View a markdown version of this page

Actions, resources, and condition keys for Amazon EMR on EKS (EMR Containers) - Service Authorization Reference

Actions, resources, and condition keys for Amazon EMR on EKS (EMR Containers)

Amazon EMR on EKS (EMR Containers) (service prefix: emr-containers) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon EMR on EKS (EMR Containers)

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CancelJobRun

emr-containers:CancelJobRun

Write

CreateJobTemplate

emr-containers:CreateJobTemplate

Write

emr-containers:TagResource

Tagging, Write

CreateManagedEndpoint

emr-containers:CreateManagedEndpoint

Write

emr-containers:TagResource

Tagging, Write

ec2:AuthorizeSecurityGroupEgress

Write

ec2:AuthorizeSecurityGroupIngress

Write

ec2:CreateSecurityGroup

Write

ec2:DeleteSecurityGroup

Write

ec2:RevokeSecurityGroupEgress

Write

ec2:RevokeSecurityGroupIngress

Write

iam:PassRole

iam:PassedToService

pods.eks.amazonaws.com

Write

CreateSecurityConfiguration

emr-containers:CreateSecurityConfiguration

Write

emr-containers:TagResource

Tagging, Write

CreateVirtualCluster

emr-containers:CreateVirtualCluster

Write

emr-containers:TagResource

Tagging, Write

DeleteJobTemplate

emr-containers:DeleteJobTemplate

Write

DeleteManagedEndpoint

emr-containers:DeleteManagedEndpoint

Write

ec2:DeleteSecurityGroup

Write

ec2:RevokeSecurityGroupEgress

Write

ec2:RevokeSecurityGroupIngress

Write

DeleteVirtualCluster

emr-containers:DeleteVirtualCluster

Write

eks:AssociateAccessPolicy

Write

eks:DeleteAccessEntry

Write

eks:DescribeAccessEntry

Read

eks:DisassociateAccessPolicy

Write

eks:ListAssociatedAccessPolicies

List

DescribeJobRun

emr-containers:DescribeJobRun

Read

DescribeJobTemplate

emr-containers:DescribeJobTemplate

Read

DescribeManagedEndpoint

emr-containers:DescribeManagedEndpoint

Read

DescribeSecurityConfiguration

emr-containers:DescribeSecurityConfiguration

Read

DescribeVirtualCluster

emr-containers:DescribeVirtualCluster

Read

GetManagedEndpointSessionCredentials

emr-containers:GetManagedEndpointSessionCredentials

Write

ListJobRuns

emr-containers:ListJobRuns

List

ListJobTemplates

emr-containers:ListJobTemplates

List

ListManagedEndpoints

emr-containers:ListManagedEndpoints

List

ListSecurityConfigurations

emr-containers:ListSecurityConfigurations

List

ListTagsForResource

emr-containers:ListTagsForResource

List

ListVirtualClusters

emr-containers:ListVirtualClusters

List

StartJobRun

emr-containers:DescribeJobTemplate

Read

emr-containers:StartJobRun

Write

emr-containers:TagResource

Tagging, Write

iam:PassRole

iam:PassedToService

pods.eks.amazonaws.com

Write

TagResource

emr-containers:TagResource

Tagging, Write

UntagResource

emr-containers:UntagResource

Tagging, Write

Actions defined by Amazon EMR on EKS (EMR Containers)

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CancelJobRun

Grants permission to cancel a job run

jobRun*

aws:ResourceTag/${TagKey}

Write

CreateCertificate

Grants permission to call the CreateCertificate method to accept the CertificateSigningRequest, and return the signed certificate

