IAM policies for Amazon EMR Serverless - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM policies for Amazon EMR Serverless

When you create a state machine using the console, Step Functions automatically creates an execution role for your state machine with the least privileges required. These automatically generated IAM roles are valid for the Amazon Web Services Region in which you create the state machine.

The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM Policies for integrated services and Service integration patterns.

We recommend that when you create IAM policies, do not include wildcards in the policies. As a security best practice, you should scope your policies down as much as possible. You should use dynamic policies only when certain input parameters are not known during runtime.

Further, administrator users should be careful when granting non-administrator users execution roles for running the state machines. We recommend that you include passRole policies in the execution roles if you're creating policies on your own. We also recommend that you add the aws:SourceARN and aws:SourceAccount context keys in the execution roles.

In this topic

IAM policy examples for EMR Serverless integration with Step Functions

IAM policy example for CreateApplication

The following is an IAM policy example for a state machine with a CreateApplication Task state.

Note

You need to specify the CreateServiceLinkedRole permissions in your IAM policies during the creation of the first ever application in your account. Thereafter, you need not add this permission. For information about CreateServiceLinkedRole, see CreateServiceLinkedRole in the https://docs.amazonaws.cn/IAM/latest/APIReference/.

Static and dynamic resources for the following policies are the same.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CreateApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/*" ] }, { "Effect": "Allow", "Action": [ "emr-serverless:GetApplication", "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AmazonServiceRoleForAmazonEMRServerless*", "Condition": { "StringLike": { "iam:AWSServiceName": "ops.emr-serverless.amazonaws.com" } } } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CreateApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/*" ] }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AmazonServiceRoleForAmazonEMRServerless*", "Condition": { "StringLike": { "iam:AWSServiceName": "ops.emr-serverless.amazonaws.com" } } } ] }

IAM policy example for StartApplication

Static resources

The following are IAM policy examples for static resources when you use a state machine with a StartApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication", "emr-serverless:GetApplication", "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
Dynamic resources

The following are IAM policy examples for dynamic resources when you use a state machine with a StartApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication", "emr-serverless:GetApplication", "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM policy example for StopApplication

Static resources

The following are IAM policy examples for static resources when you use a state machine with a StopApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
Dynamic resources

The following are IAM policy examples for dynamic resources when you use a state machine with a StopApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM policy example for DeleteApplication

Static resources

The following are IAM policy examples for static resources when you use a state machine with a DeleteApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
Dynamic resources

The following are IAM policy examples for dynamic resources when you use a state machine with a DeleteApplication Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM policy example for StartJobRun

Static resources

The following are IAM policy examples for static resources when you use a state machine with a StartJobRun Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } } ] }
Dynamic resources

The following are IAM policy examples for dynamic resources when you use a state machine with a StartJobRun Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun", "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws-cn:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws-cn:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws-cn:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } } ] }

IAM policy example for CancelJobRun

Static resources

The following are IAM policy examples for static resources when you use a state machine with a CancelJobRun Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun", "emr-serverless:GetJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]" ] } ] }
Dynamic resources

The following are IAM policy examples for dynamic resources when you use a state machine with a CancelJobRun Task state.

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun", "emr-serverless:GetJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }