
Required permissions for Amazon EMR WAL

For your cluster to connect to Amazon EMR WAL, the instance profile for the cluster requires certain IAM permissions:

  • Amazon EMR WAL uses the AWSServiceRoleForEMRWAL service-linked role to retrieve the status of a cluster. Amazon EMR automatically creates this service-linked role when you create a WAL workspace. If the role doesn't yet exist when you configure a workspace for Amazon EMR WAL, HBase creates it.

    Before you can enable Amazon EMR WAL for a cluster, you must configure the permissions to allow automatic creation of the AWSServiceRoleForEMRWAL service-linked role. For more information and an example statement that adds this capability, see Using service-linked roles for write-ahead logging.

  • Because Amazon EMR WAL uses HBase Write Ahead Log (WAL), your clusters must use HBase WAL. The following are the minimum IAM permissions that you need to run HBase. Add these to the permissions policy for your instance profile:

    emrwal:DeleteWal
    emrwal:CreateWal
    emrwal:CreateWorkspace
    emrwal:AppendEdit
    emrwal:ReplayEdits
    emrwal:GetCurrentWalTime
    emrwal:CompleteWalFlush

    Note

    If you scope permissions for Amazon EMR WAL to only the minimal set, some EMRWAL CLI commands won't have the necessary permissions to run.
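
One way to check an instance-profile policy document against the minimum set above, as an added example that is not part of the AWS documentation. The function names, the constructed sample policies, and the "Resource": "*" value are assumptions; the check looks only at Action and Effect, and ignores Resource, Condition, and NotAction.

```python
import json
import re

# Minimum EMR WAL actions this page lists for the instance profile.
REQUIRED = [
    "emrwal:DeleteWal", "emrwal:CreateWal", "emrwal:CreateWorkspace",
    "emrwal:AppendEdit", "emrwal:ReplayEdits", "emrwal:GetCurrentWalTime",
    "emrwal:CompleteWalFlush",
]

# Constructed sample policies (Resource "*" is an assumption, not from the page).
SAMPLE_PARTIAL = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": [a for a in REQUIRED if a != "emrwal:CompleteWalFlush"]}})
SAMPLE_BROAD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "emrwal:*"}]})

def _as_list(value):
    # IAM accepts a single string/object or a list for Action and Statement.
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; "*" and "?" are wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def audit_policy(policy_json):
    """Return (missing required actions, wildcard grants covering them)."""
    allowed, denied = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" not in stmt:  # NotAction statements are not evaluated here
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt["Action"]))
    missing = [a for a in REQUIRED
               if not any(_matches(p, a) for p in allowed)
               or any(_matches(p, a) for p in denied)]
    wildcards = [p for p in allowed
                 if "*" in p and any(_matches(p, a) for a in REQUIRED)]
    return missing, wildcards

if __name__ == "__main__":
    for name, doc in [("partial", SAMPLE_PARTIAL), ("broad", SAMPLE_BROAD)]:
        missing, wildcards = audit_policy(doc)
        print(name, "missing:", missing, "wildcards:", wildcards)
```

A non-empty first list means the cluster lacks an action from the minimum set; a non-empty second list marks a grant broader than the minimum, which a reviewer can weigh against the note above about EMRWAL CLI commands.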