Getting started with AWS IAM Identity Center integration for Amazon EMR
This section helps you configure Amazon EMR to integrate with AWS IAM Identity Center.
Topics
- Create an Identity Center instance
- Create an IAM role for Identity Center
- Add permissions for services not integrated with IAM Identity Center
- Create an Identity Center enabled security configuration
- Create and launch an Identity Center enabled cluster
- Configure Lake Formation for an IAM Identity Center enabled EMR cluster
- Working with S3 Access Grants on an IAM Identity Center enabled EMR cluster
Note
In order to use Identity Center integration with EMR, Lake Formation or S3 Access Grants must be enabled. You can also use both. If neither is enabled, Identity Center integration isn't supported.
Create an Identity Center instance
If you don't already have one, create an Identity Center instance in the AWS Region where you want to launch your EMR cluster. An Identity Center instance can only exist in a single Region for an AWS account.
Use the following AWS CLI command to create a new instance named
MyInstance
aws sso-admin create-instance --nameMyInstance
Create an IAM role for Identity Center
To integrate Amazon EMR with AWS IAM Identity Center, create an IAM role that authenticates with Identity Center from the EMR cluster. Under the hood, Amazon EMR uses SigV4 credentials to relay the Identity Center identity to downstream services such as AWS Lake Formation. Your role should also have the respective permissions to invoke the downstream services.
When you create the role, use the following permissions policy:
{ "Statement": [ { "Sid": "IdCPermissions", "Effect": "Allow", "Action": [ "sso-oauth:*" ], "Resource": "*" }, { "Sid": "GlueandLakePermissions", "Effect": "Allow", "Action": [ "glue:*", "lakeformation:GetDataAccess" ], "Resource": "*" }, { "Sid": "AccessGrantsPermissions", "Effect": "Allow", "Action": [ "s3:GetDataAccess", "s3:GetAccessGrantsInstanceForPrefix" ], "Resource": "*" } ] }
The trust policy for this role allows the InstanceProfile role to let it assume the role.
{ "Sid": "AssumeRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::12345678912:role/EMR_EC2_DefaultRole" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ] }
If the role doesn't have trusted credentials and accesses a Lake Formation-protected table, Amazon EMR automatically
sets the principalId of the assumed role to userID-untrustedprincipalId.
{ "eventVersion": "1.09", "userIdentity": { "type": "AssumedRole", "principalId": "ABCDEFGH1JKLMNO2PQR3TU:5000-untrusted", "arn": "arn:aws:sts::123456789012:assumed-role/EMR_TIP/5000-untrusted", "accountId": "123456789012", "accessKeyId": "ABCDEFGH1IJKLMNOPQ7R3" ...
Add permissions for services not integrated with IAM Identity Center
AWS credentials that use trusted identity propagation use the IAM policies defined in the IAM role for any calls made to services not integrated with IAM Identity Center. This includes, for example, the AWS Key Management Service. Your role should also define any IAM permissions for any such services you would attempt to access. Currently supported IAM Identity Center integrated services include AWS Lake Formation and Amazon S3 Access Grants.
To learn more about trusted identity propagation, see Trusted identity propagation across applications.
Create an Identity Center enabled security configuration
To launch an EMR cluster with IAM Identity Center integration, use the following example command to create an Amazon EMR security configuration that has Identity Center enabled. Each configuration is explained below.
aws emr create-security-configuration --name "IdentityCenterConfiguration-with-lf-accessgrants" --region "us-west-2" --security-configuration '{ "AuthenticationConfiguration":{ "IdentityCenterConfiguration":{ "EnableIdentityCenter":true, "IdentityCenterApplicationAssigmentRequired":false, "IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789", "IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::123456789012:role/tip-role" } }, "AuthorizationConfiguration": { "LakeFormationConfiguration": { "EnableLakeFormation": true } }, "EncryptionConfiguration": { "EnableInTransitEncryption": true, "EnableAtRestEncryption": false, "InTransitEncryptionConfiguration": { "TLSCertificateConfiguration": { "CertificateProviderType": "PEM", "S3Object": "s3://amzn-s3-demo-bucket/cert/my-certs.zip" } } } }'
-
EnableIdentityCenter– (required) Enables Identity Center integration. -
IdentityCenterInstanceARN– (optional) The Identity Center instance ARN. If this isn't included, the existing IAM Identity Center instance ARN is looked up as part of the configuration step. -
IAMRoleForEMRIdentityCenterApplicationARN– (required) The IAM role that procures Identity Center tokens from the cluster. -
IdentityCenterApplicationAssignmentRequired– (boolean) Governs if an assignment will be required to use the Identity Center application. This field is optional. If a value isn't provided, the default isfalse. -
AuthorizationConfiguration/LakeFormationConfiguration– Optionally, configure authorization:-
EnableLakeFormation– Enable Lake Formation authorization on the cluster.
-
To enable Identity Center integration with Amazon EMR, you must specify
EncryptionConfiguration and
IntransitEncryptionConfiguration.
Create and launch an Identity Center enabled cluster
Now that you've set up the IAM role that authenticates with Identity Center, and created an Amazon EMR security configuration that has Identity Center enabled, you can create and launch your identity-aware cluster. For steps to launch your cluster with the required security configuration, see Specify a security configuration for an Amazon EMR cluster.
The following sections describe how to configure your Identity Center enabled cluster with security options that Amazon EMR supports:
