View a markdown version of this page

Actions, resources, and condition keys for Amazon EMR Serverless - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon EMR Serverless

Amazon EMR Serverless (service prefix: emr-serverless) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon EMR Serverless

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CancelJobRun

emr-serverless:CancelJobRun

Write

CreateApplication

emr-serverless:CreateApplication

Write

emr-serverless:TagResource

Tagging, Write

DeleteApplication

emr-serverless:DeleteApplication

Write

GetApplication

emr-serverless:GetApplication

Read

GetDashboardForJobRun

emr-serverless:AccessSystemProfileLogs

Write

emr-serverless:GetDashboardForJobRun

Read

glue:GetDatabases

Read

glue:SearchTables

Read

GetJobRun

emr-serverless:GetJobRun

Read

GetResourceDashboard

emr-serverless:GetResourceDashboard

Read

GetSession

emr-serverless:GetSession

Read

GetSessionEndpoint

emr-serverless:GetSessionEndpoint

Read

ListApplications

emr-serverless:ListApplications

List

ListJobRunAttempts

emr-serverless:ListJobRunAttempts

List

ListJobRuns

emr-serverless:ListJobRuns

List

ListSessions

emr-serverless:ListSessions

List

ListTagsForResource

emr-serverless:ListTagsForResource

Read

StartApplication

emr-serverless:StartApplication

Write

StartJobRun

emr-serverless:StartJobRun

Write

emr-serverless:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

emr-serverless.amazonaws.com

Write

StartSession

emr-serverless:StartSession

Write

emr-serverless:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

emr-serverless.amazonaws.com

Write

StopApplication

emr-serverless:StopApplication

Write

TagResource

emr-serverless:TagResource

Tagging, Write

TerminateSession

emr-serverless:TerminateSession

Write

UntagResource

emr-serverless:UntagResource

Tagging, Write

UpdateApplication

emr-serverless:UpdateApplication

Write

Actions defined by Amazon EMR Serverless

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelJobRun

Grants permission to cancel a job run

jobRun*

aws:ResourceTag/${TagKey}

Write

CreateApplication

Grants permission to create an Application

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteApplication

Grants permission to delete an application

application*

aws:ResourceTag/${TagKey}

Write

GetApplication

Grants permission to get application

application*

aws:ResourceTag/${TagKey}

Read

GetDashboardForJobRun

Grants permission to get job run dashboard

jobRun*

aws:ResourceTag/${TagKey}

Read

GetJobRun

Grants permission to get a job run

jobRun*

aws:ResourceTag/${TagKey}

Read

GetResourceDashboard

Grants permission to get the resource dashboard

session*

aws:ResourceTag/${TagKey}

Read

GetSession

Grants permission to get details about a session

session*

aws:ResourceTag/${TagKey}

Read

GetSessionEndpoint

Grants permission to get the endpoint URL and authentication token for connecting to a session

session*

aws:ResourceTag/${TagKey}

Read

ListApplications

Grants permission to list applications

List

ListJobRunAttempts

Grants permission to list job run attempts associated with a job run

jobRun*

aws:ResourceTag/${TagKey}

List

ListJobRuns

Grants permission to list job runs associated with an application

application*

aws:ResourceTag/${TagKey}

List

ListSessions

Grants permission to list sessions associated with an application

application*

aws:ResourceTag/${TagKey}

List

ListTagsForResource

Grants permission to list tags for the specified resource

application

aws:ResourceTag/${TagKey}

Read

jobRun

aws:ResourceTag/${TagKey}

session

aws:ResourceTag/${TagKey}

StartApplication

Grants permission to Start an application

application*

aws:ResourceTag/${TagKey}

Write

StartJobRun

Grants permission to start a job run

application*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

StartSession

Grants permission to start a session in an application

application*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

StopApplication

Grants permission to Stop an application

application*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to tag the specified resource

application

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

jobRun

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

session

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

TerminateSession

Grants permission to terminate a session

session*

aws:ResourceTag/${TagKey}

Write

UntagResource

Grants permission to untag the specified resource

application

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

jobRun

aws:ResourceTag/${TagKey}

aws:TagKeys

session

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateApplication

Grants permission to Update an application

application*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for Amazon EMR Serverless

The following actions are defined by Amazon EMR Serverless but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

AccessInteractiveEndpoints

Grants permission to execute interactive workloads on an application

application*

aws:ResourceTag/${TagKey}

Write

AccessLivyEndpoints

Grants permission to execute interactive workloads on Livy Endpoint enabled on an EMR Serverless Application

application*

aws:ResourceTag/${TagKey}

Write

AccessSystemProfileLogs

Grants permission to access system profile logs

jobRun*

aws:ResourceTag/${TagKey}

Write

Resource types defined by Amazon EMR Serverless

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

application

arn:${Partition}:emr-serverless:${Region}:${Account}:/applications/${ApplicationId}

aws:ResourceTag/${TagKey}

jobRun

arn:${Partition}:emr-serverless:${Region}:${Account}:/applications/${ApplicationId}/jobruns/${JobRunId}

aws:ResourceTag/${TagKey}

session

arn:${Partition}:emr-serverless:${Region}:${Account}:/applications/${ApplicationId}/sessions/${SessionId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon EMR Serverless

Amazon EMR Serverless defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the presence of tag key-value pairs in the request

String

aws:ResourceTag/${TagKey}

Filters access by tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the presence of tag keys in the request

ArrayOfString