本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 为 Amazon EC2 或 Amazon EKS 配置 EMR Studio 用户权限
您必须为 Amazon EMR Studio 配置用户权限策略,以便您能设置精细的用户和组权限。有关用户权限在 EMR Studio 中如何工作的信息,请参阅 [Amazon EMR Studio 工作原理](how-emr-studio-works.md) 中的 [访问控制](how-emr-studio-works.md#emr-studio-access-control)。
**注意**
本部分中介绍的权限不会强制执行数据访问控制。要管理对输入数据集的访问,您应该为 Studio 使用的集群配置权限。有关更多信息,请参阅 [Amazon EMR 中的安全性](emr-security.md)。
## 创建 IAM Identity Center 身份验证模式的 EMR Studio 用户角色
当您使用 IAM Identity Center 身份验证模式时,必须创建 EMR Studio 用户角色。
**创建 EMR Studio 用户角色**
1. 按照《*AWS Identity and Access Management 用户指南》*中[创建角色向 AWS 服务委派权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)中的说明创建用户角色。
在创建角色时,使用以下信任关系策略。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:SetContext"
],
"Resource": "arn:aws:iam::123456789012:role/EMRStudioServiceRole",
"Sid": "AllowSTSAssumerole"
}
]
}
```
------
1. 删除默认角色权限和策略。
1. 在将用户和组分配给 Studio 之前,将您的 EMR Studio 会话策略附加到用户角色。有关如何创建会话策略的说明,请参阅 [为 EMR Studio 用户创建权限策略](#emr-studio-permissions-policies)。
## 为 EMR Studio 用户创建权限策略
要为 EMR Studio 创建权限策略,请参阅下面各部分。
**Topics**
+ [创建权限策略](#emr-studio-permissions-policies-create)
+ [设置 Workspace 协作的所有权](#emr-studio-workspace-collaboration-permissions)
+ [创建用户级的 Git 密钥策略](#emr-studio-permissions-policies-git)
+ [将权限策略附加到您的 IAM 身份](#emr-studio-permissions-policies-attach)
**注意**
要设置用于存储 Notebook 文件的 Amazon S3 访问权限,以及在将 Workspaces 链接到 Git 存储库时设置读取密钥的 AWS Secrets Manager 访问权限,请使用 EMR Studio 服务角色。
### 创建权限策略
创建一个或多个指定用户可在您的 Studio 中执行哪些操作的 IAM 权限策略。例如,您可以使用此页面上的示例策略为[基本]()、[中间]()和[高级]() Studio 用户类型创建三个独立策略。
关于用户可能执行的每个 Studio 操作的细分情况,以及执行每个操作所需的最低 IAM 操作,请参阅 [AWS Identity and Access Management EMR Studio 用户的权限](#emr-studio-iam-permissions-table)。有关创建策略的步骤,请参阅《IAM 用户指南》**中的[创建 IAM policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html)。
您的权限策略必须包含以下语句。
```
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": "secretsmanager:TagResource",
"Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role"
],
"Effect": "Allow"
}
```
### 设置 Workspace 协作的所有权
借助 Workspace 协作功能,多个用户可以在同一 Workspace 中同时工作,并且可以使用 Workspace UI 中的 **Collaboration**(协作)面板进行配置。要查看和使用 **Collaboration**(协作)面板,用户必须具有以下权限。任何拥有这些权限的用户都可以查看和使用 **Collaboration**(协作)面板。
```
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
```
要限制对 **Collaboration**(协作)面板的访问权限,您可以使用基于标签的访问控制。当用户创建某个 Workspace 时,EMR Studio 会应用一个原定设置标签,标签键为 `creatorUserId`,标签值为创建该 WorkSpace 的用户的 ID。
**注意**
EMR Studio 将 `creatorUserId` 标签添加到 2021 年 11 月 16 日后创建的 Workspaces。要限制谁可以为此日期前创建的 Workspace 配置协作,我们建议为您的 Workspace 手动添加 `creatorUserId` 标签,然后在用户权限策略中使用基于标签的访问控制。
以下示例语句允许用户为任何具有标签键 `creatorUserId` 并且标签值与该用户的 ID(由策略变量 `aws:userId` 指示)一致的 WorkSpace 配置协作。换言之,该语句允许用户为他们创建的 Workspace 配置协作。要详细了解策略变量,请参阅《IAM 用户指南》**中的 [IAM policy 元素:变量和标签](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
```
{
"Sid": "UserRolePermissionsForCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}"
}
}
}
```
### 创建用户级的 Git 密钥策略
**Topics**
+ [使用用户级权限](#emr-studio-permissions-policies-user)
+ [从服务级别权限转换为用户级别权限](#emr-studio-permissions-policies-transition)
+ [要使用服务级别权限](#emr-studio-permissions-policies-service)
#### 使用用户级权限
EMR Studio 在创建 Git 密钥时会自动添加 `for-use-with-amazon-emr-managed-user-policies` 标签。如果要在用户级别控制对 Git 密钥的访问,请使用 `secretsmanager:GetSecretValue` 将基于标签的权限添加到 EMR Studio **用户角色策略**中,如以下 [从服务级别权限转换为用户级别权限](#emr-studio-permissions-policies-transition) 部分所示。
如果您在 EMR Studio **服务角色策略**中已有对 `secretsmanager:GetSecretValue` 的权限,则应移除这些权限。
#### 从服务级别权限转换为用户级别权限
**注意**
`for-use-with-amazon-emr-managed-user-policies` 标签可确保以下**步骤 1** 中的权限为 Workspace 的创建者授予对 Git 密钥的访问权。但是,如果您在 2023 年 9 月 1 日之前链接 Git 存储库,则相应的 Git 密钥将被拒绝访问,因为它们没有应用 `for-use-with-amazon-emr-managed-user-policies` 标签。要应用用户级权限,必须从中重新创建旧密钥 JupyterLab 并重新链接相应的 Git 存储库。
有关策略变量的更多信息,请参阅《IAM 用户指南》**中的 [IAM policy 元素:变量和标签](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
1. 将以下权限添加到 [EMR Studio **用户角色策略**](emr-studio-service-role.md)中。它会使用 `for-use-with-amazon-emr-managed-user-policies` 密钥和值 `"${aws:userid}"`。
