户分配给 Studio。
"elasticmapreduce:CreateStudioPresignedUrl"
描述网络对象。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DescribeNetwork", "Effect": "Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" } ] }
列出 IAM 角色。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListIAMRoles", "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" } ] }
从 Amazon Studio 连接到 EMR Studi SageMaker o 并使用 Data Wrangler 可视化界面。
"sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:ListUserProfiles"
CodeWhisperer 在您的 EMR Studio 中使用亚马逊。
"codewhisperer:GenerateRecommendations"
从 EMR Studio 访问 Amazon Athena SQL 编辑器。此列表可能不包括使用所有 Athena 功能所需的所有权限。要了解更多 up-to-date 列表,请参阅 Athena 完全访问政策。
"athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryRuntimeStatistics", "athena:GetQueryResults", "athena:ListQueryExecutions", "athena:BatchGetQueryExecution", "athena:GetNamedQuery", "athena:ListNamedQueries", "athena:BatchGetNamedQuery", "athena:UpdateNamedQuery", "athena:DeleteNamedQuery", "athena:ListDataCatalogs", "athena:GetDataCatalog", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata", "athena:ListWorkGroups", "athena:GetWorkGroup", "athena:CreateNamedQuery", "athena:GetPreparedStatement", "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable", "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition", "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition", "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition", "kms:ListAliases", "kms:ListKeys", "kms:DescribeKey", "lakeformation:GetDataAccess", "s3:GetBucketLocation", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:PutObject", "s3:PutBucketPublicAccessBlock", "s3:ListAllMyBuckets"