Create a job execution role - Amazon EMR

Create a job execution role

To run workloads on Amazon EMR on EKS, you need to create an IAM role. We refer to this role as the job execution role in this documentation. For more information about how to create IAM roles, see Creating IAM roles in the IAM User Guide.

You must also create an IAM policy that specifies the permissions for the job execution role and then attach the IAM policy to the job execution role.

The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the Amazon CLI, you can also set up your role using the steps in the Create IAM Role for job execution section of the Amazon EMR on EKS Workshop.

Note

Access should be appropriately scoped, not granted to all S3 objects in the job execution role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}
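The scoping advice in the Note can be checked mechanically before a policy is attached to the job execution role. The following Python sketch is an added example, not part of the AWS documentation: `lint_policy`, its finding names, and the sample policies (bucket name, Region, account ID) are constructed for illustration, and only the S3 and CloudWatch Logs actions shown on this page are classified.

```python
# Added example: static scope check for a job execution role policy.
# Only the S3 and CloudWatch Logs actions used on this page are classified.
BUCKET_LEVEL = {"s3:ListBucket"}  # acts on the bucket; Get/PutObject act on objects

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, finding) pairs for over-broad or mismatched Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        # ARN layout: arn:partition:service:region:account:resource
        arns = [r.split(":", 5) for r in as_list(stmt.get("Resource", []))]
        if any(len(a) < 6 for a in arns):  # bare "*" or a malformed ARN
            findings.append((i, "resource-not-an-arn"))
            continue
        s3 = [a[5] for a in arns if a[2] == "s3"]
        if any(res.split("/", 1)[0] == "*" for res in s3):
            findings.append((i, "s3-all-buckets"))
        object_actions = [x for x in actions if x.startswith("s3:") and x not in BUCKET_LEVEL]
        if object_actions and not any("/" in res or res == "*" for res in s3):
            findings.append((i, "s3-object-action-without-object-arn"))
        if BUCKET_LEVEL & set(actions) and not any("/" not in res for res in s3):
            findings.append((i, "s3-bucket-action-without-bucket-arn"))
        if any(a[2] == "logs" and a[3:] == ["*", "*", "*"] for a in arns):
            findings.append((i, "logs-all-regions-and-accounts"))
    return findings

# Constructed sample policies (bucket name, Region and account ID are placeholders).
UNSCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
     "Resource": ["arn:aws:logs:*:*:*"]},
]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/jobs/*"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:*"},
]}

if __name__ == "__main__":
    for name, pol in (("UNSCOPED", UNSCOPED), ("SCOPED", SCOPED)):
        print(name, lint_policy(pol))
```

An empty result means none of these scope checks fired; it does not confirm that the policy grants everything the job needs.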

For more information, see Using job execution roles, Configure a job run to use S3 logs, and Configure a job run to use CloudWatch Logs.