本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 設定 Amazon EC2 或 Amazon EKS 的 EMR Studio 使用者許可
必須為 Amazon EMR Studio 設定使用者許可政策,才能設定精細的使用者和群組許可。有關使用者許可如何在 EMR Studio 中運作的資訊,請參閱 [Amazon EMR Studio 運作方式](how-emr-studio-works.md) 中的 [存取控制](how-emr-studio-works.md#emr-studio-access-control)。
**注意**
本章節涵蓋的許可不會強制執行資料存取控制。若要管理輸入資料集的存取權限,應該為 Studio 使用的叢集設定許可。如需詳細資訊,請參閱[Amazon EMR 中的安全](emr-security.md)。
## 為 IAM Identity Center 身分驗證模式建立 EMR Studio 使用者角色
使用 IAM Identity Center 身分驗證模式時,必須建立 EMR Studio 使用者角色。
**若要建立 EMR Studio 的使用者角色**
1. 遵循*AWS Identity and Access Management 《 使用者指南*》中[建立角色以將許可委派給 AWS 服務](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)中的指示來建立使用者角色。
建立角色時,請使用下列信任關係政策。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:SetContext"
],
"Resource": "arn:aws:iam::123456789012:role/EMRStudioServiceRole",
"Sid": "AllowSTSAssumerole"
}
]
}
```
------
1. 移除預設角色許可和政策。
1. 將使用者和群組指派給 Studio 之前,請將 EMR Studio 工作階段政策連接至使用者角色。如需有關如何建立工作階段政策的指示,請參閱 [建立 EMR Studio 使用者的許可政策](#emr-studio-permissions-policies)。
## 建立 EMR Studio 使用者的許可政策
如需為 EMR Studio 建立許可政策,請參閱下列各節。
**Topics**
+ [
### 建立許可政策
](#emr-studio-permissions-policies-create)
+ [
### 設定工作區協同合作的擁有權
](#emr-studio-workspace-collaboration-permissions)
+ [
### 建立使用者層級 Git 密碼政策
](#emr-studio-permissions-policies-git)
+ [
### 將許可政策連接至 IAM 身分
](#emr-studio-permissions-policies-attach)
**注意**
若要設定用於存放筆記本檔案的 Amazon S3 存取許可,以及設定在將工作區連結至 Git 儲存庫時讀取密碼所需的 AWS Secrets Manager 存取許可,請使用 EMR Studio 服務角色。
### 建立許可政策
建立一個或多個 IAM 許可政策,指定使用者可以在您的 Studio 中執行的動作。例如,可以使用此頁面上的範例政策,為[基礎]()、[中級]()和[進階]() Studio 使用者類型建立三個獨立的政策。
如需有關使用者可能執行的每個 Studio 操作的詳細資訊,以及執行每個操作所需的最少 IAM 動作,請參閱 [AWS Identity and Access Management EMR Studio 使用者的 許可](#emr-studio-iam-permissions-table)。如需了解建立政策的步驟,請參閱《IAM 使用者指南》**中的[建立 IAM 政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create-console.html)。
許可政策必須包含下列陳述式。
```
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": "secretsmanager:TagResource",
"Resource": "arn:aws:secretsmanager:*:*:secret:emr-studio-*"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role"
],
"Effect": "Allow"
}
```
### 設定工作區協同合作的擁有權
工作區協同合作可讓多位使用者同時在相同工作區中工作,並且可以使用工作區 UI 中的**協同合作**面板進行設定。若要查看和使用**協同合作**面板,使用者必須擁有下列許可。任何具有這些許可的使用者都可以查看和使用**協同合作**面板。
```
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
```
若要限制存取**協同合作**面板,可以使用標籤型存取控制。當使用者建立工作區時,EMR Studio 會套用具有 `creatorUserId` 金鑰的預設標籤,其值為建立工作區之使用者的 ID。
**注意**
EMR Studio 將 `creatorUserId` 標籤新增至 2021 年 11 月 16 日之後建立的工作區。若要限制誰可為您在此日期之前建立的工作區設定協作,建議您手動將 `creatorUserId` 標籤新增至您的工作區,然後在使用者許可政策中使用標籤型存取控制。
下列範例陳述式可讓使用者為具有標籤金鑰 `creatorUserId` 的任何工作區設定協同合作,該標籤金鑰的值與使用者 ID (由政策變數 `aws:userId` 表示) 進行比對。換句話說,該陳述式可讓使用者為他們所建立的工作區設定協同合作。若要進一步了解政策變數,請參閱《IAM 使用者指南》**中的 [IAM 政策元素:變數和標籤](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
```
{
"Sid": "UserRolePermissionsForCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userid}"
}
}
}
```
### 建立使用者層級 Git 密碼政策
**Topics**
+ [
#### 使用使用者層級許可
](#emr-studio-permissions-policies-user)
+ [
#### 從服務層級許可轉換為使用者層級許可
](#emr-studio-permissions-policies-transition)
+ [
#### 使用服務層級許可
](#emr-studio-permissions-policies-service)
