本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
为亚马逊EC2或亚马逊配置 EMR Studio 用户权限 EKS
您必须为 Amazon EMR Studio 配置用户权限策略,这样才能设置精细的用户和群组权限。有关用户权限如何在 EMR Studio 中发挥作用的信息,请参阅访问控制中的Amazon EMR Studio 工作原理。
注意
本部分中介绍的权限不会强制执行数据访问控制。要管理对输入数据集的访问,您应该为 Studio 使用的集群配置权限。有关更多信息,请参阅 亚马逊的安全 EMR。
为IAM身份中心身份验证模式创建 EMR Studio 用户角色
使用IAM身份中心身份验证模式时,必须创建 EMR Studio 用户角色。
为 EMR Studio 创建用户角色
-
按照《AWS Identity and Access Management 用户指南》中创建角色向 AWS 服务委派权限中的说明创建用户角色。
在创建角色时,使用以下信任关系策略。
{ "Version": "2008-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "elasticmapreduce.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:SetContext" ] } ] } -
删除默认角色权限和策略。
-
在向 Studio 分配用户和群组之前,请将您的 EMR Studio 会话策略附加到用户角色。有关如何创建会话策略的说明,请参阅 为 EMR Studio 用户创建权限策略。
为 EMR Studio 用户创建权限策略
要为 EMR Studio 创建权限策略,请参阅以下章节。
注意
要设置存储笔记本文件的 Amazon S3 访问权限,以及在将工作空间链接到 Git 存储库时设置读取密钥的 AWS Secrets Manager 访问权限,请使用 EMR Studio 服务角色。
创建权限策略
创建一个或多个IAM权限策略,指定用户可以在您的 Studio 中执行的操作。例如,您可以使用此页面上的示例策略为基本、中间和高级 Studio 用户类型创建三个独立策略。
有关用户可能执行的每个 Studio 操作的明细以及执行每项操作所需的最低限度IAM操作,请参阅AWS Identity and Access Management EMRStudio 用户的权限。有关创建策略的步骤,请参阅《IAM用户指南》中的创建IAM策略。
您的权限策略必须包含以下语句。
{ "Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect": "Allow", "Action": "secretsmanager:TagResource", "Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/your-emr-studio-service-role" ], "Effect": "Allow" }
设置 Workspace 协作的所有权
借助 Workspace 协作功能,多个用户可以在同一 Workspace 中同时工作,并且可以使用 Workspace UI 中的 Collaboration(协作)面板进行配置。要查看和使用 Collaboration(协作)面板,用户必须具有以下权限。任何拥有这些权限的用户都可以查看和使用 Collaboration(协作)面板。
"elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities"
要限制对 Collaboration(协作)面板的访问权限,您可以使用基于标签的访问控制。当用户创建工作区时,EMRStudio 会应用默认标签,creatorUserId其键值为创建工作区的用户的 ID。
注意
EMRStudio 将该creatorUserId标签添加到 2021 年 11 月 16 日之后创建的工作区。要限制谁可以为此日期前创建的工作区配置协作,我们建议为您的工作区手动添加 creatorUserId 标签,然后在用户权限策略中使用基于标签的访问控制。
以下示例语句允许用户为任何具有标签键 creatorUserId 并且标签值与该用户的 ID(由策略变量 aws:userId 指示)一致的 WorkSpace 配置协作。换言之,该语句允许用户为他们创建的 Workspace 配置协作。要了解有关策略变量的更多信息,请参阅《IAM用户指南》中的IAM策略元素:变量和标签。
{ "Sid": "UserRolePermissionsForCollaboration", "Action": [ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}" } } }
创建用户级的 Git 密钥策略
使用用户级权限
EMRStudio 在创建 Git 密钥时会自动添加for-use-with-amazon-emr-managed-user-policies标签。如果要在用户级别控制对 Git 密钥的访问权限,请使用向 EMR Studio 用户角色策略添加基于标签的secretsmanager:GetSecretValue权限,如下从服务级别权限转换为用户级别权限节所示。
如果您在 EMR Studio 服务角色策略secretsmanager:GetSecretValue中拥有现有权限,则应移除这些权限。
从服务级别权限转换为用户级别权限
注意
for-use-with-amazon-emr-managed-user-policies 标签可确保以下步骤 1 中的权限为工作区的创建者授予对 Git 密钥的访问权。但是,如果您在 2023 年 9 月 1 日之前链接 Git 存储库,则相应的 Git 密钥将被拒绝访问,因为它们没有应用 for-use-with-amazon-emr-managed-user-policies 标签。要应用用户级权限,必须从中重新创建旧密钥 JupyterLab 并重新链接相应的 Git 存储库。
有关策略变量的更多信息,请参阅《IAM用户指南》中的IAM策略元素:变量和标签。
-
在 EMRStudio 用户角色策略中添加以下权限。它会使用
