# Integrate Amazon EMR with AWS IAM Identity Center
With Amazon EMR releases 6.15.0 and higher, you can use identities from AWS IAM Identity Center to authenticate with an Amazon EMR cluster. The following sections provides a conceptual overview, prerequisites, and steps required to launch an EMR cluster with Identity Center integration.
**Topics**
+ [Overview](#emr-idc-overview)
+ [Features and benefits](#emr-idc-features)
+ [Getting started with AWS IAM Identity Center and Amazon EMR](emr-idc-start.md)
+ [User background sessions](user-background-sessions.md)
+ [Considerations and limitations for Amazon EMR with the Identity Center integration](emr-idc-considerations.md)
## Overview
[Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type. With Identity Center, you can create and manage user identities in AWS, or connect your existing identity source, including Microsoft Active Directory, Okta, Ping Identity, JumpCloud, Google Workspace, and Microsoft Entra ID (formerly Azure AD).
[Trusted identity propagation](https://docs.aws.amazon.com//singlesignon/latest/userguide/trustedidentitypropagation-overview.html) is an AWS IAM Identity Center feature that administrators of connected AWS services can use to grant and audit access to service data. Access to this data is based on user attributes such as group associations. Setting up trusted identity propagation requires collaboration between the administrators of connected AWS services and the IAM Identity Center administrators. For more information, see [Prerequisites and considerations](https://docs.aws.amazon.com//singlesignon/latest/userguide/trustedidentitypropagation-overall-prerequisites.html).
## Features and benefits
The Amazon EMR integration with IAM Identity Center provides the following benefits:
+ Amazon EMR provides credentials to relay your Identity Center Identity to an EMR cluster.
+ Amazon EMR configures all supported applications to authenticate with the cluster credentials.
+ Amazon EMR configures and maintains the supported application security with the Kerberos protocol and no commands or scripts required by you.
+ The ability to enforce Amazon S3 prefix-level authorization with Identity Center identities on S3 Access Grants-managed S3 prefixes.
+ The ability to enforce table-level authorization with Identity Center identities on AWS Lake Formation managed AWS Glue tables.
# Getting started with AWS IAM Identity Center and Amazon EMR
This section helps you configure Amazon EMR to integrate with AWS IAM Identity Center.
**Topics**
+ [Create an Identity Center instance](#emr-idc-start-instance)
+ [Create an IAM role for Identity Center](#emr-idc-start-role)
+ [Add permissions for services not integrated with IAM Identity Center](#emr-idc-start-securityconfig-nonidc)
+ [Create an Identity Center enabled security configuration](#emr-idc-start-securityconfig)
+ [Create and launch an Identity Center enabled cluster](#emr-idc-cluster)
+ [Configure Lake Formation for an IAM Identity Center enabled EMR cluster](emr-idc-lf.md)
+ [Working with S3 Access Grants on an IAM Identity Center enabled EMR cluster](emr-idc-s3ag.md)
**Note**
In order to use Identity Center integration with EMR, Lake Formation or S3 Access Grants must be enabled. You can also use both. If neither is enabled, Identity Center integration isn't supported.
## Create an Identity Center instance
If you don't already have one, create an Identity Center instance in the AWS Region where you want to launch your EMR cluster. An Identity Center instance can only exist in a single Region for an AWS account.
Use the following AWS CLI command to create a new instance named `MyInstance`:
```
aws sso-admin create-instance --name MyInstance
```
## Create an IAM role for Identity Center
To integrate Amazon EMR with AWS IAM Identity Center, create an IAM role that authenticates with Identity Center from the EMR cluster. Under the hood, Amazon EMR uses SigV4 credentials to relay the Identity Center identity to downstream services such as AWS Lake Formation. Your role should also have the respective permissions to invoke the downstream services.
When you create the role, use the following permissions policy:
```
{
"Statement": [
{
"Sid": "IdCPermissions",
"Effect": "Allow",
"Action": [
"sso-oauth:*"
],
"Resource": "*"
},
{
"Sid": "GlueandLakePermissions",
"Effect": "Allow",
"Action": [
"glue:*",
"lakeformation:GetDataAccess"
],
"Resource": "*"
},
{
"Sid": "AccessGrantsPermissions",
"Effect": "Allow",
"Action": [
"s3:GetDataAccess",
"s3:GetAccessGrantsInstanceForPrefix"
],
"Resource": "*"
}
]
}
```
The trust policy for this role allows the InstanceProfile role to let it assume the role.
```
{
"Sid": "AssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678912:role/EMR_EC2_DefaultRole"
},
"Action": [
"sts:AssumeRole",
"sts:SetContext"
]
}
```
If the role doesn't have trusted credentials and accesses a Lake Formation-protected table, Amazon EMR automatically sets the `principalId` of the assumed role to `userID-untrusted`. The following is a snippet of a CloudTrail event that displays the `principalId`.
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "ABCDEFGH1JKLMNO2PQR3TU:5000-untrusted",
"arn": "arn:aws:sts::123456789012:assumed-role/EMR_TIP/5000-untrusted",
"accountId": "123456789012",
"accessKeyId": "ABCDEFGH1IJKLMNOPQ7R3"
...
```
## Add permissions for services not integrated with IAM Identity Center
AWS credentials that use Trusted Identity Propagation the IAM policies defined in the IAM role for any calls made to services not integrated with IAM Identity Center. This includes, for example, the AWS Key Management Service. Your role should also define any IAM permissions for any such services you would attempt to access example AWS Key Management Service. Currently supported IAM Identity Center integrated services include AWS Lake Formation and Amazon S3 Access Grants.
To learn more about Trusted Identity Propagation, see [Trusted Identity Propagation across applications](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation.html).
## Create an Identity Center enabled security configuration
To launch an EMR cluster with IAM Identity Center integration, use the following example command to create an Amazon EMR security configuration that has Identity Center enabled. Each configuration is explained below.
```
aws emr create-security-configuration --name "IdentityCenterConfiguration-with-lf-accessgrants" --region "us-west-2" --security-configuration '{
"AuthenticationConfiguration":{
"IdentityCenterConfiguration":{
"EnableIdentityCenter":true,
"IdentityCenterApplicationAssigmentRequired":false,
"IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789"
}
},
"AuthorizationConfiguration": {
"LakeFormationConfiguration": {
"AuthorizedSessionTagValue": "Amazon EMR"
},
"IAMConfiguration": {
"EnableApplicationScopedIAMRole": true,
"ApplicationScopedIAMRoleConfiguration": {
"PropagateSourceIdentity": true
}
}
},
"EncryptionConfiguration": {
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": false,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"S3Object": "s3://amzn-s3-demo-bucket/cert/my-certs.zip"
}
}
}
}'
```
+ **`EnableIdentityCenter`** – (required) Enables Identity Center integration.
+ **`IdentityCenterInstanceARN`** – (optional) The Identity Center instance ARN. If this isn't included, the existing IAM Identity Center instance ARN is looked up as part of the configuration step.
+ **`IAMRoleForEMRIdentityCenterApplicationARN`** – (required) The IAM role that procures Identity Center tokens from the cluster.
+ **`IdentityCenterApplicationAssignmentRequired `** – (boolean) Governs if an assignment will be required to use the Identity Center application. This field is optional. If a value isn't provided, the default is `false`.
+ **`AuthorizationConfiguration` / `LakeFormationConfiguration`** – Optionally, configure authorization:
+ **`IAMConfiguration`** – Enables EMR Runtimes Roles feature to be used in addition to your TIP identity. If you enable this configuration, then you (or the caller AWS Service) will be required to specify an IAM Runtime Role in each call to the EMR Steps or EMR `GetClusterSessionCredentials` APIs. If the EMR cluster is being used with SageMaker Unified Studio, then this option is required if Trusted Identity Propagation is also enabled.
+ **`EnableLakeFormation`** – Enable Lake Formation authorization on the cluster.
To enable Identity Center integration with Amazon EMR, you must specify `EncryptionConfiguration` and `IntransitEncryptionConfiguration`.