#### 使用使用者層級許可
EMR Studio 會在建立 Git 密碼時自動新增 `for-use-with-amazon-emr-managed-user-policies` 標籤。如果您想要在使用者層級控制 Git 密碼的存取,請使用 `secretsmanager:GetSecretValue` 將標籤型許可新增至 EMR Studio **使用者角色政策**,如下方 [從服務層級許可轉換為使用者層級許可](#emr-studio-permissions-policies-transition) 一節中所示。
如果您在 EMR Studio **服務角色政策**中擁有 `secretsmanager:GetSecretValue` 的現有許可,則應移除這些許可。
#### 從服務層級許可轉換為使用者層級許可
**注意**
`for-use-with-amazon-emr-managed-user-policies` 標籤可確保下列**步驟 1** 中的許可向工作區的建立者授予對 Git 密碼的存取權限。但是,如果您在 2023 年 9 月 1 日之前連結了 Git 儲存庫,則對應的 Git 密碼將會因其未套用 `for-use-with-amazon-emr-managed-user-policies` 標籤而遭到拒絕存取。若要套用使用者層級許可,您必須從 JupyterLab 重新建立舊密碼,然後再次連結適當的 Git 儲存庫。
如需有關政策變數的詳細資訊,請參閱《IAM 使用者指南》**中的 [IAM 政策元素:變數和標籤](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
1. 將下列許可新增至 [EMR Studio **使用者角色政策**](emr-studio-service-role.md)。其會使用 `for-use-with-amazon-emr-managed-user-policies` 索引鍵,且值為 `"${aws:userid}"`。
```
{
"Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/for-use-with-amazon-emr-managed-user-policies": "${aws:userid}"
}
}
}
```
1. 如果存在,請從 [EMR Studio **服務角色政策**](emr-studio-service-role.md)中移除下列許可。由於服務角色政策適用於每個使用者定義的所有密碼,您只需執行此動作一次。
```
{
"Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
}
```
#### 使用服務層級許可
自 2023 年 9 月 1 日起,EMR Studio 會自動新增用於使用者層級存取控制的 `for-use-with-amazon-emr-managed-user-policies` 標籤。因為這是一項新增功能,您可以繼續使用透過 [EMR Studio 服務角色](emr-studio-service-role.md)中的 `GetSecretValue` 許可所取得的服務層級存取權限。
對於 2023 年 9 月 1 日之前建立的密碼,EMR Studio 未新增 `for-use-with-amazon-emr-managed-user-policies` 標籤。若要繼續使用服務層級許可,只要保留現有的 [EMR Studio 服務角色](emr-studio-service-role.md)和使用者角色許可即可。不過,若要限制可以存取個別密碼的人員,建議您遵循 [使用使用者層級許可](#emr-studio-permissions-policies-user) 中的步驟,手動將 `for-use-with-amazon-emr-managed-user-policies` 標籤新增至密碼,然後在使用者許可政策中使用標籤型存取控制。
如需有關政策變數的詳細資訊,請參閱《IAM 使用者指南》**中的 [IAM 政策元素:變數和標籤](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)。
### 將許可政策連接至 IAM 身分
下表概述了您將許可政策附接至哪個 IAM 身分,具體取決於 EMR Studio 身分驗證模式。如需有關如何附接政策的指示,請參閱[新增和移除 IAM 身分許可](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。
****
| 如果您使用... | 將政策附接至... |
| --- | --- |
| IAM 身分驗證 | 您的 IAM 身分 (使用者、使用者群組或角色)。例如,可以將許可政策附接至 AWS 帳戶的使用者。 |
| 與外部身分提供者 (IdP) 的 IAM 聯合 | 為外部 IdP 建立的 IAM 角色。例如,適用於 SAML 2.0 聯合的 IAM。 對於可聯合存取 Studio 的使用者,EMR Studio 會使用附接至 IAM 角色的許可。 |
| IAM Identity Center | Amazon EMR Studio 使用者角色。 |
## 範例使用者政策
下列基本使用者政策允許大部分 EMR Studio 動作,但不允許使用者建立新的 Amazon EMR 叢集。
### 基本政策
**重要**
範例政策不包含 `CreateStudioPresignedUrl` 許可,在使用 IAM 身分驗證模式時,必須針對使用者允許該許可。如需詳細資訊,請參閱[將使用者或群組指派給 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
範例政策包含 `Condition` 元素以強制執行標籤型存取控制 (TBAC),以便您可以搭配使用該政策與 EMR Studio 的範例服務角色。如需詳細資訊,請參閱[建立 EMR Studio 服務角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": [
"arn:aws:ec2:*:*:vpc/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingEMRTagsDuringDefaultSecurityGroupCreation",
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true",
"ec2:CreateAction": "CreateSecurityGroup"
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role>"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-aws-111122223333>-region>/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
```
------
下列中級使用者政策允許大多數 EMR Studio 動作,並可讓使用者使用叢集範本建立新的 Amazon EMR 叢集。
### 中級政策
**重要**
範例政策不包含 `CreateStudioPresignedUrl` 許可,在使用 IAM 身分驗證模式時,必須針對使用者允許該許可。如需詳細資訊,請參閱[將使用者或群組指派給 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
