Create and manage administrator permissions for EMR Studio - Amazon EMR

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

Create and manage administrator permissions for EMR Studio

The IAM permissions described on this page let you create and manage an EMR Studio. For details on each required permission, see Permissions required to manage an EMR Studio.

Permissions required to manage an EMR Studio

The following table lists the operations associated with creating and managing an EMR Studio, together with the permissions each operation requires.

Note

The IAM Identity Center (sso and sso-directory) actions and the Studio SessionMapping actions are required only when you use IAM Identity Center authentication mode.

Permissions to create and manage an EMR Studio

Operation: Create a Studio
Permissions: "elasticmapreduce:CreateStudio", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration", "iam:PassRole"

Operation: Describe a Studio
Permissions: "elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"

Operation: List Studios
Permissions: "elasticmapreduce:ListStudios"

Operation: Delete a Studio
Permissions: "elasticmapreduce:DeleteStudio", "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant"

Additional permissions required when you use IAM Identity Center mode

Operation: Assign a user or group to a Studio
Permissions: "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListInstances", "sso:CreateApplicationAssignment", "sso:DescribeInstance", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "sso:CreateInstance", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies"

Operation: Retrieve the Studio assignment details for a specific user or group
Permissions: "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "elasticmapreduce:GetStudioSessionMapping"

Operation: List all users and groups assigned to a Studio
Permissions: "elasticmapreduce:ListStudioSessionMappings"

Operation: Update the session policy attached to a user or group assigned to a Studio
Permissions: "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "sso:DescribeInstance", "elasticmapreduce:UpdateStudioSessionMapping"

Operation: Remove a user or group from a Studio
Permissions: "elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:DescribeApplication", "sso:DescribeInstance", "sso:ListProfiles", "sso:DisassociateProfile", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments"
Create a policy with administrator permissions for EMR Studio
  1. Follow the instructions in Creating IAM policies to create a policy using one of the following examples. The permissions you need depend on your EMR Studio authentication mode.

    Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the AWS Region where you plan to create the Studio.

    • Replace <aws-account-id> with the ID of the AWS account for the Studio.

    • Replace <EMRStudio-Service-Role> and <EMRStudio-User-Role> with the names of your EMR Studio service role and EMR Studio user role.

    Example policy: administrator permissions when you use IAM authentication mode

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
          "Action": [
            "elasticmapreduce:CreateStudio",
            "elasticmapreduce:DescribeStudio",
            "elasticmapreduce:DeleteStudio"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "<your-resource-ARN>",
          "Action": [
            "elasticmapreduce:ListStudios"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
          ],
          "Action": "iam:PassRole"
        }
      ]
    }
    Example policy: administrator permissions when you use IAM Identity Center authentication mode

    Note

    The IAM Identity Center and IAM Identity Center Directory APIs do not support specifying an ARN in the Resource element of an IAM policy statement. To allow access to IAM Identity Center and the IAM Identity Center directory, the following policy specifies all resources, "Resource": "*", for the IAM Identity Center actions. For more information, see Actions, resources, and condition keys for IAM Identity Center Directory.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
          "Action": [
            "elasticmapreduce:CreateStudio",
            "elasticmapreduce:DescribeStudio",
            "elasticmapreduce:DeleteStudio",
            "elasticmapreduce:CreateStudioSessionMapping",
            "elasticmapreduce:GetStudioSessionMapping",
            "elasticmapreduce:UpdateStudioSessionMapping",
            "elasticmapreduce:DeleteStudioSessionMapping"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": "<your-resource-ARN>",
          "Action": [
            "elasticmapreduce:ListStudios",
            "elasticmapreduce:ListStudioSessionMappings"
          ]
        },
        {
          "Effect": "Allow",
          "Resource": [
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
            "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
          ],
          "Action": "iam:PassRole"
        },
        {
          "Effect": "Allow",
          "Resource": "*",
          "Action": [
            "sso:CreateApplication",
            "sso:PutApplicationAuthenticationMethod",
            "sso:PutApplicationGrant",
            "sso:PutApplicationAccessScope",
            "sso:PutApplicationAssignmentConfiguration",
            "sso:DescribeApplication",
            "sso:DeleteApplication",
            "sso:DeleteApplicationAuthenticationMethod",
            "sso:DeleteApplicationAccessScope",
            "sso:DeleteApplicationGrant",
            "sso:ListInstances",
            "sso:CreateApplicationAssignment",
            "sso:DeleteApplicationAssignment",
            "sso:ListApplicationAssignments",
            "sso:DescribeInstance",
            "sso:AssociateProfile",
            "sso:DisassociateProfile",
            "sso:GetProfile",
            "sso:ListDirectoryAssociations",
            "sso:ListProfiles",
            "sso-directory:SearchUsers",
            "sso-directory:SearchGroups",
            "sso-directory:DescribeUser",
            "sso-directory:DescribeGroup",
            "organizations:DescribeOrganization",
            "organizations:ListDelegatedAdministrators",
            "sso:CreateInstance",
            "sso:DescribeRegisteredRegions",
            "sso:GetSharedSsoConfiguration",
            "iam:ListPolicies"
          ]
        }
      ]
    }
  2. Attach the policy to your IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.
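The two steps above assemble the administrator policy by hand from the permissions table and the example policies. The following Python script is an added example, not code from the AWS documentation: it generates the administrator policy for either authentication mode from the per-operation action lists in the table on this page, lays it out like the two examples (Studio ARN, list resource, iam:PassRole on the named roles, IAM Identity Center actions on "*"), and lints the result for the mistakes a reviewer would reject: an unresolved <placeholder>, a wildcard action, iam:PassRole granted on anything but specific role ARNs, and a non-List elasticmapreduce action on "*". The function names, the lint rules, and any account, Region or role values passed to it are this example's assumptions, not values from the page.

```python
"""Build and lint an EMR Studio administrator policy (added example, not AWS code).

Action lists are copied from this page's permissions table and the statement layout
follows its two example policies; function names and lint rules are this example's own.
"""

DIRECTORY_LOOKUP = ["sso-directory:SearchUsers", "sso-directory:SearchGroups",
                    "sso-directory:DescribeUser", "sso-directory:DescribeGroup"]

# Operation -> required actions. These four rows apply in both authentication modes.
OPERATIONS = {
    "Create a Studio": [
        "elasticmapreduce:CreateStudio", "sso:CreateApplication", "iam:PassRole",
        "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration"],
    "Describe a Studio": ["elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"],
    "List Studios": ["elasticmapreduce:ListStudios"],
    "Delete a Studio": [
        "elasticmapreduce:DeleteStudio", "sso:DeleteApplication", "sso:DeleteApplicationGrant",
        "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope"],
}
# Session-mapping rows, which exist only in IAM Identity Center mode.
IDENTITY_CENTER_OPERATIONS = {
    "Assign a user or group to a Studio": DIRECTORY_LOOKUP + [
        "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListProfiles",
        "sso:ListDirectoryAssociations", "sso:AssociateProfile", "sso:ListInstances",
        "sso:CreateApplicationAssignment", "sso:DescribeInstance", "sso:CreateInstance",
        "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators",
        "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies"],
    "Get a Studio assignment": DIRECTORY_LOOKUP + [
        "sso:DescribeApplication", "elasticmapreduce:GetStudioSessionMapping"],
    "List Studio assignments": ["elasticmapreduce:ListStudioSessionMappings"],
    "Update a session policy": DIRECTORY_LOOKUP + [
        "sso:DescribeApplication", "sso:DescribeInstance", "elasticmapreduce:UpdateStudioSessionMapping"],
    "Remove a user or group from a Studio": DIRECTORY_LOOKUP + [
        "elasticmapreduce:DeleteStudioSessionMapping", "sso:ListDirectoryAssociations",
        "sso:GetProfile", "sso:DescribeApplication", "sso:DescribeInstance", "sso:ListProfiles",
        "sso:DisassociateProfile", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments"],
}
IDENTITY_CENTER_PREFIXES = ("sso:", "sso-directory:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def required_actions(mode):
    """All actions the table lists for `mode`: "IAM" or "IDENTITY_CENTER"."""
    if mode == "IDENTITY_CENTER":
        return {a for acts in {**OPERATIONS, **IDENTITY_CENTER_OPERATIONS}.values() for a in acts}
    if mode != "IAM":
        raise ValueError(f"unknown authentication mode {mode!r}")
    # Per the note on this page, Identity Center actions are needed only in IC mode.
    return {a for acts in OPERATIONS.values() for a in acts
            if not a.startswith(IDENTITY_CENTER_PREFIXES)}


def build_admin_policy(mode, region, account_id, service_role, user_role=None, list_resource="*"):
    """Policy document for `mode`, laid out like the two examples on this page."""
    actions = sorted(required_actions(mode))
    roles = [f"arn:aws:iam::{account_id}:role/{r}" for r in (service_role, user_role) if r]
    emr_list = [a for a in actions if a.startswith("elasticmapreduce:List")]
    emr_studio = [a for a in actions if a.startswith("elasticmapreduce:") and a not in emr_list]
    # sso, sso-directory, organizations and iam:ListPolicies go on "*": the IC APIs take no ARN.
    unscoped = [a for a in actions if a not in emr_studio + emr_list + ["iam:PassRole"]]
    statements = [
        {"Effect": "Allow", "Action": emr_studio,
         "Resource": f"arn:aws:elasticmapreduce:{region}:{account_id}:studio/*"},
        {"Effect": "Allow", "Action": emr_list, "Resource": list_resource},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": roles},
    ]
    if unscoped:
        statements.append({"Effect": "Allow", "Action": unscoped, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Findings a reviewer would reject the policy for; an empty list means it passed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        findings += [f"statement {i}: unresolved placeholder {r!r}" for r in resources if "<" in r]
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a!r}")
            elif a == "iam:PassRole" and not all(
                    r.startswith("arn:aws:iam::") and "*" not in r for r in resources):
                findings.append(f"statement {i}: iam:PassRole must name specific role ARNs")
            elif (a.startswith("elasticmapreduce:") and "*" in resources
                  and not a.startswith("elasticmapreduce:List")):
                findings.append(f"statement {i}: {a} should be scoped to a Studio ARN")
            elif a.startswith(IDENTITY_CENTER_PREFIXES) and resources != ["*"]:
                findings.append(f'statement {i}: {a} needs Resource "*"')
    return findings


def missing_actions(policy, mode):
    """Actions the table requires for `mode` that `policy` does not allow."""
    allowed = {a for s in policy["Statement"] if s["Effect"] == "Allow" for a in _as_list(s["Action"])}
    return required_actions(mode) - allowed
```

Serialize the returned dict with json.dumps, save it to a file, and create the policy with aws iam create-policy --policy-document file://policy.json before attaching it as in step 2. Because the generator works from the table rather than from the example policies, its Identity Center output also grants sso:GetManagedApplicationInstance for Describe Studio, which the table lists but the example policy above does not include; keep or drop it according to what your Describe calls actually need. lint_policy is also useful on a hand-written policy: run it on the page's example after substituting your values to confirm that no <placeholder> survived and that iam:PassRole still names only the two Studio roles.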