## Create and launch an Identity Center enabled cluster
Now that you've set up the IAM role that authenticates with Identity Center, and created an Amazon EMR security configuration that has Identity Center enabled, you can create and launch your identity-aware cluster. For steps to launch your cluster with the required security configuration, see [Specify a security configuration for an Amazon EMR cluster](emr-specify-security-configuration.md).
The following sections describe how to configure your Identity Center enabled cluster with security options that Amazon EMR supports:
+ [Working with S3 Access Grants on an IAM Identity Center enabled EMR cluster](emr-idc-s3ag.md)
+ [Configure Lake Formation for an IAM Identity Center enabled EMR cluster](emr-idc-lf.md)
# Configure Lake Formation for an IAM Identity Center enabled EMR cluster
You can integrate [AWS Lake Formation](https://docs.aws.amazon.com/lake-formation/latest/dg/) with your AWS IAM Identity Center enabled EMR cluster.
First, be sure you have an Identity Center instance set up in the same Region as your cluster. For more information, see [Create an Identity Center instance](emr-idc-start.md#emr-idc-start-instance). You can find the instance ARN in the IAM Identity Center console when you view the instance details, or use the following command to view details for all your instances from the CLI:
```
aws sso-admin list-instances
```
Then use the ARN and your AWS account ID with the following command to configure Lake Formation to be compatible with IAM Identity Center:
```
aws lakeformation create-lake-formation-identity-center-configuration --cli-input-json file://create-lake-fromation-idc-config.json
json input:
{
"CatalogId": "account-id/org-account-id",
"InstanceArn": "identity-center-instance-arn"
}
```
Now, call `put-data-lake-settings` and enable `AllowFullTableExternalDataAccess` with Lake Formation:
```
aws lakeformation put-data-lake-settings --cli-input-json file://put-data-lake-settings.json
json input:
{
"DataLakeSettings": {
"DataLakeAdmins": [
{
"DataLakePrincipalIdentifier": "admin-ARN"
}
],
"CreateDatabaseDefaultPermissions": [...],
"CreateTableDefaultPermissions": [...],
"AllowExternalDataFiltering": true,
"AllowFullTableExternalDataAccess": true
}
}
```
Finally, grant full table permissions to the identity ARN for the user that accesses the EMR cluster. The ARN contains the user ID from Identity Center. Navigate to Identity Center in the console, select **Users**, and then select the user to view their **General information** settings.
Copy the User ID and paste it into the following ARN for `user-id`:
```
arn:aws:identitystore:::user/user-id
```
**Note**
Queries on the EMR cluster only work if the IAM Identity Center identity has full table access on the Lake Formation protected table. If the identity doesn't have full table access, then the query will fail.
Use the following command to grant the user full table access:
```
aws lakeformation grant-permissions --cli-input-json file://grantpermissions.json
json input:
{
"Principal": {
"DataLakePrincipalIdentifier": "arn:aws:identitystore:::user/user-id"
},
"Resource": {
"Table": {
"DatabaseName": "tip_db",
"Name": "tip_table"
}
},
"Permissions": [
"ALL"
],
"PermissionsWithGrantOption": [
"ALL"
]
}
```
## Adding the application ARN to IDC for Lake Formation integration
In order to query Lake Formation enabled resources, the Application ARN of the IDC application needs to be added. To do this, follow these steps:
1. On the console, choose **AWS Lake Formation**.
1. Select **IAM Identity Center integration** and **Lake Formation application integration** by matching the application ARN. The ARN will appear in the **Application ID** list.
# Working with S3 Access Grants on an IAM Identity Center enabled EMR cluster
You can integrate [S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html) with your AWS IAM Identity Center enabled EMR cluster.
Use S3 Access Grants to authorize access to your data sets from clusters that use Identity Center. Create grants to augment the permissions that you set for IAM users, groups, roles, or for a corporate directory. For more information, see [Using S3 Access Grants with Amazon EMR](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-access-grants.html).
**Topics**
+ [Create an S3 Access Grants instance and location](#emr-idc-s3ag-instance)
+ [Create grants for Identity Center identities](#emr-idc-s3ag-identities)
## Create an S3 Access Grants instance and location
If you don't already have one, create an S3 Access Grants instance in the AWS Region where you want to launch your EMR cluster.
