Use IAM roles with applications that call Amazon services directly - Amazon EMR

Use IAM roles with applications that call Amazon services directly

Applications running on the EC2 instances of a cluster can use the EC2 instance profile to obtain temporary security credentials when calling Amazon services.

The versions of Hadoop available with Amazon EMR release 2.3.0 and later have already been updated to make use of IAM roles. If your application runs strictly on top of the Hadoop architecture, and does not directly call any service in Amazon, it should work with IAM roles with no modification.

If your application calls services in Amazon directly, you need to update it to take advantage of IAM roles. This means that instead of reading long-lived account credentials from /etc/hadoop/conf/core-site.xml on the EC2 instances in the cluster, your application either uses an SDK, which picks up the instance profile's temporary credentials automatically, or calls the EC2 instance metadata service itself to obtain the temporary credentials.

To access Amazon resources with IAM roles using an SDK
To obtain temporary credentials from EC2 instance metadata
  • Call the following URL from an EC2 instance that is running with the specified IAM role, which returns the associated temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken, and Expiration). The following example uses the default instance profile for Amazon EMR, EMR_EC2_DefaultRole.

    GET http://169.254.169.254/latest/meta-data/iam/security-credentials/EMR_EC2_DefaultRole

For more information about writing applications that use IAM roles, see Granting applications that run on Amazon EC2 instances access to Amazon resources.

For more information about temporary security credentials, see Using temporary security credentials in the Using Temporary Security Credentials guide.