Write

CreateJobTemplate

Grants permission to create a job template

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateManagedEndpoint

Grants permission to create a managed endpoint

virtualCluster*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

emr-containers:ExecutionRoleArn

Write

CreateSecurityConfiguration

Grants permission to create a security configuration

aws:RequestTag/${TagKey}

aws:TagKeys

Write

CreateVirtualCluster

Grants permission to create a virtual cluster

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteJobTemplate

Grants permission to delete a job template

jobTemplate*

aws:ResourceTag/${TagKey}

Write

DeleteManagedEndpoint

Grants permission to delete a managed endpoint

managedEndpoint*

aws:ResourceTag/${TagKey}

Write

DeleteSecurityConfiguration

Grants permission to delete a security configuration

securityConfiguration*

aws:ResourceTag/${TagKey}

Write

DeleteVirtualCluster

Grants permission to delete a virtual cluster

virtualCluster*

aws:ResourceTag/${TagKey}

Write

DescribeJobRun

Grants permission to describe a job run

jobRun*

aws:ResourceTag/${TagKey}

Read

DescribeJobTemplate

Grants permission to describe a job template

jobTemplate*

aws:ResourceTag/${TagKey}

Read

DescribeManagedEndpoint

Grants permission to describe a managed endpoint

managedEndpoint*

aws:ResourceTag/${TagKey}

Read

DescribeSecurityConfiguration

Grants permission to describe a security configuration

securityConfiguration*

aws:ResourceTag/${TagKey}

Read

DescribeVirtualCluster

Grants permission to describe a virtual cluster

virtualCluster*

aws:ResourceTag/${TagKey}

Read

GetManagedEndpointSessionCredentials

Grants permission to generate a session token used to connect to a managed endpoint

managedEndpoint*

aws:ResourceTag/${TagKey}

Write

ListJobRuns

Grants permission to list job runs associated with a virtual cluster

virtualCluster*

aws:ResourceTag/${TagKey}

List

ListJobTemplates

Grants permission to list job templates

List

ListManagedEndpoints

Grants permission to list managed endpoints associated with a virtual cluster

virtualCluster*

aws:ResourceTag/${TagKey}

List

ListSecurityConfigurations

Grants permission to list security configurations

List

ListTagsForResource

Grants permission to list tags for the specified resource

jobRun

aws:ResourceTag/${TagKey}

List

jobTemplate

aws:ResourceTag/${TagKey}

managedEndpoint

aws:ResourceTag/${TagKey}

securityConfiguration

aws:ResourceTag/${TagKey}

virtualCluster

aws:ResourceTag/${TagKey}

ListVirtualClusters

Grants permission to list virtual clusters

List

StartJobRun

Grants permission to start a job run

virtualCluster*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

emr-containers:ExecutionRoleArn

emr-containers:JobTemplateArn

Write

TagResource

Grants permission to tag the specified resource

jobRun

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

jobTemplate

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

managedEndpoint

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

securityConfiguration

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

virtualCluster

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to untag the specified resource

jobRun

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

jobTemplate

aws:ResourceTag/${TagKey}

aws:TagKeys

managedEndpoint

aws:ResourceTag/${TagKey}

aws:TagKeys

securityConfiguration

aws:ResourceTag/${TagKey}

aws:TagKeys

virtualCluster

aws:ResourceTag/${TagKey}

aws:TagKeys

Resource types defined by Amazon EMR on EKS (EMR Containers)

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

jobRun

arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${VirtualClusterId}/jobruns/${JobRunId}

aws:ResourceTag/${TagKey}

jobTemplate

arn:${Partition}:emr-containers:${Region}:${Account}:/jobtemplates/${JobTemplateId}

aws:ResourceTag/${TagKey}

managedEndpoint

arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${VirtualClusterId}/endpoints/${EndpointId}

aws:ResourceTag/${TagKey}

securityConfiguration

arn:${Partition}:emr-containers:${Region}:${Account}:/securityconfigurations/${SecurityConfigurationId}

aws:ResourceTag/${TagKey}

virtualCluster

arn:${Partition}:emr-containers:${Region}:${Account}:/virtualclusters/${VirtualClusterId}

aws:ResourceTag/${TagKey}

Condition keys for Amazon EMR on EKS (EMR Containers)

Amazon EMR on EKS (EMR Containers) defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tag key-value pairs present in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tag key-value pairs attached to the resource

String

aws:TagKeys

Filters access by the tag keys present in the request

ArrayOfString

emr-containers:ExecutionRoleArn

Filters access by the execution role arn present in the request

ARN

emr-containers:JobTemplateArn

Filters access by the job template arn present in the request

ARN