Create and manage administrator permissions for EMR Studio - Amazon EMR

This page is a machine translation of the English version; where the two differ, the English version governs.

Create and manage administrator permissions for EMR Studio

The IAM permissions described on this page let you create and manage an EMR Studio. For details on each required permission, see Required permissions for managing an EMR Studio.

Required permissions for managing an EMR Studio

The following table lists the operations involved in creating and managing an EMR Studio and the permissions each operation requires.

Note

The IAM Identity Center actions (sso, sso-directory) and the Studio SessionMapping actions are needed only when you use IAM Identity Center authentication mode.

Permissions to create and manage an EMR Studio

Operation: Create a Studio
Permissions: "elasticmapreduce:CreateStudio", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration", "iam:PassRole"

Operation: Describe a Studio
Permissions: "elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"

Operation: List Studios
Permissions: "elasticmapreduce:ListStudios"

Operation: Delete a Studio
Permissions: "elasticmapreduce:DeleteStudio", "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant"

Additional permissions required when you use IAM Identity Center mode

Operation: Assign a user or group to a Studio
Permissions: "elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListInstances", "sso:CreateApplicationAssignment", "sso:DescribeInstance", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "sso:CreateInstance", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies"

Operation: Get the Studio assignment details for a specific user or group
Permissions: "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "elasticmapreduce:GetStudioSessionMapping"

Operation: List all users and groups assigned to a Studio
Permissions: "elasticmapreduce:ListStudioSessionMappings"

Operation: Update the session policy attached to a user or group assigned to a Studio
Permissions: "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "sso:DescribeInstance", "elasticmapreduce:UpdateStudioSessionMapping"

Operation: Remove a user or group from a Studio
Permissions: "elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:DescribeApplication", "sso:DescribeInstance", "sso:ListProfiles", "sso:DisassociateProfile", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments"
To create a policy with EMR Studio administrator permissions
  1. Follow the instructions in Creating IAM policies to create a policy using one of the following examples. The permissions you need depend on your EMR Studio authentication mode.

    Insert your own values for these items:

    • Replace <your-resource-ARN> with the Amazon Resource Name (ARN) of the object or objects that the statement covers for your use case.

    • Replace <region> with the code of the AWS Region in which you plan to create the Studio.

    • Replace <aws-account-id> with the ID of the AWS account for the Studio.

    • Replace <EMRStudio-Service-Role> and <EMRStudio-User-Role> with the names of your EMR Studio service role and EMR Studio user role. Keep the iam:PassRole statement limited to these named role ARNs; a wildcard there would let the administrator pass any role in the account to EMR Studio.

    Example policy: Administrator permissions when you use IAM authentication mode

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
                ],
                "Action": "iam:PassRole"
            }
        ]
    }
    Example policy: Administrator permissions when you use IAM Identity Center authentication mode

    Note

    The IAM Identity Center and IAM Identity Center directory APIs do not support specifying an ARN in the Resource element of an IAM policy statement. To allow access to IAM Identity Center and the IAM Identity Center directory, the following policy specifies all resources, "Resource": "*", for the IAM Identity Center actions. For more information, see Actions, resources, and condition keys for IAM Identity Center Directory.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
                "Action": [
                    "elasticmapreduce:CreateStudio",
                    "elasticmapreduce:DescribeStudio",
                    "elasticmapreduce:DeleteStudio",
                    "elasticmapreduce:CreateStudioSessionMapping",
                    "elasticmapreduce:GetStudioSessionMapping",
                    "elasticmapreduce:UpdateStudioSessionMapping",
                    "elasticmapreduce:DeleteStudioSessionMapping"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": "<your-resource-ARN>",
                "Action": [
                    "elasticmapreduce:ListStudios",
                    "elasticmapreduce:ListStudioSessionMappings"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                    "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
                ],
                "Action": "iam:PassRole"
            },
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": [
                    "sso:CreateApplication",
                    "sso:PutApplicationAuthenticationMethod",
                    "sso:PutApplicationGrant",
                    "sso:PutApplicationAccessScope",
                    "sso:PutApplicationAssignmentConfiguration",
                    "sso:DescribeApplication",
                    "sso:DeleteApplication",
                    "sso:DeleteApplicationAuthenticationMethod",
                    "sso:DeleteApplicationAccessScope",
                    "sso:DeleteApplicationGrant",
                    "sso:ListInstances",
                    "sso:CreateApplicationAssignment",
                    "sso:DeleteApplicationAssignment",
                    "sso:ListApplicationAssignments",
                    "sso:DescribeInstance",
                    "sso:AssociateProfile",
                    "sso:DisassociateProfile",
                    "sso:GetProfile",
                    "sso:ListDirectoryAssociations",
                    "sso:ListProfiles",
                    "sso-directory:SearchUsers",
                    "sso-directory:SearchGroups",
                    "sso-directory:DescribeUser",
                    "sso-directory:DescribeGroup",
                    "organizations:DescribeOrganization",
                    "organizations:ListDelegatedAdministrators",
                    "sso:CreateInstance",
                    "sso:DescribeRegisteredRegions",
                    "sso:GetSharedSsoConfiguration",
                    "iam:ListPolicies"
                ]
            }
        ]
    }
  2. Attach the policy to your IAM identity (user, role, or group). For instructions, see Adding and removing IAM identity permissions.
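As an added example (not code from the AWS documentation), the following Python fills in the placeholders of the two policies above for a chosen authentication mode and then runs the checks a reviewer would apply before attaching the result: no placeholder left unreplaced, iam:PassRole restricted to named role ARNs, no wildcard actions, and "Resource": "*" used only for the IAM Identity Center, directory and Organizations actions that cannot be scoped by ARN. The account ID, Region, role names and the function names are the example's own assumptions.

```python
"""Fill in and sanity-check the EMR Studio administrator policies on this page.

Added example, not code from the AWS documentation. It assumes the placeholder
names used above (<region>, <aws-account-id>, <EMRStudio-Service-Role>,
<EMRStudio-User-Role>, <your-resource-ARN>); function and variable names are
the example's own.
"""
import json
import re

STUDIO_ACTIONS = [
    "elasticmapreduce:CreateStudio",
    "elasticmapreduce:DescribeStudio",
    "elasticmapreduce:DeleteStudio",
]
SESSION_MAPPING_ACTIONS = [
    "elasticmapreduce:CreateStudioSessionMapping",
    "elasticmapreduce:GetStudioSessionMapping",
    "elasticmapreduce:UpdateStudioSessionMapping",
    "elasticmapreduce:DeleteStudioSessionMapping",
]
# Actions the page grants on "*" because IAM Identity Center and its
# directory APIs do not accept an ARN in the Resource element.
IDENTITY_CENTER_ACTIONS = [
    "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod",
    "sso:PutApplicationGrant", "sso:PutApplicationAccessScope",
    "sso:PutApplicationAssignmentConfiguration", "sso:DescribeApplication",
    "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod",
    "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant",
    "sso:ListInstances", "sso:CreateApplicationAssignment",
    "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments",
    "sso:DescribeInstance", "sso:AssociateProfile", "sso:DisassociateProfile",
    "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles",
    "sso-directory:SearchUsers", "sso-directory:SearchGroups",
    "sso-directory:DescribeUser", "sso-directory:DescribeGroup",
    "organizations:DescribeOrganization",
    "organizations:ListDelegatedAdministrators", "sso:CreateInstance",
    "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration",
    "iam:ListPolicies",
]
# Only these may legitimately sit on "Resource": "*" in an admin policy.
WILDCARD_OK_PREFIXES = ("sso:", "sso-directory:", "organizations:", "iam:ListPolicies")


def build_admin_policy(region, account_id, service_role, list_resource,
                       user_role=None, identity_center=False):
    """Return the page's administrator policy as a dict with placeholders filled.

    identity_center=False builds the IAM authentication mode policy;
    identity_center=True builds the IAM Identity Center mode policy, which
    also passes the EMR Studio user role and adds the SessionMapping and
    Identity Center statements.
    """
    studio_arn = f"arn:aws:elasticmapreduce:{region}:{account_id}:studio/*"
    pass_roles = [f"arn:aws:iam::{account_id}:role/{service_role}"]
    studio_actions = list(STUDIO_ACTIONS)
    list_actions = ["elasticmapreduce:ListStudios"]
    if identity_center:
        if not user_role:
            raise ValueError("IAM Identity Center mode needs the EMR Studio user role")
        studio_actions += SESSION_MAPPING_ACTIONS
        list_actions.append("elasticmapreduce:ListStudioSessionMappings")
        pass_roles.append(f"arn:aws:iam::{account_id}:role/{user_role}")
    statements = [
        {"Effect": "Allow", "Resource": studio_arn, "Action": studio_actions},
        {"Effect": "Allow", "Resource": list_resource, "Action": list_actions},
        {"Effect": "Allow", "Resource": pass_roles, "Action": "iam:PassRole"},
    ]
    if identity_center:
        statements.append(
            {"Effect": "Allow", "Resource": "*", "Action": IDENTITY_CENTER_ACTIONS})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Least-privilege checks; returns a list of findings (empty means clean)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        for r in resources:
            if re.search(r"<[^>]*>", r):  # a <placeholder> was never replaced
                findings.append(f"statement {i}: unreplaced placeholder in {r}")
        if "iam:PassRole" in actions and any(r == "*" or r.endswith("/*") for r in resources):
            # A wildcard here lets the admin hand any role in the account to EMR.
            findings.append(f"statement {i}: iam:PassRole is not limited to named roles")
        for a in actions:
            if "*" in a:
                findings.append(f"statement {i}: wildcard action {a}")
            elif "*" in resources and not a.startswith(WILDCARD_OK_PREFIXES):
                findings.append(f"statement {i}: {a} allowed on Resource '*'")
    return findings


if __name__ == "__main__":
    # Constructed values; substitute your own account, Region and role names.
    policy = build_admin_policy(
        "us-east-1", "111122223333", "EMRStudio-Service-Role",
        "arn:aws:elasticmapreduce:us-east-1:111122223333:studio/*",
        user_role="EMRStudio-User-Role", identity_center=True)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy) or "none")
```

Run the script to print the filled-in IAM Identity Center mode policy and its findings, or save the JSON and feed it to the Creating IAM policies steps above. Passing "*" as the service role or as the list resource produces findings, which is the point of running the lint before step 2.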