Use the following AWS CLI command to create a new instance named `MyInstance`:
```
aws s3control-access-grants create-access-grants-instance \
--account-id 12345678912 \
--identity-center-arn "identity-center-instance-arn" \
```
Then, create an S3 Access Grants location, replacing the red values with your own:
```
aws s3control-access-grants create-access-grants-location \
--account-id 12345678912 \
--location-scope s3:// \
--iam-role-arn "access-grant-role-arn" \
--region aa-example-1
```
**Note**
Define the `iam-role-arn` parameter as the `accessGrantRole` ARN.
## Create grants for Identity Center identities
Finally, create the grants for the identities that have access to your cluster:
```
aws s3control-access-grants create-access-grant \
--account-id 12345678912 \
--access-grants-location-id "default" \
--access-grants-location-configuration S3SubPrefix="s3-bucket-prefix"
--permission READ \
--grantee GranteeType=DIRECTORY_USER,GranteeIdentifier="your-identity-center-user-id"
```
Example Output:
```
{
"CreatedAt": "2023-09-21T23:47:24.870000+00:00",
"AccessGrantId": "1234-12345-1234-1234567",
"AccessGrantArn": "arn:aws:s3:aa-example-1-1:123456789012:access-grants/default/grant/xxxx1234-1234-5678-1234-1234567890",
"Grantee": {
"GranteeType": "DIRECTORY_USER",
"GranteeIdentifier": "5678-56789-5678-567890"
},
"AccessGrantsLocationId": "default",
"AccessGrantsLocationConfiguration": {
"S3SubPrefix": "myprefix/*"
},
"Permission": "READ",
"GrantScope": "s3://myprefix/*"
}
```
# User background sessions
User background sessions enable long-running analytics and machine learning workloads to continue even after the user has logged off from their notebook interface. Starting with EMR on EC2 release 7.11, this capability is available through EMR-EC2's trusted identity propagation feature. The following sections explains the configuration options and behaviors for user background sessions.
**Note**
User background session settings only affect Spark workloads launched through SageMaker Unified Studio. Changes to this setting apply to new Livy sessions—existing active sessions remain unaffected.
## Configure user background sessions
User background sessions must be enabled at two levels for proper functionality:
1. **IAM Identity Center instance level** (configured by IdC administrators)
1. **EMR cluster level** (configured by EMR cluster administrators)
### Enable user background sessions for Amazon EMR
To enable user background sessions for you must set the `userBackgroundSessionsEnabled` parameter to `true` in the `identityCenterConfiguration` when creating EMR security configuration.
**Prerequisites:**
+ The IAM role used to create or update EMR Security Configuration requires the `sso:PutApplicationSessionConfiguration` permission. This permission enables user background sessions for Amazon EMR managed IAM Identity Center application.
+ Create an IAM role for IAM Identity Center
+ To integrate Amazon EMR with IAM Identity Center, create an IAM role that authenticates with IAM Identity Center from the EMR cluster. Amazon EMR uses SigV4 credentials to relay the IAM Identity Center identity to downstream services such as AWS Lake Formation. Your role should also have the required permissions to invoke the downstream services.
+ [Configure Lake Formation for an IAM Identity Center enabled EMR cluster](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-idc-lf.html). For required role permissions see: [Create an IAM role for Identity Center.](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-idc-start.html#emr-idc-start-role)
+ Launch your EMR cluster with release 7.11 or later and enable Trusted-Identity Propagation.
**Step 1 - Create an Identity Center UserBackgroundSession enabled EMR security configuration**
Users need to set `EnableUserBackgroundSession`** flag to `true` **, which will allow EMR service to enable UserBackgourndSession at EMR managed IDC application level. If this flag is set to `false` or not set, EMR will disable IDC UserBackgroundSession by default.
