Configure IAM service roles for Amazon EMR permissions to Amazon services and resources - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Configure IAM service roles for Amazon EMR permissions to Amazon services and resources

Amazon EMR and applications such as Hadoop and Spark need permissions to access other Amazon resources and perform actions when they run. Each cluster in Amazon EMR must have a service role and a role for the Amazon EC2 instance profile. For more information, see IAM roles and Using instance profiles in the IAM User Guide. The IAM policies attached to these roles provide permissions for the cluster to interoperate with other Amazon services on behalf of a user.

An additional role, the Auto Scaling role, is required if your cluster uses automatic scaling in Amazon EMR. The Amazon service role for EMR Notebooks is required if you use EMR Notebooks.

Amazon EMR provides default roles and default managed policies that determine permissions for each role. Managed policies are created and maintained by Amazon, so they are updated automatically if service requirements change. See Amazon managed policies in the IAM User Guide.

If you are creating a cluster or notebook for the first time in an account, roles for Amazon EMR do not yet exist. After you create them, you can view the roles, the policies attached to them, and the permissions allowed or denied by the policies in the IAM console (https://console.amazonaws.cn/iam/). You can specify default roles for Amazon EMR to create and use, you can create your own roles and specify them individually when you create a cluster to customize permissions, and you can specify default roles to be used when you create a cluster using the Amazon CLI. For more information, see Customize IAM roles with Amazon EMR.

Modifying identity-based policies for permissions to pass service roles for Amazon EMR

The Amazon EMR full-permissions default managed policies incorporate iam:PassRole security configurations, including the following:

  • iam:PassRole permissions only for specific default Amazon EMR roles.

  • iam:PassedToService conditions that allow you to use the policy with only specified Amazon services, such as elasticmapreduce.amazonaws.com and ec2.amazonaws.com.

You can view the JSON version of the AmazonEMRFullAccessPolicy_v2 and AmazonEMRServicePolicy_v2 policies in the IAM console. We recommend that you create new clusters with the v2 managed policies.

Service role summary

The following table lists the IAM service roles associated with Amazon EMR for quick reference.

Function Default role Description Default managed policy

Service role for Amazon EMR (EMR role)

EMR_DefaultRole_V2

Allows Amazon EMR to call other Amazon services on your behalf when provisioning resources and performing service-level actions. This role is required for all clusters.

AmazonEMRServicePolicy_v2

Important

A service-linked role is required to request Spot Instances. If this role doesn't exist, the Amazon EMR service role must have permission to create it or a permission error occurs. If you plan to request Spot Instances, you must update this policy to include a statement that allows the creation of this service-linked role. For more information, see Service role for Amazon EMR (EMR role) and Service-linked role for Spot Instance requests in the Amazon EC2 User Guide.

Service role for cluster EC2 instances (EC2 instance profile)

EMR_EC2_DefaultRole

Application processes that run on top of the Hadoop ecosystem on cluster instances use this role when they call other Amazon services. For accessing data in Amazon S3 using EMRFS, you can specify different roles to be assumed based on the location of data in Amazon S3. For example, multiple teams can access a single Amazon S3 data "storage account." For more information, see Configure IAM roles for EMRFS requests to Amazon S3. This role is required for all clusters.

AmazonElasticMapReduceforEC2Role. For more information, see Service role for cluster EC2 instances (EC2 instance profile).

Service role for automatic scaling in Amazon EMR (Auto Scaling role)

EMR_AutoScaling_DefaultRole

Allows additional actions for dynamically scaling environments. Required only for clusters that use automatic scaling in Amazon EMR. For more information, see Using automatic scaling with a custom policy for instance groups in Amazon EMR.

AmazonElasticMapReduceforAutoScalingRole. For more information, see Service role for automatic scaling in Amazon EMR (Auto Scaling role).

Service role for EMR Notebooks

EMR_Notebooks_DefaultRole

Provides permissions that an EMR notebook needs to access other Amazon resources and perform actions. Required only if EMR Notebooks is used.

AmazonElasticMapReduceEditorsRole. For more information, see Service role for EMR Notebooks.

S3FullAccessPolicy is also attached by default. Following is the contents of this policy.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] }

Service-Linked Role

AWSServiceRoleForEMRCleanup

Amazon EMR automatically creates a service-linked role. If the service for Amazon EMR has lost the ability to clean up Amazon EC2 resources, Amazon EMR can use this role to clean up. If a cluster uses Spot Instances, the permissions policy attached to the Service role for Amazon EMR (EMR role) must allow the creation of a service-linked role. For more information, see Using service-linked roles for Amazon EMR.

AmazonEMRCleanupPolicy