for-use-with-amazon-emr-managed-user-policies密钥和值"${aws:。userid}"{ "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "StringEquals": { "secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}" } } } -
如果存在,请从 EMRStudio 服务角色策略中移除以下权限。由于服务角色策略适用于各个用户定义的所有密钥,您只需执行一次即可。
{ "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags", "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:*", "Condition": { "StringEquals": { "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true" } } }
要使用服务级别权限
自 2023 年 9 月 1 日起,EMRStudio 会自动添加用于用户级访问控制的for-use-with-amazon-emr-managed-user-policies标签。由于这是一项附加功能,因此您可以继续使用通过 EMRStudio 服务角色中的GetSecretValue权限提供的服务级别访问权限。
对于 2023 年 9 月 1 日之前创建的机密,EMRStudio 没有添加for-use-with-amazon-emr-managed-user-policies标签。要继续使用服务级别权限,只需保留现有的 EMRStudio 服务角色和用户角色权限即可。但是,要限制可访问某个单独密钥的人员,建议按照 使用用户级权限 中的步骤手动将 for-use-with-amazon-emr-managed-user-policies 标签到密钥中,然后在用户权限策略中使用基于标签的访问控制。
有关策略变量的更多信息,请参阅《IAM用户指南》中的IAM策略元素:变量和标签。
将权限策略附加到您的IAM身份
下表汇总了根据您的 EMR Studio IAM 身份验证模式将权限策略附加到哪个身份。有关如何附加策略的说明,请参阅添加和删除IAM身份权限。
| 如果您使用... | 将策略附加到… |
|---|---|
| IAM认证 | 您的IAM身份(用户、用户组或角色)。例如,您可以将权限策略附加到 AWS 账户中的用户。 |
| IAM与外部身份提供商 (IdP) 联合 |
您为IAM外部 IdP 创建的一个或多个角色。例如,适用IAM于 SAML 2.0 的联合。 EMRStudio 使用您附加到IAM角色的权限来授予对 Studio 具有联合访问权限的用户。 |
| IAM身份中心 | 您的亚马逊 EMR Studio 用户角色。 |
示例用户策略
以下基本用户策略允许大多数 EMR Studio 操作,但不允许用户创建新的 Amazon EMR 集群。
重要
示例策略不包括CreateStudioPresignedUrl权限,在使用IAM身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或群组分配给 EMR Studio。
示例策略包括用于强制执行基于标签的访问控制 (TBAC) 的Condition元素,以便您可以将该策略与 EMR Studio 的示例服务角色一起使用。有关更多信息,请参阅 创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags", "Effect":"Allow", "Action":[ "ec2:CreateSecurityGroup" ], "Resource":[ "arn:aws:ec2:*:*:vpc/*" ], "Condition":{ "StringEquals":{ "aws:ResourceTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingEMRTagsDuringDefaultSecurityGroupCreation", "Effect":"Allow", "Action":[ "ec2:CreateTags" ], "Resource":"arn:aws:ec2:*:*:security-group/*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true", "ec2:CreateAction":"CreateSecurityGroup" } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" } ] }
以下中间用户策略允许大多数 EMR Studio 操作,并允许用户使用EMR集群模板创建新的 Amazon 集群。
重要
示例策略不包括CreateStudioPresignedUrl权限,在使用IAM身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或群组分配给 EMR Studio。
示例策略包括用于强制执行基于标签的访问控制 (TBAC) 的Condition元素,以便您可以将该策略与 EMR Studio 的示例服务角色一起使用。有关更多信息,请参阅 创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" } ] }
以下高级用户策略允许所有 EMR Studio 操作,并允许用户使用EMR集群模板或通过提供集群配置来创建新的 Amazon 集群。
重要
示例策略不包括CreateStudioPresignedUrl权限,在使用IAM身份验证模式时,必须允许用户使用该权限。有关更多信息,请参阅 将用户或群组分配给 EMR Studio。
示例策略包括用于强制执行基于标签的访问控制 (TBAC) 的Condition元素,以便您可以将该策略与 EMR Studio 的示例服务角色一起使用。有关更多信息,请参阅 创建 EMR Studio 服务角色。
{ "Version":"2012-10-17", "Statement":[ { "Sid":"AllowEMRBasicActions", "Action":[ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateRepository", "elasticmapreduce:DescribeRepository", "elasticmapreduce:DeleteRepository", "elasticmapreduce:ListRepositories", "elasticmapreduce:LinkRepository", "elasticmapreduce:UnlinkRepository", "elasticmapreduce:DescribeCluster", "elasticmapreduce:ListInstanceGroups", "elasticmapreduce:ListBootstrapActions", "elasticmapreduce:ListClusters", "elasticmapreduce:ListSteps", "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL", "elasticmapreduce:GetOnClusterAppUIPresignedURL" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRContainersBasicActions", "Action":[ "emr-containers:DescribeVirtualCluster", "emr-containers:ListVirtualClusters", "emr-containers:DescribeManagedEndpoint", "emr-containers:ListManagedEndpoints", "emr-containers:DescribeJobRun", "emr-containers:ListJobRuns" ], "Resource":"*", "Effect":"Allow" }, { "Sid": "AllowRetrievingManagedEndpointCredentials", "Effect": "Allow", "Action": [ "emr-containers:GetManagedEndpointSessionCredentials" ], "Resource": [ "arn:aws:emr-containers:<region>:<account-id>:/virtualclusters/<virtual-cluster-id>/endpoints/<managed-endpoint-id>" ], "Condition": { "StringEquals": { "emr-containers:ExecutionRoleArn": [ "arn:aws:iam::<account-id>:role/<emr-on-eks-execution-role>" ] } } }, { "Sid":"AllowSecretManagerListSecrets", "Action":[ "secretsmanager:ListSecrets" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowSecretCreationWithEMRTagsAndEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:CreateSecret", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*", "Condition":{ "StringEquals":{ "aws:RequestTag/for-use-with-amazon-emr-managed-policies":"true" } } }, { "Sid":"AllowAddingTagsOnSecretsWithEMRStudioPrefix", "Effect":"Allow", "Action":"secretsmanager:TagResource", "Resource":"arn:aws:secretsmanager:*:*:secret:emr-studio-*" }, { "Sid":"AllowClusterTemplateRelatedIntermediateActions", "Action":[ "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:ListProvisioningArtifacts", "servicecatalog:ListLaunchPaths", "servicecatalog:DescribeRecord", "cloudformation:DescribeStackResources" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowEMRCreateClusterAdvancedActions", "Action":[ "elasticmapreduce:RunJobFlow" ], "Resource":"*", "Effect":"Allow" }, { "Sid":"AllowPassingServiceRoleForWorkspaceCreation", "Action":"iam:PassRole", "Resource":[ "arn:aws:iam::*:role/<your-emr-studio-service-role>", "arn:aws:iam::*:role/EMR_DefaultRole_V2", "arn:aws:iam::*:role/EMR_EC2_DefaultRole" ], "Effect":"Allow" }, { "Sid":"AllowS3ListAndLocationPermissions", "Action":[ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::*", "Effect":"Allow" }, { "Sid":"AllowS3ReadOnlyAccessToLogs", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::aws-logs-<aws-account-id>-<region>/elasticmapreduce/*" ], "Effect":"Allow" }, { "Sid":"AllowConfigurationForWorkspaceCollaboration", "Action":[ "elasticmapreduce:UpdateEditor", "elasticmapreduce:PutWorkspaceAccess", "elasticmapreduce:DeleteWorkspaceAccess", "elasticmapreduce:ListWorkspaceAccessIdentities" ], "Resource":"*", "Effect":"Allow", "Condition":{ "StringEquals":{ "elasticmapreduce:ResourceTag/creatorUserId":"${aws:userId}" } } }, { "Sid" : "SageMakerDataWranglerForEMRStudio", "Effect" : "Allow", "Action" : [ "sagemaker:CreatePresignedDomainUrl", "sagemaker:DescribeDomain", "sagemaker:ListDomains", "sagemaker:ListUserProfiles" ], "Resource":"*" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid":"ListIAMRoles", "Effect":"Allow", "Action":[ "iam:ListRoles" ], "Resource":"*" }, { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" }, { "Sid": "AllowCodeWhisperer", "Effect": "Allow", "Action": [ "codewhisperer:GenerateRecommendations" ], "Resource": "*" }, { "Sid": "AllowAthenaSQL", "Action": [ "athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryRuntimeStatistics", "athena:GetQueryResults", "athena:ListQueryExecutions", "athena:BatchGetQueryExecution", "athena:GetNamedQuery", "athena:ListNamedQueries", "athena:BatchGetNamedQuery", "athena:UpdateNamedQuery", "athena:DeleteNamedQuery", "athena:ListDataCatalogs", "athena:GetDataCatalog", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata", "athena:ListWorkGroups", "athena:GetWorkGroup", "athena:CreateNamedQuery", "athena:GetPreparedStatement", "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable", "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition", "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition", "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition", "kms:ListAliases", "kms:ListKeys", "kms:DescribeKey", "lakeformation:GetDataAccess", "s3:GetBucketLocation", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload", "s3:PutObject", "s3:PutBucketPublicAccessBlock", "s3:ListAllMyBuckets" ], "Resource": "*", "Effect": "Allow" } ] }
以下用户策略包含在 EMR Studio Workspaces 中使用EMR无服务器交互式应用程序所需的最低用户权限。
在此示例策略中,使用 EMR Studio具有EMR无服务器交互式应用程序的用户权限,请将占位符替换为 serverless-runtime-role 以及 emr-studio-service-role 使用正确的 EMRStudio 服务角色和EMR无服务器运行时角色。