範例政策包含 `Condition` 元素以強制執行標籤型存取控制 (TBAC),以便您可以搭配使用該政策與 EMR Studio 的範例服務角色。如需詳細資訊,請參閱[建立 EMR Studio 服務角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateRepository",
"elasticmapreduce:DescribeRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:GetOnClusterAppUIPresignedURL"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRContainersBasicActions",
"Action": [
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeJobRun",
"emr-containers:ListJobRuns"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowRetrievingManagedEndpointCredentials",
"Effect": "Allow",
"Action": [
"emr-containers:GetManagedEndpointSessionCredentials"
],
"Resource": [
"arn:aws:emr-containers:us-west-1:123456789012:/virtualclusters/virtual-cluster-id/endpoints/managed-endpoint-id"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"arn:aws:iam::123456789012:role/emr-on-eks-execution-role"
]
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowClusterTemplateRelatedIntermediateActions",
"Action": [
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:DescribeRecord",
"cloudformation:DescribeStackResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-123456789012-us-east-1/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
}
]
}
```
------
下列進階使用者政策允許所有 EMR Studio 動作,並允許使用者使用叢集範本或透過提供叢集組態來建立新的 Amazon EMR 叢集。
### 進階政策
**重要**
範例政策不包含 `CreateStudioPresignedUrl` 許可,在使用 IAM 身分驗證模式時,必須針對使用者允許該許可。如需詳細資訊,請參閱[將使用者或群組指派給 EMR Studio](emr-studio-manage-users.md#emr-studio-assign-users-groups)。
範例政策包含 `Condition` 元素以強制執行標籤型存取控制 (TBAC),以便您可以搭配使用該政策與 EMR Studio 的範例服務角色。如需詳細資訊,請參閱[建立 EMR Studio 服務角色](emr-studio-service-role.md)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateRepository",
"elasticmapreduce:DescribeRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:GetOnClusterAppUIPresignedURL"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRContainersBasicActions",
"Action": [
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeJobRun",
"emr-containers:ListJobRuns"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowRetrievingManagedEndpointCredentials",
"Effect": "Allow",
"Action": [
"emr-containers:GetManagedEndpointSessionCredentials"
],
"Resource": [
"arn:aws:emr-containers:*:123456789012:/virtualclusters/virtual-cluster-id/endpoints/managed-endpoint-id"
],
"Condition": {
"StringEquals": {
"emr-containers:ExecutionRoleArn": [
"arn:aws:iam::123456789012:role/emr-on-eks-execution-role"
]
}
}
},
{
"Sid": "AllowSecretManagerListSecrets",
"Action": [
"secretsmanager:ListSecrets"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowSecretCreationWithEMRTagsAndEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
}
}
},
{
"Sid": "AllowAddingTagsOnSecretsWithEMRStudioPrefix",
"Effect": "Allow",
"Action": [
"secretsmanager:TagResource"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:emr-studio-*"
]
},
{
"Sid": "AllowClusterTemplateRelatedIntermediateActions",
"Action": [
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:ListLaunchPaths",
"servicecatalog:DescribeRecord",
"cloudformation:DescribeStackResources"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRCreateClusterAdvancedActions",
"Action": [
"elasticmapreduce:RunJobFlow"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/your-emr-studio-service-role",