```
{
"Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}"
}
}
}
```
1. 如果以下权限存在,请从 [EMR Studio **服务角色策略**](emr-studio-service-role.md)中移除这些权限。由于服务角色策略适用于各个用户定义的所有密钥,您只需执行一次即可。
```
{
"Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
}
```
#### 要使用服务级别权限
自 2023 年 9 月 1 日起,EMR Studio 会自动添加用于用户级访问控制的 `for-use-with-amazon-emr-managed-user-policies` 标签。由于这是一项新增功能,您可以继续使用通过 [EMR Studio 服务角色](emr-studio-service-role.md)中的 `GetSecretValue` 权限提供的服务级别访问权限。
对于 2023 年 9 月 1 日之前创建的密钥,EMR Studio 没有添加 `for-use-with-amazon-emr-managed-user-policies` 标签。要继续使用服务级别权限,只需保留现有的 [EMR Studio 服务角色](emr-studio-service-role.md)和用户角色权限即可。但是,要限制可访问某个单独密钥的人员,建议按照 [使用用户级权限](#emr-studio-permissions-policies-user) 中的步骤手动将 `for-use-with-amazon-emr-managed-user-policies` 标签到密钥中,然后在用户权限策略中使用基于标签的访问控制。
有关策略变量的更多信息,请参阅《IAM 用户指南》**中的 [IAM policy 元素:变量和标签](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
### 将权限策略附加到您的 IAM 身份
下表总结了您将权限策略附加到的具体 IAM 身份,其取决于您的 EMR Studio 身份验证模式。有关如何附加策略的说明,请参阅[添加和删除 IAM 身份权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。
****
| 如果您使用... | 将策略附加到… |
| --- | --- |
| IAM 身份验证 | 您的 IAM 身份(用户、用户组或角色)。例如,您可以将权限策略附加到 AWS 账户中的用户。 |
| 与外部身份提供商 (IdP) 进行 IAM 联合身份验证 | 您为外部 IdP 创建的一个或多个 IAM 角色。例如,用于 SAML 2.0 联合身份验证的 IAM。 对于具有 Studio 联合访问权限的用户,EMR Studio 使用您附加到 IAM 单个或多个角色的权限。 |
| IAM Identity Center | 您的 Amazon EMR Studio 用户角色。 |
## 示例用户策略
以下基本用户策略允许大多数 EMR Studio 操作,但不允许用户创建新的 Amazon EMR 集群。
### 基本策略
**重要**
该示例策略不包括 `CreateStudioPresignedUrl` 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 [将用户或组分配到 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 `Condition` 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 [创建 EMR Studio 服务角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": [
"arn:aws:ec2:*:*:vpc/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingEMRTagsDuringDefaultSecurityGroupCreation",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true",
"ec2:CreateAction": "CreateSecurityGroup"
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role>"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-aws-111122223333>-region>/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
```
------
以下中间用户策略允许大多数 EMR Studio 操作,并允许用户使用集群模板创建新的 Amazon EMR 集群。
### 中间策略
**重要**
该示例策略不包括 `CreateStudioPresignedUrl` 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 [将用户或组分配到 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 `Condition` 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 [创建 EMR Studio 服务角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateRepository",
"elasticmapreduce:DescribeRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:GetOnClusterAppUIPresignedURL"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRContainersBasicActions",
"Action": [
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeJobRun",
"emr-containers:ListJobRuns"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowRetrievingManagedEndpointCredentials",
"Effect": "Allow",
"Action": [
"emr-containers:GetManagedEndpointSessionCredentials"
],
"Resource": [
"arn:aws:emr-containers:us-west-1:123456789012:/virtualclusters/virtual-cluster-id/endpoints/managed-endpoint-id"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"arn:aws:iam::123456789012:role/emr-on-eks-execution-role"
]
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowClusterTemplateRelatedIntermediateActions",
"Action": [
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:DescribeRecord",
"cloudformation:DescribeStackResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-123456789012-us-east-1/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
}
]
}
```
------
以下高级用户策略允许所有 EMR Studio 操作,并允许用户使用集群模板或通过提供集群配置创建新的 Amazon EMR 集群。
### 高级策略
**重要**
该示例策略不包括 `CreateStudioPresignedUrl` 权限,当您使用 IAM 身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 [将用户或组分配到 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
