Integrate Amazon EMR with Amazon IAM Identity Center - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Integrate Amazon EMR with Amazon IAM Identity Center

With Amazon EMR releases 6.15.0 and higher, you can use identities from Amazon IAM Identity Center to authenticate with an Amazon EMR cluster. The following sections provides a conceptual overview, prerequisites, and steps required to launch an EMR cluster with Identity Center integration.


Trusted identity propagation through IAM Identity Center can help you securely create or connect your workforce identities, and centrally manage their access across Amazon accounts and applications. With this capability, a user can sign in to the application that uses trusted identity propagation, and that application can pass the identity of the user in requests that it makes to access data in Amazon services that also use trusted identity propagation. Because access is managed based on a user's identity, users don't need to use database local user credentials or assume an IAM role to access data.

Identity Center is the recommended approach for workforce authentication and authorization on Amazon for organizations of any size and type. With Identity Center, you can create and manage user identities in Amazon, or connect your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, and Microsoft Entra ID (formerly Azure AD).

For more information, see What is Amazon IAM Identity Center? and Trusted identity propagation across applications in the Amazon IAM Identity Center User Guide.

Features and benefits

The Amazon EMR integration with IAM Identity Center provides the following benefits:

  • Amazon EMR provides credentials to relay your Identity Center Identity to an EMR cluster.

  • Amazon EMR configures all supported applications to authenticate with the cluster credentials.

  • Amazon EMR configures and maintains the supported application security with the Kerberos protocol and no commands or scripts required by you.

  • The ability to enforce Amazon S3 prefix-level authorization with Identity Center identities on S3 Access Grants-managed S3 prefixes.

  • The ability to enforce table-level authorization with Identity Center identities on Amazon Lake Formation managed Amazon Glue tables.