Actions, resources, and condition keys for Amazon Elastic MapReduce
Amazon Elastic MapReduce (service prefix: elasticmapreduce) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Elastic MapReduce
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.
For details about the columns in the following table, see Actions table.
The DescribeJobFlows API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddInstanceFleet | Grants permission to add an instance fleet to a running cluster | Write | |||
AddInstanceGroups | Grants permission to add instance groups to a running cluster | Write | |||
AddJobFlowSteps | Grants permission to add new steps to a running cluster | Write | |||
AddTags | Grants permission to add tags to an Amazon EMR resource | Tagging | |||
AttachEditor [permission only] | Grants permission to attach an EMR notebook to a compute engine | Write | |||
CancelSteps | Grants permission to cancel a pending step or steps in a running cluster | Write | |||
CreateEditor [permission only] | Grants permission to create an EMR notebook | Write | |||
CreatePersistentAppUI | Grants permission to create a persistent application history server | Write | |||
CreateRepository [permission only] | Grants permission to create an EMR notebook repository | Write | |||
CreateSecurityConfiguration | Grants permission to create a security configuration | Write | |||
CreateStudio | Grants permission to create an EMR Studio | Write | |||
CreateStudioPresignedUrl | Grants permission to launch an EMR Studio using IAM authentication mode | Write | |||
CreateStudioSessionMapping | Grants permission to create an EMR Studio session mapping | Write | |||
DeleteEditor [permission only] | Grants permission to delete an EMR notebook | Write | |||
DeleteRepository [permission only] | Grants permission to delete an EMR notebook repository | Write | |||
DeleteSecurityConfiguration | Grants permission to delete a security configuration | Write | |||
DeleteStudio | Grants permission to delete an EMR Studio | Write | |||
DeleteStudioSessionMapping | Grants permission to delete an EMR Studio session mapping | Write | |||
DeleteWorkspaceAccess [permission only] | Grants permission to block an identity from opening a collaborative workspace | Permissions management | |||
DescribeCluster | Grants permission to get details about a cluster, including status, hardware and software configuration, VPC settings, and so on | Read | |||
DescribeEditor [permission only] | Grants permission to view information about a notebook, including status, user, role, tags, location, and more | Read | |||
DescribeJobFlows | Grants permission to describe details of clusters (job flows). This API is deprecated and will eventually be removed. We recommend you use ListClusters, DescribeCluster, ListSteps, ListInstanceGroups and ListBootstrapActions instead | Read | |||
DescribeNotebookExecution | Grants permission to view information about a notebook execution | Read | |||
DescribePersistentAppUI | Grants permission to describe a persistent application history server | Read | |||
DescribeReleaseLabel | Grants permission to view information about an EMR release, such as which applications are supported | Read | |||
DescribeRepository [permission only] | Grants permission to describe an EMR notebook repository | Read | |||
DescribeSecurityConfiguration | Grants permission to get details of a security configuration | Read | |||
DescribeStep | Grants permission to get details about a cluster step | Read | |||
DescribeStudio | Grants permission to view information about an EMR Studio | Read | |||
DetachEditor [permission only] | Grants permission to detach an EMR notebook from a compute engine | Write | |||
GetAutoTerminationPolicy | Grants permission to retrieve the auto-termination policy associated with a cluster | Read | |||
GetBlockPublicAccessConfiguration | Grants permission to retrieve the EMR block public access configuration for the Amazon Web Services account in the Region | Read | |||
GetClusterSessionCredentials | Grants permission to retrieve HTTP basic credentials associated with a given execution IAM Role for a fine-grained access control enabled EMR Cluster | Write | |||
GetManagedScalingPolicy | Grants permission to retrieve the managed scaling policy associated with a cluster | Read | |||
GetOnClusterAppUIPresignedURL | Grants permission to get a presigned URL for an application history server running on the cluster | Write | |||
GetPersistentAppUIPresignedURL | Grants permission to get a presigned URL for a persistent application history server | Write | |||
GetStudioSessionMapping | Grants permission to view information about an EMR Studio session mapping | Read | |||
LinkRepository [permission only] | Grants permission to link an EMR notebook repository to EMR notebooks | Write | |||
ListBootstrapActions | Grants permission to get details about the bootstrap actions associated with a cluster | Read | |||
ListClusters | Grants permission to get the status of accessible clusters | List | |||
ListEditors [permission only] | Grants permission to list summary information for accessible EMR notebooks | List | |||
ListInstanceFleets | Grants permission to get details of instance fleets in a cluster | Read | |||
ListInstanceGroups | Grants permission to get details of instance groups in a cluster | Read | |||
ListInstances | Grants permission to get details about the Amazon EC2 instances in a cluster | Read | |||
ListNotebookExecutions | Grants permission to list summary information for notebook executions | List | |||
ListReleaseLabels | Grants permission to list and filter the available EMR releases in the current region | List | |||
ListRepositories [permission only] | Grants permission to list existing EMR notebook repositories | List | |||
ListSecurityConfigurations | Grants permission to list available security configurations in this account by name, along with creation dates and times | List | |||
ListSteps | Grants permission to list steps associated with a cluster | Read | |||
ListStudioSessionMappings | Grants permission to list summary information about EMR Studio session mappings | List | |||
ListStudios | Grants permission to list summary information about EMR Studios | List | |||
ListWorkspaceAccessIdentities [permission only] | Grants permission to list identities that are granted access to a workspace | List | |||
ModifyCluster | Grants permission to change cluster settings such as number of steps that can be executed concurrently for a cluster | Write | |||
ModifyInstanceFleet | Grants permission to change the target On-Demand and target Spot capacities for an instance fleet | Write | |||
ModifyInstanceGroups | Grants permission to change the number and configuration of EC2 instances for an instance group | Write | |||
OpenEditorInConsole [permission only] | Grants permission to launch the Jupyter notebook editor for an EMR notebook from within the console | Write | |||
PutAutoScalingPolicy | Grants permission to create or update an automatic scaling policy for a core instance group or task instance group | Write | |||
PutAutoTerminationPolicy | Grants permission to create or update the auto-termination policy associated with a cluster | Write | |||
PutBlockPublicAccessConfiguration | Grants permission to create or update the EMR block public access configuration for the Amazon Web Services account in the Region | Permissions management | |||
PutManagedScalingPolicy | Grants permission to create or update the managed scaling policy associated with a cluster | Write | |||
PutWorkspaceAccess [permission only] | Grants permission to allow an identity to open a collaborative workspace | Permissions management | |||
RemoveAutoScalingPolicy | Grants permission to remove an automatic scaling policy from an instance group | Write | |||
RemoveAutoTerminationPolicy | Grants permission to remove the auto-termination policy associated with a cluster | Write | |||
RemoveManagedScalingPolicy | Grants permission to remove the managed scaling policy associated with a cluster | Write | |||
RemoveTags | Grants permission to remove tags from an Amazon EMR resource | Tagging | |||
RunJobFlow | Grants permission to create and launch a cluster (job flow) | Write | |||
SetTerminationProtection | Grants permission to add and remove termination protection for a cluster | Write | |||
StartEditor [permission only] | Grants permission to start an EMR notebook | Write | |||
StartNotebookExecution | Grants permission to start an EMR notebook execution | Write | |||
StopEditor [permission only] | Grants permission to shut down an EMR notebook | Write | |||
StopNotebookExecution | Grants permission to stop notebook execution | Write | |||
TerminateJobFlows | Grants permission to terminate a cluster (job flow) | Write | |||
UnlinkRepository [permission only] | Grants permission to unlink an EMR notebook repository from EMR notebooks | Write | |||
UpdateEditor [permission only] | Grants permission to update an EMR notebook | Write | |||
UpdateRepository [permission only] | Grants permission to update an EMR notebook repository | Write | |||
UpdateStudio | Grants permission to update information about an EMR Studio | Write | |||
UpdateStudioSessionMapping | Grants permission to update an EMR Studio session mapping | Write | |||
ViewEventsFromAllClustersInConsole [permission only] | Grants permission to use the EMR console to view events from all clusters | List |
Resource types defined by Amazon Elastic MapReduce
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
cluster | arn:${Partition}:elasticmapreduce:${Region}:${Account}:cluster/${ClusterId} | |
editor | arn:${Partition}:elasticmapreduce:${Region}:${Account}:editor/${EditorId} | |
notebook-execution | arn:${Partition}:elasticmapreduce:${Region}:${Account}:notebook-execution/${NotebookExecutionId} | |
studio | arn:${Partition}:elasticmapreduce:${Region}:${Account}:studio/${StudioId} | |
Condition keys for Amazon Elastic MapReduce
Amazon Elastic MapReduce defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters access by whether the tag and value pair is provided with the action | String |
aws:ResourceTag/${TagKey} | Filters access by the tag and value pair associated with an Amazon EMR resource | String |
aws:TagKeys | Filters access by whether the tag keys are provided with the action regardless of tag value | ArrayOfString |
elasticmapreduce:ExecutionRoleArn | Filters access by whether the execution role ARN is provided with the action | String |
elasticmapreduce:RequestTag/${TagKey} | Filters access by whether the tag and value pair is provided with the action | String |
elasticmapreduce:ResourceTag/${TagKey} | Filters access by the tag and value pair associated with an Amazon EMR resource | String |
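
As an added example (not part of the AWS documentation), this Python linter checks a policy statement's Resource and Condition entries against the ARN formats and condition keys in the two tables above. The function names, the sample statement, and its account ID and tag are assumptions made for the illustration.

```python
import re

# ARN formats copied from the Resource types table on this page.
_BASE = "arn:${Partition}:elasticmapreduce:${Region}:${Account}:"
ARN_TEMPLATES = {
    "cluster": _BASE + "cluster/${ClusterId}",
    "editor": _BASE + "editor/${EditorId}",
    "notebook-execution": _BASE + "notebook-execution/${NotebookExecutionId}",
    "studio": _BASE + "studio/${StudioId}",
}
# Service-specific and tag keys copied from the Condition keys table.
CONDITION_KEYS = [
    "aws:RequestTag/${TagKey}", "aws:ResourceTag/${TagKey}", "aws:TagKeys",
    "elasticmapreduce:ExecutionRoleArn",
    "elasticmapreduce:RequestTag/${TagKey}",
    "elasticmapreduce:ResourceTag/${TagKey}",
]
# Constructed sample: wrong service prefix in the ARN, misspelled condition key.
SAMPLE = {
    "Effect": "Allow", "Action": "elasticmapreduce:TerminateJobFlows",
    "Resource": "arn:aws:emr:us-east-1:123456789012:cluster/*",
    "Condition": {"StringEquals": {"elasticmapreduce:ResourceTags/team": "data"}},
}

def _compile(template, segment, flags=0):
    """Escape the literal parts and let `segment` stand in for each ${Name}."""
    literals = re.split(r"\$\{\w+\}", template)
    return re.compile(segment.join(re.escape(p) for p in literals), flags)

# One ARN field may not cross ':' or '/'; a policy wildcard '*' still fits.
ARN_RES = {n: _compile(t, "[^:/]+") for n, t in ARN_TEMPLATES.items()}
# Condition key names are case-insensitive; a tag key may hold any characters.
KEY_RES = [_compile(k, ".+", re.IGNORECASE) for k in CONDITION_KEYS]

def resource_type(arn):
    """Return the EMR resource type an ARN names, or None if it fits none."""
    return next((n for n, rx in ARN_RES.items() if rx.fullmatch(arn)), None)

def lint_statement(stmt):
    """List Resource and Condition entries that match nothing on this page."""
    findings = []
    resources = stmt.get("Resource", [])
    for arn in [resources] if isinstance(resources, str) else resources:
        if arn != "*" and resource_type(arn) is None:
            findings.append(f"Resource {arn!r}: no EMR ARN format matches")
    for keys in stmt.get("Condition", {}).values():
        for key in keys:
            # Other aws:* keys are global condition keys and are not checked.
            known = any(rx.fullmatch(key) for rx in KEY_RES)
            if key.lower().startswith("elasticmapreduce:") and not known:
                findings.append(f"Condition key {key!r}: not defined for EMR")
    return findings
```

Calling lint_statement(SAMPLE) reports both mistakes; a statement that silently matches no resource or tests a key that is never set does not restrict access the way its author intended.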