该示例策略包括要强制执行基于标签的访问控制 (TBAC) 的 `Condition` 元素,以便您可以将该策略与 EMR Studio 的示例服务角色配合使用。有关更多信息,请参阅 [创建 EMR Studio 服务角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateRepository",
"elasticmapreduce:DescribeRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:GetOnClusterAppUIPresignedURL"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRContainersBasicActions",
"Action": [
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeJobRun",
"emr-containers:ListJobRuns"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowRetrievingManagedEndpointCredentials",
"Effect": "Allow",
"Action": [
"emr-containers:GetManagedEndpointSessionCredentials"
],
"Resource": [
"arn:aws:emr-containers:*:123456789012:/virtualclusters/virtual-cluster-id/endpoints/managed-endpoint-id"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"arn:aws:iam::123456789012:role/emr-on-eks-execution-role"
]
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowClusterTemplateRelatedIntermediateActions",
"Action": [
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:DescribeRecord",
"cloudformation:DescribeStackResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRCreateClusterAdvancedActions",
"Action": [
"elasticmapreduce:RunJobFlow"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role",
"arn:aws:iam::*:role/EMR_DefaultRole_V2",
"arn:aws:iam::*:role/EMR_EC2_DefaultRole"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-123456789012-us-east-1/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "SageMakerDataWranglerForEMRStudio",
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:ListUserProfiles"
],
"Resource": [
"*"
]
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowCodeWhisperer",
"Effect": "Allow",
"Action": [
"codewhisperer:GenerateRecommendations"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowAthenaSQL",
"Action": [
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryRuntimeStatistics",
"athena:GetQueryResults",
"athena:ListQueryExecutions",
"athena:BatchGetQueryExecution",
"athena:GetNamedQuery",
"athena:ListNamedQueries",
"athena:BatchGetNamedQuery",
"athena:UpdateNamedQuery",
"athena:DeleteNamedQuery",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"athena:ListDatabases",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetTableMetadata",
"athena:ListWorkGroups",
"athena:GetWorkGroup",
"athena:CreateNamedQuery",
"athena:GetPreparedStatement",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition",
"kms:ListAliases",
"kms:ListKeys",
"kms:DescribeKey",
"lakeformation:GetDataAccess",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
```
------
以下用户策略包含将 EMR Serverless 交互式应用程序与 EMR Studio Workspace 结合使用所需的最低用户权限。
### EMR Serveless 交互式策略
[在此示例策略中,使用 EMR Studio 拥有 EMR 无服务器交互式应用程序的用户权限,*emr-studio-service-role*请将和的占位符替换为正确的 EMR Stud [io 服务](emr-studio-service-role.md)角色和 *serverless-runtime-role* EMR 无服务器运行时角色。](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.html)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:UpdateStudio",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateStudio",
"elasticmapreduce:DescribeStudio",
"elasticmapreduce:DeleteStudio",
"elasticmapreduce:ListStudios",
"elasticmapreduce:CreateStudioPresignedUrl"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/emr-studio-service-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndGetPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
```
------
## AWS Identity and Access Management EMR Studio 用户的权限
下表包括用户可能执行的每个 Amazon EMR Studio 运营,并列出了执行该运营所需的最低 IAM 操作。您允许在 IAM 权限策略(当您使用 IAM 身份验证时)或用户角色会话策略(当您使用 IAM Identity Center 身份验证时)中执行这些针对 EMR Studio 的操作。
该表还显示了 EMR Studio 的每个示例权限策略中允许的运营。有关示例权限策略的更多信息,请参阅 [为 EMR Studio 用户创建权限策略](#emr-studio-permissions-policies)。
| Action | Basic | 中间 | 高级 | 关联操作 |
| --- | --- | --- | --- | --- |
| 创建和删除 Workspaces | 支持 | 是 | 是 | "elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:DeleteEditor"
|
