Job runtime roles - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Job runtime roles

You can specify an IAM role that an EMR Serverless job run assumes when it calls other Amazon services on your behalf. The permissions policies attached to that role determine what the job can reach: Amazon S3 buckets used as data sources and targets, as well as other Amazon resources such as Amazon Redshift clusters and DynamoDB tables. To learn more about how to create a role, see Create a job runtime role.

Sample runtime policies

You can attach a runtime policy like the following to a job runtime role. This particular job runtime policy allows:

  • Read access to the Amazon S3 buckets that hold the EMR samples (bucket names ending in .elasticmapreduce).

  • Full read, write, and delete access to one S3 bucket (DOC-EXAMPLE-BUCKET in the example).

  • Create and read access to the Amazon Glue Data Catalog, plus update and delete access to tables. The Glue statement uses Resource "*", so it applies to every catalog, database, and table in the account; scope it to specific database and table ARNs where the job's inputs and outputs are known.

To add access to other Amazon resources like DynamoDB, you need to include permissions for them in the policy when you create the runtime role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAccessForEMRSamples",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::*.elasticmapreduce",
        "arn:aws:s3:::*.elasticmapreduce/*"
      ]
    },
    {
      "Sid": "FullAccessToS3Bucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    },
    {
      "Sid": "GlueCreateAndReadDataCatalog",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:CreateDatabase",
        "glue:GetDatabases",
        "glue:CreateTable",
        "glue:GetTable",
        "glue:UpdateTable",
        "glue:DeleteTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:CreatePartition",
        "glue:BatchCreatePartition",
        "glue:GetUserDefinedFunctions"
      ],
      "Resource": ["*"]
    }
  ]
}
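The sample policy above grants the Glue actions on Resource "*". The following added example (it is not part of the EMR Serverless documentation) builds the same runtime policy with the Glue statement scoped to one database in one account and Region, and includes a small check that reports any Allow statement still using a wildcard resource. The bucket name, account ID, Region, and database name are placeholders.

```python
"""Build an EMR Serverless job runtime policy scoped to one bucket and one Glue database.

Added example, not from the EMR Serverless documentation. The bucket name,
account ID, Region and database name passed in are placeholders.
"""
import json

# Glue actions from the sample policy. Glue ARN formats used below:
#   arn:aws:glue:REGION:ACCOUNT:catalog
#   arn:aws:glue:REGION:ACCOUNT:database/DB
#   arn:aws:glue:REGION:ACCOUNT:table/DB/TABLE
GLUE_ACTIONS = [
    "glue:GetDatabase", "glue:CreateDatabase", "glue:GetDatabases",
    "glue:CreateTable", "glue:GetTable", "glue:UpdateTable", "glue:DeleteTable",
    "glue:GetTables", "glue:GetPartition", "glue:GetPartitions",
    "glue:CreatePartition", "glue:BatchCreatePartition",
    "glue:GetUserDefinedFunctions",
]


def build_runtime_policy(bucket, account_id, region, database):
    """Return the runtime policy as a dict, with Glue access limited to `database`."""
    catalog = f"arn:aws:glue:{region}:{account_id}:catalog"
    db_arn = f"arn:aws:glue:{region}:{account_id}:database/{database}"
    table_arn = f"arn:aws:glue:{region}:{account_id}:table/{database}/*"
    # Many Data Catalog actions are evaluated against the catalog ARN as well
    # as the database/table ARN, so all three are listed.
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadAccessForEMRSamples",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    "arn:aws:s3:::*.elasticmapreduce",
                    "arn:aws:s3:::*.elasticmapreduce/*",
                ],
            },
            {
                "Sid": "FullAccessToS3Bucket",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject",
                           "s3:ListBucket", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            },
            {
                "Sid": "GlueScopedToOneDatabase",
                "Effect": "Allow",
                "Action": GLUE_ACTIONS,
                "Resource": [catalog, db_arn, table_arn],
            },
        ],
    }


def wildcard_resource_sids(policy):
    """Return the Sids of Allow statements whose Resource list contains '*'."""
    found = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


if __name__ == "__main__":
    # Placeholder inputs; substitute your own bucket, account, Region and database.
    policy = build_runtime_policy("DOC-EXAMPLE-BUCKET", "123456789012", "us-east-1", "sales")
    print(json.dumps(policy, indent=2))
    print("statements with Resource '*':", wildcard_resource_sids(policy))
```

Run the generated JSON through the usual path (save it to a file and attach it to the runtime role with the IAM console or CLI); if the job also writes to other databases, add their database and table ARNs rather than falling back to "*".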

Pass role privileges

You can attach an IAM permissions policy to the IAM user or role that submits jobs so that it can pass only approved roles. This lets administrators control which principals can pass specific job runtime roles to EMR Serverless jobs. To learn more about setting permissions, see Granting a user permissions to pass a role to an Amazon service.

The following is an example policy that allows passing a job runtime role to the EMR Serverless service principal. Keep the Resource limited to the specific runtime role ARNs and keep the iam:PassedToService condition: iam:PassRole with a wildcard Resource and no condition lets the principal hand any role in the account to any service.

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::123456789012:role/JobRuntimeRoleForEMRServerless",
  "Condition": {
    "StringLike": {
      "iam:PassedToService": "emr-serverless.amazonaws.com"
    }
  }
}
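The following added example (not from the EMR Serverless documentation) checks an iam:PassRole statement for the two properties the policy above relies on: the Resource names specific role ARNs rather than a wildcard, and an iam:PassedToService condition pins the target to emr-serverless.amazonaws.com. The two statements it runs against are constructed for illustration; the role ARN uses a placeholder account ID.

```python
"""Check that an iam:PassRole statement is scoped to specific roles and to EMR Serverless.

Added example, not from the EMR Serverless documentation. GOOD and BAD are
constructed statements; the account ID in the role ARN is a placeholder.
"""

EMR_SERVERLESS_PRINCIPAL = "emr-serverless.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_pass_role(statement, expected_service=EMR_SERVERLESS_PRINCIPAL):
    """Return a list of findings for an Allow iam:PassRole statement.

    An empty list means the statement is acceptable. Statements that do not
    grant iam:PassRole (directly or via iam:* / *) produce no findings.
    """
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
        return findings

    # Each Resource must be one role ARN; any wildcard widens what can be passed.
    for res in _as_list(statement.get("Resource", [])):
        if "*" in res or ":role/" not in res:
            findings.append(f"Resource {res!r} is not a single role ARN")

    # Collect iam:PassedToService values from StringEquals / StringLike blocks.
    services = []
    for op, block in statement.get("Condition", {}).items():
        if op not in ("StringEquals", "StringLike"):
            continue
        for key, val in block.items():
            if key.lower() == "iam:passedtoservice":
                services.extend(_as_list(val))
    if not services:
        findings.append("missing iam:PassedToService condition; "
                        "the role could be passed to any service")
    for svc in services:
        if svc != expected_service:
            findings.append(f"iam:PassedToService allows {svc!r}, "
                            f"expected {expected_service!r}")
    return findings


# Constructed sample: the shape of the policy shown on this page.
GOOD = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/JobRuntimeRoleForEMRServerless",
    "Condition": {"StringLike": {"iam:PassedToService": EMR_SERVERLESS_PRINCIPAL}},
}

# Constructed sample: unscoped PassRole, which lets the principal pass any role anywhere.
BAD = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "*",
}


if __name__ == "__main__":
    for name, stmt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pass_role(stmt) or "ok")
```

Run it over every statement in the policies attached to the principals that call StartJobRun; the condition check deliberately treats a StringLike pattern other than the exact service principal as a finding, because a pattern such as "*.amazonaws.com" would allow the role to be passed to other services.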