**Example of using the AWS CLI:**
```
aws emr create-security-configuration --name "idc-userBackgroundSession-enabled-secConfig" \
--region AWS_REGION \
--security-configuration ' \
{
"AuthenticationConfiguration":{
"IdentityCenterConfiguration":{
"EnableIdentityCenter":true,
"IdentityCenterInstanceARN": "arn:aws:sso:::instance/ssoins-123xxxxxxxxxx789",
"IdentityCenterApplicationAssigmentRequired": false,
"EnableUserBackgroundSession": true,
"IAMRoleForEMRIdentityCenterApplicationARN": "arn:aws:iam::12345678912:role/YOUR_ROLE"
}
},\
"AuthorizationConfiguration": {
"IAMConfiguration": {
"EnableApplicationScopedIAMRole": true,
"ApplicationScopedIAMRoleConfiguration": {
"PropagateSourceIdentity": true
}
},\
"LakeFormationConfiguration": {
"AuthorizedSessionTagValue": "Amazon EMR"
}
},\
"EncryptionConfiguration": {
"EnableInTransitEncryption": true,
"EnableAtRestEncryption": false,
"InTransitEncryptionConfiguration": {
"TLSCertificateConfiguration": {
"CertificateProviderType": "PEM",
"S3Object": "s3://amzn-s3-demo-bucket/cert/my-certs.zip"
}
}
}
}'
```
** Step 2 - Create and launch an Identity Center enabled cluster**
Now that you've set up the IAM role that authenticates with Identity Center, and created an Amazon EMR security configuration that has Identity Center enabled, you can create and launch your identity-aware cluster. For steps to launch your cluster with the required security configuration, see Specify a security configuration for an Amazon EMR cluster.
### Configuration Matrix
The user background session behavior depends on both the EMR-EC2 setting and the IAM Identity Center instance-level settings:
**User Background Session Configuration Matrix**
| IAM Identity Center userBackgroundSession Enabled | Amazon EMR userBackgroundSessionsEnabled | Behavior |
| --- | --- | --- |
| Yes | TRUE | User background session enabled |
| Yes | FALSE | Session expires with user logout |
| No | TRUE | Session expires with user logout |
| No | FALSE | Session expires with user logout |
### Default user background session duration
By default, all user background sessions have a duration limit of 7 days in IAM Identity Center. Administrators can modify this duration in the IAM Identity Center console. This setting applies at the IAM Identity Center instance level, affecting all supported IAM Identity Center applications within that instance.
+ Duration can be set to any value from 15 minutes up to 90 days.
+ This setting is configured in the IAM Identity Center console under **Settings** → **Authentication** → **Configure** (See Non-Interactive Jobs section)
### Impact of disabling user background sessions
When user background sessions are disabled in IAM Identity Center:
Existing Livy sessions
+ Continue to run without interruption if they were started with user background sessions enabled. These sessions will continue using their existing background session tokens until they terminate naturally or are explicitly stopped.
New Livy sessions
+ Will use the standard trusted identity propagation flow and will terminate when the user logs out or their interactive session expires (such as when closing a Amazon SageMaker Unified Studio JupyterLab notebook).
### Changing user background sessions duration
When the duration setting for user background sessions is modified in IAM Identity Center:
Existing Livy sessions
+ Continue to run with the same background session duration with which they were started.
New Livy sessions
+ Will use the new session duration for background sessions.
### Considerations
#### Feature Availability
User background sessions for Amazon EMR are available for:
+ Spark engine only (Hive engine is not supported)
+ Livy interactive sessions only (batch jobs and streaming jobs are not supported)
+ Amazon EMR release labels 7.11 and later. With EMR release 7.11, you need to install a bootstrap action script to enable user background sessions when creating a cluster. Please contact AWS Support for additional details.
**Note**
If you are using SageMaker Unified Studio provisioned cluster, you do not need the bootstrap action script to use this feature.
#### Cost Implications
+ Jobs will continue to run to completion even after users end their Amazon SageMaker Unified Studio JupyterLab session and will incur charges for the entire duration of the completed run.
+ Monitor your active background sessions to avoid unnecessary costs from forgotten or abandoned sessions.
#### Livy Session Termination Conditions
When using user background sessions, a Livy session will continue running until one of the following occurs:
+ The user background session expires (based on IdC configuration, up to 90 days).
+ The user background session is manually revoked by an administrator.
