EC2 instance profile - Amazon EMR
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

EC2 instance profile

Amazon EMR uses an IAM service role to perform actions on your behalf to provision and manage clusters. The service role for cluster EC2 instances, also called the EC2 instance profile for Amazon EMR, is a special type of service role assigned to every EC2 instance in a cluster at launch.

To define permissions for EMR cluster interaction with Amazon S3 data and with Hive metastore protected by Apache Ranger and other Amazon services, define a custom EC2 instance profile to use instead of the EMR_EC2_DefaultRole when you launch your cluster.

For more information, see Service role for cluster EC2 instances (EC2 instance profile) and Customize IAM roles.

You need to add the following statements to the default EC2 Instance Profile for Amazon EMR to be able to tag sessions and access the Amazon Secrets Manager that stores TLS certificates.

{ "Sid": "AllowAssumeOfRolesAndTagging", "Effect": "Allow", "Action": ["sts:TagSession", "sts:AssumeRole"], "Resource": [ "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<RANGER_ENGINE-PLUGIN_DATA_ACCESS_ROLE_NAME>", "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<RANGER_USER_ACCESS_ROLE_NAME>" ] }, { "Sid": "AllowSecretsRetrieval", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": [ "arn:aws:secretsmanager:<REGION>:<AWS_ACCOUNT_ID>:secret:<PLUGIN_TLS_SECRET_NAME>*", "arn:aws:secretsmanager:<REGION>:<AWS_ACCOUNT_ID>:secret:<ADMIN_RANGER_SERVER_TLS_SECRET_NAME>*" ] }

For the Secrets Manager permissions, do not forget the wildcard ("*") at the end of the secret name or your requests will fail. The wildcard is for secret versions.


Limit the scope of the Amazon Secrets Manager policy to only the certificates that are required for provisioning.