Configure EMR Studio user permissions for Amazon EC2 or Amazon EKS
You must configure user permissions policies for Amazon EMR Studio so that you can set fine-grained user and group permissions. For information about how user permissions work in EMR Studio, see Access control in How Amazon EMR Studio works.
Note
The permissions described in this section do not enforce data access control. To manage access to input datasets, configure permissions for the clusters that your Studio uses. For more information, see Security in Amazon EMR.
Create an EMR Studio user role for IAM Identity Center authentication mode
When you use IAM Identity Center authentication mode, you must create an EMR Studio user role.
To create an EMR Studio user role
1. Follow the instructions in Creating a role to delegate permissions to an Amazon service in the Amazon Identity and Access Management User Guide to create the user role.
   When you create the role, use the following trust relationship policy.

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "elasticmapreduce.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetContext"
      ]
    }
  ]
}
```

2. Remove the default role permissions and policies.
3. Attach your EMR Studio session policy to the user role before you assign users and groups to the Studio. For instructions on how to create a session policy, see Create permissions policies for EMR Studio users.
Create permissions policies for EMR Studio users
To create permissions policies for EMR Studio, see the following sections.
Note
To set up Amazon S3 access for storing notebook files, and Amazon Secrets Manager access for reading secrets when you link Workspaces to Git repositories, use the EMR Studio service role.
Create permissions policies
Create one or more IAM permissions policies that specify which actions users can perform in your Studio. For example, you can use the example policies on this page to create three separate policies for basic, intermediate, and advanced Studio user types.
For a breakdown of each Studio operation a user might perform and the minimum IAM actions required for each, see Amazon Identity and Access Management permissions for EMR Studio users. For steps to create a policy, see Creating IAM policies in the IAM User Guide.
Your permissions policy must include the following statements.

```json
{
  "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
  "Effect": "Allow",
  "Action": "secretsmanager:TagResource",
  "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
},
{
  "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
  "Action": "iam:PassRole",
  "Resource": [
    "arn:aws:iam::*:role/your-emr-studio-service-role"
  ],
  "Effect": "Allow"
}
```
Set ownership for Workspace collaboration
With Workspace collaboration, multiple users can work in the same Workspace at the same time, and the feature is configured from the Collaboration panel in the Workspace UI. To see and use the Collaboration panel, a user must have the following permissions. Any user who has these permissions can see and use the Collaboration panel.

```
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
```

To restrict access to the Collaboration panel, you can use tag-based access control. When a user creates a Workspace, EMR Studio applies a default tag with the key creatorUserId and a value equal to the ID of the user who created the Workspace.
Note
EMR Studio adds the creatorUserId tag to Workspaces created after November 16, 2021. To restrict who can configure collaboration for Workspaces created before that date, we recommend that you manually add the creatorUserId tag to those Workspaces and then use tag-based access control in your user permissions policy.
The following example statement lets a user configure collaboration for any Workspace that has the tag key creatorUserId with a tag value that matches the user's ID (indicated by the policy variable aws:userId). In other words, the statement lets users configure collaboration only for the Workspaces they created. To learn more about policy variables, see IAM policy elements: Variables and tags in the IAM User Guide.

```json
{
  "Sid": "UserRolePermissionsForCollaboration",
  "Action": [
    "elasticmapreduce:UpdateEditor",
    "elasticmapreduce:PutWorkspaceAccess",
    "elasticmapreduce:DeleteWorkspaceAccess",
    "elasticmapreduce:ListWorkspaceAccessIdentities"
  ],
  "Resource": "*",
  "Effect": "Allow",
  "Condition": {
    "StringEquals": {
      "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}"
    }
  }
}
```
Create user-level Git secret policies
Use user-level permissions
EMR Studio automatically adds the for-use-with-amazon-emr-managed-user-policies tag when it creates a Git secret. To control access to Git secrets at the user level, add a tag-based permission for secretsmanager:GetSecretValue to the EMR Studio user role policy, as shown in the following section, Convert service-level permissions to user-level permissions.
If your EMR Studio service role policy already grants secretsmanager:GetSecretValue, you should remove that permission.
Convert service-level permissions to user-level permissions
Note
The for-use-with-amazon-emr-managed-user-policies tag ensures that the permission in step 1 below grants the creator of a Workspace access to the Git secret. However, if you linked a Git repository before September 1, 2023, access to the corresponding Git secrets is denied, because the for-use-with-amazon-emr-managed-user-policies tag was not applied to them. To apply user-level permissions, you must recreate the old secrets from JupyterLab and then link the corresponding Git repositories again.
For more information about policy variables, see IAM policy elements: Variables and tags in the IAM User Guide.
1. Add the following permission to the EMR Studio user role policy. It uses the tag key for-use-with-amazon-emr-managed-user-policies and the value "${aws:userid}".

```json
{
  "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
  "Effect": "Allow",
  "Action": "secretsmanager:GetSecretValue",
  "Resource": "arn:aws:secretsmanager:*:*:secret:*",
  "Condition": {
    "StringEquals": {
      "secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}"
    }
  }
}
```

2. If the following permission exists in the EMR Studio service role policy, remove it. Because the service role policy applies to all secrets defined by every user, you only need to do this once.

```json
{
  "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
  "Effect": "Allow",
  "Action": [
    "secretsmanager:GetSecretValue"
  ],
  "Resource": "arn:aws:secretsmanager:*:*:secret:*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
    }
  }
}
```
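The following Python is an added example, not AWS code or any part of this page: a toy evaluator that shows how the creatorUserId condition from the collaboration section and the for-use-with-amazon-emr-managed-user-policies condition from step 1 narrow access to the Workspace or secret creator, while the service-level statement from step 2 admits any user. The identities, ARNs and tag values are constructed placeholders, and the evaluator models only the subset of IAM semantics these statements use.

```python
"""Added example (not AWS code): a toy evaluator for the tag-based conditions
on this page. It models only Allow statements, Action/Resource matching with
'*', StringEquals on resource tags and ${aws:userid} substitution."""
import fnmatch
import re

VAR_RE = re.compile(r"\$\{(aws:[A-Za-z]+)\}")

def expand_vars(value, request_ctx):
    """Substitute ${aws:...} policy variables from the request context. Lookup is
    case-insensitive here, so the page's ${aws:userid} and ${aws:userId} behave alike."""
    ctx = {k.lower(): v for k, v in request_ctx.items()}
    return VAR_RE.sub(lambda m: ctx.get(m.group(1).lower(), ""), value)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statement_allows(stmt, action, resource_arn, resource_tags, request_ctx):
    """True if one Allow statement matches the action, the resource ARN and every
    StringEquals tag condition after variable expansion; unknown keys fail closed."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if "ResourceTag/" not in key:  # only resource-tag conditions are modelled
            return False
        tag = key.split("ResourceTag/", 1)[1]  # 'elasticmapreduce:ResourceTag/x' -> 'x'
        if resource_tags.get(tag) != expand_vars(expected, request_ctx):
            return False
    return True

def allowed_users(stmt, action, resource_arn, resource_tags, user_ids):
    """Subset of user_ids for whom the statement allows the action on the resource."""
    return [u for u in user_ids
            if statement_allows(stmt, action, resource_arn, resource_tags, {"aws:userid": u})]

# Statements taken from this page (only whitespace changed).
COLLAB = {  # collaboration section: only the Workspace creator may configure it
    "Effect": "Allow", "Resource": "*",
    "Action": ["elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess",
               "elasticmapreduce:DeleteWorkspaceAccess",
               "elasticmapreduce:ListWorkspaceAccessIdentities"],
    "Condition": {"StringEquals": {"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}"}},
}
USER_LEVEL_SECRET = {  # step 1: user-level Git secret permission on the user role
    "Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
    "Resource": "arn:aws:secretsmanager:*:*:secret:*",
    "Condition": {"StringEquals": {
        "secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}"}},
}
SERVICE_LEVEL_SECRET = {  # step 2: the service role statement the page says to remove
    "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:*:*:secret:*",
    "Condition": {"StringEquals": {"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"}},
}

# Constructed identities, ARNs and tags (placeholders, not real AWS values).
ALICE, BOB = "AIDAEXAMPLEALICE", "AIDAEXAMPLEBOB"
WORKSPACE_ARN = "arn:aws:elasticmapreduce:us-east-1:111122223333:editor/e-EXAMPLE"
WORKSPACE_TAGS = {"creatorUserId": ALICE}  # the default tag EMR Studio applies
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:emr-studio-git-EXAMPLE"
NEW_SECRET_TAGS = {"for-use-with-amazon-emr-managed-policies": "true",
                   "for-use-with-amazon-emr-managed-user-policies": ALICE}
OLD_SECRET_TAGS = {"for-use-with-amazon-emr-managed-policies": "true"}  # linked before 2023-09-01
```

Running allowed_users with USER_LEVEL_SECRET against OLD_SECRET_TAGS returns nobody, which is the denial the note above describes for secrets linked before September 1, 2023.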
To use service-level permissions
As of September 1, 2023, EMR Studio automatically adds the for-use-with-amazon-emr-managed-user-policies tag, which is used for user-level access control. Because this is a new capability, you can continue to use the service-level access provided by the GetSecretValue permission in the EMR Studio service role.
For secrets created before September 1, 2023, EMR Studio did not add the for-use-with-amazon-emr-managed-user-policies tag. To keep using service-level permissions, simply keep your existing EMR Studio service role and user role permissions. However, to restrict who can access an individual secret, we recommend that you follow the steps in Use user-level permissions to manually add the for-use-with-amazon-emr-managed-user-policies tag to the secret and then use tag-based access control in your user permissions policy.
For more information about policy variables, see IAM policy elements: Variables and tags in the IAM User Guide.
Attach the permissions policy to your IAM identity
The following table summarizes which IAM identity you attach the permissions policy to, depending on your EMR Studio authentication mode. For instructions on how to attach a policy, see Adding and removing IAM identity permissions.

If you use... | Attach the policy to... |
---|---|
IAM authentication | Your IAM identities (users, user groups, or roles). For example, you can attach the permissions policy to a user in your Amazon Web Services account. |
IAM federation with an external identity provider (IdP) | The IAM role or roles that you created for your external IdP, for example IAM roles for SAML 2.0 federation. For users with federated access to a Studio, EMR Studio uses the permissions attached to those IAM roles. |
IAM Identity Center | Your Amazon EMR Studio user role. |
Example user policies
The following basic user policy allows most EMR Studio actions but does not let a user create new Amazon EMR clusters.
Important
This example policy does not include the CreateStudioPresignedUrl permission, which you must allow for a user when you use IAM authentication mode. For more information, see Assign a user or group to an EMR Studio.
This example policy includes Condition elements that enforce tag-based access control (TBAC) so that you can use the policy with the example service role for EMR Studio. For more information, see Create an EMR Studio service role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:vpc/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
        }
      }
    },
    {
      "Sid": "AllowAddingEMRTagsDuringDefaultSecurityGroupCreation",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true",
          "ec2:CreateAction": "CreateSecurityGroup"
        }
      }
    },
    {
      "Sid": "AllowSecretManagerListSecrets",
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
        }
      }
    },
    {
      "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:TagResource",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
    },
    {
      "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/<your-emr-studio-service-role>"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ListAndLocationPermissions",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ReadOnlyAccessToLogs",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowConfigurationForWorkspaceCollaboration",
      "Action": [
        "elasticmapreduce:UpdateEditor",
        "elasticmapreduce:PutWorkspaceAccess",
        "elasticmapreduce:DeleteWorkspaceAccess",
        "elasticmapreduce:ListWorkspaceAccessIdentities"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
        }
      }
    },
    {
      "Sid": "DescribeNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIAMRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
The following intermediate user policy allows most EMR Studio actions and lets a user create new Amazon EMR clusters from cluster templates.
Important
This example policy does not include the CreateStudioPresignedUrl permission, which you must allow for a user when you use IAM authentication mode. For more information, see Assign a user or group to an EMR Studio.
This example policy includes Condition elements that enforce tag-based access control (TBAC) so that you can use the policy with the example service role for EMR Studio. For more information, see Create an EMR Studio service role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEMRBasicActions",
      "Action": [
        "elasticmapreduce:CreateEditor",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:StartEditor",
        "elasticmapreduce:StopEditor",
        "elasticmapreduce:DeleteEditor",
        "elasticmapreduce:OpenEditorInConsole",
        "elasticmapreduce:AttachEditor",
        "elasticmapreduce:DetachEditor",
        "elasticmapreduce:CreateRepository",
        "elasticmapreduce:DescribeRepository",
        "elasticmapreduce:DeleteRepository",
        "elasticmapreduce:ListRepositories",
        "elasticmapreduce:LinkRepository",
        "elasticmapreduce:UnlinkRepository",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:GetPersistentAppUIPresignedURL",
        "elasticmapreduce:GetOnClusterAppUIPresignedURL"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEMRContainersBasicActions",
      "Action": [
        "emr-containers:DescribeVirtualCluster",
        "emr-containers:ListVirtualClusters",
        "emr-containers:DescribeManagedEndpoint",
        "emr-containers:ListManagedEndpoints",
        "emr-containers:DescribeJobRun",
        "emr-containers:ListJobRuns"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowRetrievingManagedEndpointCredentials",
      "Effect": "Allow",
      "Action": [
        "emr-containers:GetManagedEndpointSessionCredentials"
      ],
      "Resource": [
        "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>"
      ],
      "Condition": {
        "StringEquals": {
          "emr-containers:ExecutionRoleArn": [
            "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>"
          ]
        }
      }
    },
    {
      "Sid": "AllowSecretManagerListSecrets",
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
        }
      }
    },
    {
      "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:TagResource",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
    },
    {
      "Sid": "AllowClusterTemplateRelatedIntermediateActions",
      "Action": [
        "servicecatalog:DescribeProduct",
        "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters",
        "servicecatalog:ProvisionProduct",
        "servicecatalog:SearchProducts",
        "servicecatalog:UpdateProvisionedProduct",
        "servicecatalog:ListProvisioningArtifacts",
        "servicecatalog:ListLaunchPaths",
        "servicecatalog:DescribeRecord",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/<your-emr-studio-service-role>"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ListAndLocationPermissions",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ReadOnlyAccessToLogs",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowConfigurationForWorkspaceCollaboration",
      "Action": [
        "elasticmapreduce:UpdateEditor",
        "elasticmapreduce:PutWorkspaceAccess",
        "elasticmapreduce:DeleteWorkspaceAccess",
        "elasticmapreduce:ListWorkspaceAccessIdentities"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
        }
      }
    },
    {
      "Sid": "DescribeNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIAMRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServerlessActions",
      "Action": [
        "emr-serverless:CreateApplication",
        "emr-serverless:UpdateApplication",
        "emr-serverless:DeleteApplication",
        "emr-serverless:ListApplications",
        "emr-serverless:GetApplication",
        "emr-serverless:StartApplication",
        "emr-serverless:StopApplication",
        "emr-serverless:StartJobRun",
        "emr-serverless:CancelJobRun",
        "emr-serverless:ListJobRuns",
        "emr-serverless:GetJobRun",
        "emr-serverless:GetDashboardForJobRun",
        "emr-serverless:AccessInteractiveEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/serverless-runtime-role",
      "Effect": "Allow"
    }
  ]
}
```
The following advanced user policy allows all EMR Studio actions and lets a user create new Amazon EMR clusters either from cluster templates or by providing a cluster configuration.
Important
This example policy does not include the CreateStudioPresignedUrl permission, which you must allow for a user when you use IAM authentication mode. For more information, see Assign a user or group to an EMR Studio.
This example policy includes Condition elements that enforce tag-based access control (TBAC) so that you can use the policy with the example service role for EMR Studio. For more information, see Create an EMR Studio service role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEMRBasicActions",
      "Action": [
        "elasticmapreduce:CreateEditor",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:StartEditor",
        "elasticmapreduce:StopEditor",
        "elasticmapreduce:DeleteEditor",
        "elasticmapreduce:OpenEditorInConsole",
        "elasticmapreduce:AttachEditor",
        "elasticmapreduce:DetachEditor",
        "elasticmapreduce:CreateRepository",
        "elasticmapreduce:DescribeRepository",
        "elasticmapreduce:DeleteRepository",
        "elasticmapreduce:ListRepositories",
        "elasticmapreduce:LinkRepository",
        "elasticmapreduce:UnlinkRepository",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:GetPersistentAppUIPresignedURL",
        "elasticmapreduce:GetOnClusterAppUIPresignedURL"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEMRContainersBasicActions",
      "Action": [
        "emr-containers:DescribeVirtualCluster",
        "emr-containers:ListVirtualClusters",
        "emr-containers:DescribeManagedEndpoint",
        "emr-containers:ListManagedEndpoints",
        "emr-containers:DescribeJobRun",
        "emr-containers:ListJobRuns"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowRetrievingManagedEndpointCredentials",
      "Effect": "Allow",
      "Action": [
        "emr-containers:GetManagedEndpointSessionCredentials"
      ],
      "Resource": [
        "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>"
      ],
      "Condition": {
        "StringEquals": {
          "emr-containers:ExecutionRoleArn": [
            "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>"
          ]
        }
      }
    },
    {
      "Sid": "AllowSecretManagerListSecrets",
      "Action": [
        "secretsmanager:ListSecrets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:CreateSecret",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
        }
      }
    },
    {
      "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
      "Effect": "Allow",
      "Action": "secretsmanager:TagResource",
      "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
    },
    {
      "Sid": "AllowClusterTemplateRelatedIntermediateActions",
      "Action": [
        "servicecatalog:DescribeProduct",
        "servicecatalog:DescribeProductView",
        "servicecatalog:DescribeProvisioningParameters",
        "servicecatalog:ProvisionProduct",
        "servicecatalog:SearchProducts",
        "servicecatalog:UpdateProvisionedProduct",
        "servicecatalog:ListProvisioningArtifacts",
        "servicecatalog:ListLaunchPaths",
        "servicecatalog:DescribeRecord",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEMRCreateClusterAdvancedActions",
      "Action": [
        "elasticmapreduce:RunJobFlow"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::*:role/<your-emr-studio-service-role>",
        "arn:aws:iam::*:role/EMR_DefaultRole_V2",
        "arn:aws:iam::*:role/EMR_EC2_DefaultRole"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ListAndLocationPermissions",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ReadOnlyAccessToLogs",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowConfigurationForWorkspaceCollaboration",
      "Action": [
        "elasticmapreduce:UpdateEditor",
        "elasticmapreduce:PutWorkspaceAccess",
        "elasticmapreduce:DeleteWorkspaceAccess",
        "elasticmapreduce:ListWorkspaceAccessIdentities"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
        }
      }
    },
    {
      "Sid": "SageMakerDataWranglerForEMRStudio",
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreatePresignedDomainUrl",
        "sagemaker:DescribeDomain",
        "sagemaker:ListDomains",
        "sagemaker:ListUserProfiles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIAMRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowServerlessActions",
      "Action": [
        "emr-serverless:CreateApplication",
        "emr-serverless:UpdateApplication",
        "emr-serverless:DeleteApplication",
        "emr-serverless:ListApplications",
        "emr-serverless:GetApplication",
        "emr-serverless:StartApplication",
        "emr-serverless:StopApplication",
        "emr-serverless:StartJobRun",
        "emr-serverless:CancelJobRun",
        "emr-serverless:ListJobRuns",
        "emr-serverless:GetJobRun",
        "emr-serverless:GetDashboardForJobRun",
        "emr-serverless:AccessInteractiveEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/serverless-runtime-role",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowCodeWhisperer",
      "Effect": "Allow",
      "Action": [
        "codewhisperer:GenerateRecommendations"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAthenaSQL",
      "Action": [
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryRuntimeStatistics",
        "athena:GetQueryResults",
        "athena:ListQueryExecutions",
        "athena:BatchGetQueryExecution",
        "athena:GetNamedQuery",
        "athena:ListNamedQueries",
        "athena:BatchGetNamedQuery",
        "athena:UpdateNamedQuery",
        "athena:DeleteNamedQuery",
        "athena:ListDataCatalogs",
        "athena:GetDataCatalog",
        "athena:ListDatabases",
        "athena:GetDatabase",
        "athena:ListTableMetadata",
        "athena:GetTableMetadata",
        "athena:ListWorkGroups",
        "athena:GetWorkGroup",
        "athena:CreateNamedQuery",
        "athena:GetPreparedStatement",
        "glue:CreateDatabase",
        "glue:DeleteDatabase",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:UpdateDatabase",
        "glue:CreateTable",
        "glue:DeleteTable",
        "glue:BatchDeleteTable",
        "glue:UpdateTable",
        "glue:GetTable",
        "glue:GetTables",
        "glue:BatchCreatePartition",
        "glue:CreatePartition",
        "glue:DeletePartition",
        "glue:BatchDeletePartition",
        "glue:UpdatePartition",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "kms:ListAliases",
        "kms:ListKeys",
        "kms:DescribeKey",
        "lakeformation:GetDataAccess",
        "s3:GetBucketLocation",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:PutObject",
        "s3:PutBucketPublicAccessBlock",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
The following user policy contains the minimum user permissions required to use EMR Serverless interactive applications with an EMR Studio Workspace.
This example policy has the user permissions required to use EMR Serverless interactive applications with EMR Studio. Replace the serverless-runtime-role and emr-studio-service-role placeholders with your EMR Serverless runtime role and your EMR Studio service role, respectively.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServerlessActions",
      "Action": [
        "emr-serverless:CreateApplication",
        "emr-serverless:UpdateApplication",
        "emr-serverless:DeleteApplication",
        "emr-serverless:ListApplications",
        "emr-serverless:GetApplication",
        "emr-serverless:StartApplication",
        "emr-serverless:StopApplication",
        "emr-serverless:StartJobRun",
        "emr-serverless:CancelJobRun",
        "emr-serverless:ListJobRuns",
        "emr-serverless:GetJobRun",
        "emr-serverless:GetDashboardForJobRun",
        "emr-serverless:AccessInteractiveEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowEMRBasicActions",
      "Action": [
        "elasticmapreduce:CreateEditor",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:UpdateStudio",
        "elasticmapreduce:StartEditor",
        "elasticmapreduce:StopEditor",
        "elasticmapreduce:DeleteEditor",
        "elasticmapreduce:OpenEditorInConsole",
        "elasticmapreduce:AttachEditor",
        "elasticmapreduce:DetachEditor",
        "elasticmapreduce:CreateStudio",
        "elasticmapreduce:DescribeStudio",
        "elasticmapreduce:DeleteStudio",
        "elasticmapreduce:ListStudios",
        "elasticmapreduce:CreateStudioPresignedUrl"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/serverless-runtime-role",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowPassingServiceRoleForWorkspaceCreation",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::*:role/emr-studio-service-role",
      "Effect": "Allow"
    },
    {
      "Sid": "AllowS3ListAndGetPermissions",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*",
      "Effect": "Allow"
    },
    {
      "Sid": "DescribeNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ListIAMRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
Amazon Identity and Access Management permissions for EMR Studio users
The following table lists each Amazon EMR Studio operation a user might perform and the minimum IAM actions required to perform it. You allow these actions for EMR Studio in your IAM permissions policy (when you use IAM authentication) or in your user role session policy (when you use IAM Identity Center authentication).
The table also shows which operations each example permissions policy for EMR Studio allows. For more information about the example permissions policies, see Create permissions policies for EMR Studio users.

Operation | Basic | Intermediate | Advanced | Associated actions |
---|---|---|---|---|
Create and delete Workspaces | Yes | Yes | Yes | |
View the Collaboration panel, enable Workspace collaboration, and add collaborators. For more information, see Set ownership for Workspace collaboration. | Yes | Yes | Yes | |
View the list of Amazon S3 buckets in the same account as the Studio when creating a new EMR cluster, and access container logs when debugging applications with a web UI | Yes | Yes | Yes | |
Access Workspaces | Yes | Yes | Yes | |
Attach or detach existing Amazon EMR clusters associated with a Workspace | Yes | Yes | Yes | |
Attach or detach Amazon EMR on EKS clusters | Yes | Yes | Yes | |
Attach or detach an EMR Serverless application associated with a Workspace | No | Yes | Yes | Requires |
Debug Amazon EMR on EC2 jobs with persistent application user interfaces | Yes | Yes | Yes | |
Debug Amazon EMR on EC2 jobs with on-cluster application user interfaces | Yes | Yes | Yes | |
Debug Amazon EMR on EKS job runs with the Spark History Server | Yes | Yes | Yes | |
Create and delete Git repositories | Yes | Yes | Yes | |
Link and unlink Git repositories | Yes | Yes | Yes | |
Create a new cluster from a predefined cluster template | No | Yes | Yes | |
Create a new cluster by providing a cluster configuration | No | No | Yes | |
Assign users to a Studio when you use IAM authentication mode | No | No | No | |
Describe network objects | Yes | Yes | Yes | |
List IAM roles | Yes | Yes | Yes | |
Connect to EMR Studio from Amazon SageMaker Studio and use the Data Wrangler visual interface | No | No | Yes | |
Use Amazon CodeWhisperer in your EMR Studio | No | No | Yes | |
Access the Amazon Athena SQL editor from EMR Studio. This list might not include every permission needed to use all Athena features; for the latest list, see the Athena full access policy. | No | No | Yes | |