Integrate Amazon EMR with Amazon IAM Identity Center - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Integrate Amazon EMR with Amazon IAM Identity Center

With Amazon EMR releases 6.15.0 and higher, you can use identities from Amazon IAM Identity Center to authenticate with an Amazon EMR cluster. The following sections provide a conceptual overview, the prerequisites, and the steps required to launch an EMR cluster with Identity Center integration.

Overview

Identity Center is the recommended approach for workforce authentication and authorization on Amazon for organizations of any size and type. With Identity Center, you can create and manage user identities in Amazon, or connect your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, and Microsoft Entra ID (formerly Azure AD).

Trusted identity propagation is an Amazon IAM Identity Center feature that administrators of connected Amazon Web Services services can use to grant and audit access to service data. Access to this data is based on user attributes such as group associations. Setting up trusted identity propagation requires collaboration between the administrators of connected Amazon Web Services services and the IAM Identity Center administrators. For more information, see Prerequisites and considerations.

Features and benefits

The Amazon EMR integration with IAM Identity Center provides the following benefits:

  • Amazon EMR provides credentials that relay your Identity Center identity to an EMR cluster.

  • Amazon EMR configures all supported applications to authenticate with the cluster credentials.

  • Amazon EMR configures and maintains the security of the supported applications with the Kerberos protocol; no commands or scripts are required from you.

  • You can enforce Amazon S3 prefix-level authorization for Identity Center identities on S3 prefixes managed by S3 Access Grants.

  • You can enforce table-level authorization for Identity Center identities on Amazon Glue tables managed by Amazon Lake Formation.
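The integration is switched on through an EMR security configuration, and it is only honoured on release 6.15.0 or higher, so a preflight check on both is worth running before you call `create-security-configuration` and `create-cluster`. The following is an added example, not code from the Amazon EMR documentation. The JSON key names it expects (`AuthenticationConfiguration.IdentityCenterConfiguration.EnableIdentityCenter`, `IdentityCenterInstanceARN`, `IAMRoleForEMRIdentityCenterApplicationARN`, and `AuthorizationConfiguration.LakeFormationConfiguration.EnableLakeFormation`) are assumed from the EMR security configuration reference and should be verified against the release you deploy; the ARNs, account ID, and names in the sample are constructed placeholders.

```python
"""Preflight check for an EMR security configuration that enables IAM Identity Center.

Added example, not Amazon EMR's own code. Key names are assumed from the EMR
security configuration reference; verify them for your release. All ARNs and
names below are constructed placeholders.
"""
import json
import re

MIN_RELEASE = (6, 15, 0)  # Identity Center integration needs emr-6.15.0 or higher

# Constructed sample: the document you would pass as
#   aws emr create-security-configuration --name emr-idc \
#       --security-configuration file://security-configuration.json
SAMPLE_SECURITY_CONFIGURATION = json.dumps({
    "AuthenticationConfiguration": {
        "IdentityCenterConfiguration": {
            "EnableIdentityCenter": True,
            "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-0123456789abcdef",
            "IAMRoleForEMRIdentityCenterApplicationARN":
                "arn:aws:iam::123456789012:role/EMR-IdentityCenter-App-Role",
        }
    },
    "AuthorizationConfiguration": {
        # Optional: table-level authorization on Lake Formation managed Glue tables
        "LakeFormationConfiguration": {"EnableLakeFormation": True}
    },
})

_RELEASE_RE = re.compile(r"^emr-(\d+)\.(\d+)\.(\d+)$")
# Partition prefix allows the China and GovCloud partitions as well as aws.
_SSO_INSTANCE_RE = re.compile(r"^arn:aws(-cn|-us-gov)?:sso:::instance/ssoins-[0-9a-f]+$")
_IAM_ROLE_RE = re.compile(r"^arn:aws(-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_release(label):
    """'emr-6.15.0' -> (6, 15, 0); raises ValueError on anything else.

    Components are compared as integers because a plain string compare would
    rank 'emr-6.9.0' above 'emr-6.15.0'.
    """
    m = _RELEASE_RE.match(label)
    if not m:
        raise ValueError(f"not an EMR release label: {label!r}")
    return tuple(int(x) for x in m.groups())


def release_supports_identity_center(label):
    """True when the release label is emr-6.15.0 or higher."""
    return parse_release(label) >= MIN_RELEASE


def check_security_configuration(sc_json):
    """Return a list of problems; an empty list means the Identity Center block looks usable."""
    sc = json.loads(sc_json)
    idc = sc.get("AuthenticationConfiguration", {}).get("IdentityCenterConfiguration", {})
    problems = []
    if idc.get("EnableIdentityCenter") is not True:
        problems.append("EnableIdentityCenter is not true")
    if not _SSO_INSTANCE_RE.match(idc.get("IdentityCenterInstanceARN", "")):
        problems.append("IdentityCenterInstanceARN is missing or not an Identity Center instance ARN")
    if not _IAM_ROLE_RE.match(idc.get("IAMRoleForEMRIdentityCenterApplicationARN", "")):
        problems.append("IAMRoleForEMRIdentityCenterApplicationARN is missing or not an IAM role ARN")
    return problems


def lake_formation_enabled(sc_json):
    """True when the configuration also turns on Lake Formation authorization."""
    sc = json.loads(sc_json)
    lf = sc.get("AuthorizationConfiguration", {}).get("LakeFormationConfiguration", {})
    return lf.get("EnableLakeFormation") is True


if __name__ == "__main__":
    for label in ("emr-6.9.0", "emr-6.15.0", "emr-7.0.0"):
        print(label, "supports Identity Center:", release_supports_identity_center(label))
    print("problems:", check_security_configuration(SAMPLE_SECURITY_CONFIGURATION))
    print("Lake Formation enabled:", lake_formation_enabled(SAMPLE_SECURITY_CONFIGURATION))
```

Run the check against the JSON file you intend to upload and against the `--release-label` you intend to pass to `create-cluster`; a non-empty problem list or an unsupported release means the cluster would come up without the Identity Center authentication path the page describes.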