Allow users and groups to create and modify roles - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Allow users and groups to create and modify roles

IAM principals (users and groups) who create, modify, and specify roles for a cluster, including default roles, must be allowed to perform the following actions. For details about each action, see Actions in the IAM API Reference.

  • iam:CreateRole

  • iam:PutRolePolicy

  • iam:CreateInstanceProfile

  • iam:AddRoleToInstanceProfile

  • iam:ListRoles

  • iam:GetPolicy

  • iam:GetInstanceProfile

  • iam:GetPolicyVersion

  • iam:AttachRolePolicy

  • iam:PassRole

The iam:PassRole permission allows cluster creation. The remaining permissions allow the creation of the default roles.

For information about assigning permissions to an IAM user, see Changing permissions for an IAM user in the IAM User Guide.