Create a job execution role

To run workloads on Amazon EMR on EKS, you need to create an IAM role. We refer to this role as the job execution role in this documentation. For more information about how to create IAM roles, see Creating IAM roles in the IAM user Guide.

You must also create an IAM policy that specifies the permissions for the job execution role and then attach the IAM policy to the job execution role.

The following policy for the job execution role allows access to resource targets, Amazon S3, and CloudWatch. These permissions are necessary to monitor jobs and access logs. To follow the same process using the Amazon CLI, you can also set up your role using the steps in the Create IAM Role for job execution section of the Amazon EMR on EKS Workshop.

Note

Access should be appropriately scoped, not granted to all S3 objects in the job execution role.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::example-bucket"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:DescribeLogGroups",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:*:*"
            ]
        }
    ]
}

For more information, see Using job execution roles, Configure a job run to use S3 logs, and Configure a job run to use CloudWatch Logs.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Enable IAM Roles for Service Accounts (IRSA) on the EKS cluster

Update the trust policy of the job execution role