用於建立和管理 EMR Studio 的管理員許可

本頁所述的 IAM 許可允許您建立和管理 EMR Studio。如需有關每個所需許可的詳細資訊，請參閱管理 EMR Studio 所需的許可。

管理 EMR Studio 所需的許可

下表列出了與建立和管理 EMR Studio 相關的操作。此資料表也會顯示每項操作所需的許可。

注意

使用 IAM Identity Center 身分驗證模式時，只需要 IAM Identity Center 和 Studio SessionMapping 動作。

用於建立和管理 EMR Studio 的許可
作業	許可
建立 Studio	`"elasticmapreduce:CreateStudio", "sso:CreateApplication", "sso:PutApplicationAuthenticationMethod", "sso:PutApplicationGrant", "sso:PutApplicationAccessScope", "sso:PutApplicationAssignmentConfiguration", "iam:PassRole"`
描述 Studio	`"elasticmapreduce:DescribeStudio", "sso:GetManagedApplicationInstance"`
列出 Studio	`"elasticmapreduce:ListStudios"`
刪除 Studio	`"elasticmapreduce:DeleteStudio", "sso:DeleteApplication", "sso:DeleteApplicationAuthenticationMethod", "sso:DeleteApplicationAccessScope", "sso:DeleteApplicationGrant"`
Additional permissions required when you use IAM Identity Center mode
將使用者或群組指派給 Studio	"elasticmapreduce:CreateStudioSessionMapping", "sso:GetProfile", "sso:ListDirectoryAssociations", "sso:ListProfiles", "sso:AssociateProfile", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListInstances", "sso:CreateApplicationAssignment", "sso:DescribeInstance", "organizations:DescribeOrganization", "organizations:ListDelegatedAdministrators", "sso:CreateInstance", "sso:DescribeRegisteredRegions", "sso:GetSharedSsoConfiguration", "iam:ListPolicies"
擷取特定使用者或群組的 Studio 指派詳細資訊	`"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "elasticmapreduce:GetStudioSessionMapping"`
列出指派給 Studio 的所有使用者和群組	`"elasticmapreduce:ListStudioSessionMappings"`
更新附接至指派給 Studio 的使用者或群組的工作階段政策	`"sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:DescribeApplication", "sso:DescribeInstance", "elasticmapreduce:UpdateStudioSessionMapping"`
從 Studio 中移除使用者或群組	`"elasticmapreduce:DeleteStudioSessionMapping", "sso-directory:SearchUsers", "sso-directory:SearchGroups", "sso-directory:DescribeUser", "sso-directory:DescribeGroup", "sso:ListDirectoryAssociations", "sso:GetProfile", "sso:DescribeApplication", "sso:DescribeInstance", "sso:ListProfiles", "sso:DisassociateProfile", "sso:DeleteApplicationAssignment", "sso:ListApplicationAssignments"`

若要建立具有 EMR Studio 管理員許可的政策

遵循建立 IAM 政策中的指示，使用下列其中一個範例來建立政策。您需要的許可取決於 EMR Studio 的身分驗證模式。

為這些項目插入您自己的值：

取代 <your-resource-ARN> 以指定陳述式針對您的使用案例所涵蓋物件的 Amazon Resource Name (ARN)。
將 <region> 取代為您計劃在其中建立 Studio 的 AWS 區域代碼。
將 <aws-account_id> 取代為 Studio 的 AWS 帳戶 ID。
將 <EMRStudio-Service-Role> 和 <EMRStudio-User-Role> 取代為 EMR Studio 服務角色和 EMR Studio 使用者角色的名稱。

範例政策：使用 IAM 身分驗證模式時的管理員許可

範例政策：使用 IAM Identity Center 身分驗證模式時的管理員許可

注意

Identity Center 和 Identity Center Directory API 不支援在 IAM 政策陳述式的資源元素中指定 ARN。若要允許存取 IAM Identity Center 和 IAM Identity Center Directory，下列許可能夠指定 IAM Identity Center 動作的所有資源 ("Resource":"*")。如需詳細資訊，請參閱適用於 IAM Identity Center Directory 的動作、資源和條件索引鍵。

JSON


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:elasticmapreduce:*:123456789012:studio/*"
      ],
      "Action": [
        "elasticmapreduce:CreateStudio",
        "elasticmapreduce:DescribeStudio",
        "elasticmapreduce:DeleteStudio",
        "elasticmapreduce:CreateStudioSessionMapping",
        "elasticmapreduce:GetStudioSessionMapping",
        "elasticmapreduce:UpdateStudioSessionMapping",
        "elasticmapreduce:DeleteStudioSessionMapping"
      ],
      "Sid": "AllowELASTICMAPREDUCECreatestudio"
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "elasticmapreduce:ListStudios",
        "elasticmapreduce:ListStudioSessionMappings"
      ],
      "Sid": "AllowELASTICMAPREDUCEListstudios"
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::123456789012:role/EMRStudio-SvcRole",
        "arn:aws:iam::123456789012:role/EMRStudio-User-Role"
      ],
      "Action": [
        "iam:PassRole"
      ],
      "Sid": "AllowIAMPassrole"
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:DeleteApplicationAuthenticationMethod",
        "sso:DeleteApplicationAccessScope",
        "sso:DeleteApplicationGrant",
        "sso:ListInstances",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:ListApplicationAssignments",
        "sso:DescribeInstance",
        "sso:AssociateProfile",
        "sso:DisassociateProfile",
        "sso:GetProfile",
        "sso:ListDirectoryAssociations",
        "sso:ListProfiles",
        "sso-directory:SearchUsers",
        "sso-directory:SearchGroups",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeGroup",
        "organizations:DescribeOrganization",
        "organizations:ListDelegatedAdministrators",
        "sso:CreateInstance",
        "sso:DescribeRegisteredRegions",
        "sso:GetSharedSsoConfiguration",
        "iam:ListPolicies"
      ],
      "Sid": "AllowSSOCreateapplication"
    }
  ]
}

將政策附接至 IAM 身分 (使用者、角色或群組)。如需相關指示，請參閱新增和移除 IAM 身分許可。

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

設定 EMR Studio