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowServerlessActions", "Action": [ "emr-serverless:CreateApplication", "emr-serverless:UpdateApplication", "emr-serverless:DeleteApplication", "emr-serverless:ListApplications", "emr-serverless:GetApplication", "emr-serverless:StartApplication", "emr-serverless:StopApplication", "emr-serverless:StartJobRun", "emr-serverless:CancelJobRun", "emr-serverless:ListJobRuns", "emr-serverless:GetJobRun", "emr-serverless:GetDashboardForJobRun", "emr-serverless:AccessInteractiveEndpoints" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowEMRBasicActions", "Action": [ "elasticmapreduce:CreateEditor", "elasticmapreduce:DescribeEditor", "elasticmapreduce:ListEditors", "elasticmapreduce:UpdateStudio", "elasticmapreduce:StartEditor", "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor", "elasticmapreduce:OpenEditorInConsole", "elasticmapreduce:AttachEditor", "elasticmapreduce:DetachEditor", "elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio", "elasticmapreduce:DeleteStudio", "elasticmapreduce:ListStudios", "elasticmapreduce:CreateStudioPresignedUrl" ], "Resource": "*", "Effect": "Allow" }, { "Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/serverless-runtime-role", "Effect": "Allow" }, { "Sid": "AllowPassingServiceRoleForWorkspaceCreation", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/emr-studio-service-role", "Effect": "Allow" }, { "Sid": "AllowS3ListAndGetPermissions", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject" ], "Resource": "arn:aws:s3:::*", "Effect": "Allow" }, { "Sid":"DescribeNetwork", "Effect":"Allow", "Action":[ "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource":"*" }, { "Sid": "ListIAMRoles", "Effect": "Allow", "Action": [ "iam:ListRoles" ], "Resource": "*" } ] }
AWS Identity and Access Management EMRStudio 用户的权限
下表列出了用户可能执行的每个 Amazon EMR Studio IAM 操作,并列出了执行该操作所需的最低限度操作。您可以在 Studio 的IAM权限策略(使用IAM身份验证时)或 EMR Studio 的用户角色会话策略(当您使用 Identity Center IAM 身份验证时)中允许这些操作。
该表还显示了 EMR Studio 的每个示例权限策略中允许的操作。有关示例权限策略的更多信息,请参阅 为 EMR Studio 用户创建权限策略。
| 操作 | 基本 | 中间 | 高级 | 关联操作 |
|---|---|---|---|---|
| 创建和删除 Workspaces | 是 | 是 | 是 |
|
| 查看协作面板、启用 Workspace 协作并添加协作者。有关更多信息,请参阅设置 Workspace 协作的所有权。 | 是 | 是 | 是 |
|
| 创建新EMR集群时查看与 Studio 相同账户中的 Amazon S3 Control 存储桶列表,使用 Web UI 调试应用程序时访问容器日志 | 是 | 是 | 是 |
|
| 访问 Workspaces | 是 | 是 | 是 |
|
| 连接或分离与工作区关联的现有 Amazon EMR 集群 | 是 | 是 | 是 |
|
| 在集群上连接或分离 Amaz EMR on EKS | 是 | 是 | 是 |
|
| 连接或分离与工作区关联的EMR无服务器应用程序 | 否 | 是 | 是 |
传递EMR无服务器作业运行时角色需要该 |
| 在具有永久应用程序用户界面的EC2作业EMR上调试 Amazon | 是 | 是 | 是 |
|
| 使用集群应用程序用户界EMR面在EC2作业上调试 Amazon | 是 | 是 | 是 |
|
| 使用 Spark 历史服务器EMR在EKS作业运行时调试 Amazon | 是 | 是 | 是 |
|
| 创建和删除 Git 存储库 | 是 | 是 | 是 |
|
| 链接和取消链接 Git 存储库 | 是 | 是 | 是 |
|
| 根据预定义的集群模板创建新集群 | 否 | 是 | 是 |
|
| 请提供集群配置以创建新集群。 | 否 | 否 | 是 |
|
| 使用IAM身份验证模式时,将用户分配给 Studio。 | 否 | 否 | 否 |
|
| 描述网络对象。 | 是 | 是 | 是 |
|
| 列出IAM角色。 | 是 | 是 | 是 |
|
| 从 Amazon EMR Studio 连接到 SageMaker Studio 并使用 Data Wrangler 可视化界面。 |
否 | 否 | 是 |
|
| CodeWhisperer 在您的EMR工作室中使用 Amazon。 | 否 | 否 | 是 |
|
| 从您的工作室访问亚马逊 SQL Athena 编辑器。EMR此列表可能不包括使用所有 Athena 功能所需的所有权限。要了解更多 up-to-date 列表,请参阅 Athena 完全访问政策。 | 否 | 否 | 是 |
|