| 查看协作面板、启用 Workspace 协作并添加协作者。有关更多信息,请参阅[设置 Workspace 协作的所有权](#emr-studio-workspace-collaboration-permissions)。 | 支持 | 是 | 是 | "elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
|
| 创建新的 EMR 集群时,请查看与 Studio 同一个账户中的 Amazon S3 Control 存储桶列表,在使用 Web UI 调试应用程序时访问容器日志 | 支持 | 是 | 是 | "s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
|
| 访问 Workspaces | 支持 | 是 | 是 | "elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:OpenEditorInConsole"
|
| 附加或分离与 Workspace 关联的现有 Amazon EMR 集群 | 支持 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions"
|
| 附加或分离 Amazon EMR on EKS 集群 | 支持 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:GetManagedEndpointSessionCredentials"
|
| 附加或分离与 Workspace 关联的 EMR Serverless 应用程序 | 否 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints",
"iam:PassRole"
需要具有 `PassRole` 权限才能传递 EMR Serverless 作业运行时系统角色。有关更多信息,请参阅《Amazon EMR Serverless 用户指南》中的 [Job runtime roles](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.html)**。 |
| 使用持久的应用程序用户界面调试 Amazon EMR on EC2 任务 | 支持 | 是 | 是 | "elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:DescribeCluster",
"s3:ListBucket",
"s3:GetObject"
|
| 使用集群上应用程序用户界面调试 Amazon EMR on EC2 任务 | 支持 | 是 | 是 | "elasticmapreduce:GetOnClusterAppUIPresignedURL"
|
| 使用 Spark 历史记录服务器调试 Amazon EMR on EKS 任务运行 | 支持 | 是 | 是 | "elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListJobRuns",
"emr-containers:DescribeJobRun",
"s3:ListBucket",
"s3:GetObject"
|
| 创建和删除 Git 存储库 | 支持 | 是 | 是 | "elasticmapreduce:CreateRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:DescribeRepository",
"secretsmanager:CreateSecret",
"secretsmanager:ListSecrets",
"secretsmanager:TagResource"
|
| 链接和取消链接 Git 存储库 | 支持 | 是 | 是 | "elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:DescribeRepository"
|
| 根据预定义的集群模板创建新集群 | 否 | 是 | 是 | "servicecatalog:SearchProducts",
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:DescribeRecord",
"servicecatalog:ListLaunchPaths",
"cloudformation:DescribeStackResources",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster"
|
| 请提供集群配置以创建新集群。 | 否 | 否 | 是 | "elasticmapreduce:RunJobFlow",
"iam:PassRole",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster"
|
| [当您使用 IAM 身份验证模式时,将用户分配给 Studio。](emr-studio-manage-users.md#emr-studio-assign-users-groups) | 否 | 否 | 否 | "elasticmapreduce:CreateStudioPresignedUrl"
|
| 描述网络对象。 | 支持 | 是 | 是 | JSON
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
}
]
}
``` |
| 列出 IAM 角色。 | 支持 | 是 | 是 | JSON
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
``` |
| [从 Amazon A SageMaker I Studio 连接到 EMR Studio,然后使用 Data Wrangler 可视化界面。](https://aws.amazon.com/blogs/machine-learning/prepare-data-from-amazon-emr-for-machine-learning-using-amazon-sagemaker-data-wrangler/) | 否 | 否 | 是 | "sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:ListUserProfiles"
|
| [ CodeWhisperer 在您的 EMR Studio 中使用亚马逊。](emr-studio-codewhisperer.md) | 否 | 否 | 是 | "codewhisperer:GenerateRecommendations"
|
| [从 EMR Studio 访问 Amazon Athena SQL 编辑器。](emr-studio-athena.md)此列表可能不包括使用所有 Athena 功能所需的所有权限。要了解更多 up-to-date列表,请参阅 [Athena 完全访问政策。](https://docs.aws.amazon.com/athena/latest/ug/managed-policies.html#amazonathenafullaccess-managed-policy) | 否 | 否 | 是 | "athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryRuntimeStatistics",
"athena:GetQueryResults",
"athena:ListQueryExecutions",
"athena:BatchGetQueryExecution",
"athena:GetNamedQuery",
"athena:ListNamedQueries",
"athena:BatchGetNamedQuery",
"athena:UpdateNamedQuery",
"athena:DeleteNamedQuery",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"athena:ListDatabases",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetTableMetadata",
"athena:ListWorkGroups",
"athena:GetWorkGroup",
"athena:CreateNamedQuery",
"athena:GetPreparedStatement",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition",
"kms:ListAliases",
"kms:ListKeys",
"kms:DescribeKey",
"lakeformation:GetDataAccess",
"s3:GetBucketLocation",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
|