+ The Livy session reaches its idle timeout (default: 8 hours after the last executed statement).
+ The user explicitly stops or restarts the notebook kernel.
# Considerations and limitations for Amazon EMR with the Identity Center integration
Consider the following points when you use IAM Identity Center with Amazon EMR:
+ Trusted Identity Propagation through Identity Center is supported on Amazon EMR 6.15.0 and higher, and only with Apache Spark. Also, Trusted Identity Propagation through Identity Center using EMR Runtime Roles feature is supported on Amazon EMR 7.8.0 and higher, and only with Apache Spark.
+ To enable EMR clusters with trusted identity propagation, you must use the AWS CLI to create a security configuration that has trusted identity propagation enabled, and use that security configuration when you launch your cluster. For more information, see [Create an Identity Center enabled security configuration](emr-idc-start.md#emr-idc-start-securityconfig).
+ Fine-grained access controls using AWS Lake Formation that use Trusted Identity Propagation are available for Amazon EMR clusters on EMR version 7.2.0 and higher. Between EMR versions 6.15.0 and 7.1.0, only table-level access control, based on AWS Lake Formation, is available.
+ With Amazon EMR clusters that use Trusted Identity Propagation, operations that support access control based on Lake Formation with Apache Spark include SELECT, ALTER TABLE, INSERT INTO, and DROP TABLE.
+ Fine-grained access controls using AWS Lake Formation that use Trusted Identity Propagation will need to update Lake Formation Identity Center configuration by adding EMR managed IAM Identity application arn as authorized target. You can find Amazon EMR managed IAM Identity application ARN by calling EMR `describe-security-configure` API and look for field `IdCApplicationARN`. More details: [Updating IAM Identity Center integration](https://docs.aws.amazon.com/lake-formation/latest/dg/update-lf-identity-center-connection.html) on how to setup Lake Formation with IAM Identity Center configuration.
+ To use Fine-grained access controls using AWS Lake Formation that use Trusted Identity Propagation, IAM Identity users should be granted Lake Formation permissions on default database. More details: [Configure Lake Formation for an IAM Identity Center enabled EMR cluster](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-idc-lf.html).
+ Trusted Identity Propagation with Amazon EMR is supported in the following AWS Regions:
+ `af-south-1` – Africa (Cape Town)
+ `ap-east-1` – Asia Pacific (Hong Kong)
+ `ap-northeast-1` – Asia Pacific (Tokyo)
+ `ap-northeast-2` – Asia Pacific (Seoul)
+ `ap-northeast-3` – Asia Pacific (Osaka)
+ `ap-south-1` – Asia Pacific (Mumbai)
+ `ap-south-2` – Asia Pacific (Hyderabad)
+ `ap-southeast-1` – Asia Pacific (Singapore)
+ `ap-southeast-2` – Asia Pacific (Sydney)
+ `ap-southeast-3` – Asia Pacific (Jakarta)
+ `ap-southeast-4` – Asia Pacific (Melbourne)
+ `ca-central-1` – Canada (Central)
+ `eu-central-1` – Europe (Frankfurt)
+ `eu-central-2` – Europe (Zurich)
+ `eu-north-1` – Europe (Stockholm)
+ `eu-south-1` – Europe (Milan)
+ `eu-south-2` – Europe (Spain)
+ `eu-west-1` – Europe (Ireland)
+ `eu-west-2` – Europe (London)
+ `eu-west-3` – Europe (Paris)
+ `il-central-1` – Israel (Tel Aviv)
+ `me-central-1` – Middle East (UAE)
+ `me-south-1` – Middle East (Bahrain)
+ `sa-east-1` – South America (São Paulo)
+ `us-east-1` – US East (N. Virginia)
+ `us-east-2` – US East (Ohio)
+ `us-west-1` – US West (N. California)
+ `us-west-2` – US West (Oregon)
+ If the IAM Role for identity center role is accidentally deleted and recreated, the principal will have a different principal-id. Example *NewRole* would have principal-id *456* which would not match the recorded principal-id *123*. The only way to resolve this at this point is to re-set the principal in the downstream resource policies in every downstream account.