"arn:aws:iam::*:role/EMR_DefaultRole_V2",
"arn:aws:iam::*:role/EMR_EC2_DefaultRole"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndLocationPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ReadOnlyAccessToLogs",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::aws-logs-123456789012-us-east-1/elasticmapreduce/*"
],
"Effect": "Allow"
},
{
"Sid": "AllowConfigurationForWorkspaceCollaboration",
"Action": [
"elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
}
}
},
{
"Sid": "SageMakerDataWranglerForEMRStudio",
"Effect": "Allow",
"Action": [
"sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:ListUserProfiles"
],
"Resource": [
"*"
]
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowCodeWhisperer",
"Effect": "Allow",
"Action": [
"codewhisperer:GenerateRecommendations"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowAthenaSQL",
"Action": [
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryRuntimeStatistics",
"athena:GetQueryResults",
"athena:ListQueryExecutions",
"athena:BatchGetQueryExecution",
"athena:GetNamedQuery",
"athena:ListNamedQueries",
"athena:BatchGetNamedQuery",
"athena:UpdateNamedQuery",
"athena:DeleteNamedQuery",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"athena:ListDatabases",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetTableMetadata",
"athena:ListWorkGroups",
"athena:GetWorkGroup",
"athena:CreateNamedQuery",
"athena:GetPreparedStatement",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition",
"kms:ListAliases",
"kms:ListKeys",
"kms:DescribeKey",
"lakeformation:GetDataAccess",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
],
"Effect": "Allow"
}
]
}
```
------
下列使用者政策包含搭配使用 EMR Serverless 互動式應用程式與 EMR Studio 工作區所需的最低使用者許可。
### EMR Serverless 互動政策
在此範例政策中具有 EMR Studio 之 EMR Serverless 互動式應用程式的使用者許可,請將 *serverless-runtime-role* 和 *emr-studio-service-role* 取代為正確的 [EMR Studio 服務角色](emr-studio-service-role.md)和 [EMR Serverless 執行期角色](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.html)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowServerlessActions",
"Action": [
"emr-serverless:CreateApplication",
"emr-serverless:UpdateApplication",
"emr-serverless:DeleteApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:StopApplication",
"emr-serverless:StartJobRun",
"emr-serverless:CancelJobRun",
"emr-serverless:ListJobRuns",
"emr-serverless:GetJobRun",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowEMRBasicActions",
"Action": [
"elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:UpdateStudio",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:DeleteEditor",
"elasticmapreduce:OpenEditorInConsole",
"elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:CreateStudio",
"elasticmapreduce:DescribeStudio",
"elasticmapreduce:DeleteStudio",
"elasticmapreduce:ListStudios",
"elasticmapreduce:CreateStudioPresignedUrl"
],
"Resource": [
"*"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingRuntimeRoleForRunningEMRServerlessJob",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/serverless-runtime-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowPassingServiceRoleForWorkspaceCreation",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::*:role/emr-studio-service-role"
],
"Effect": "Allow"
},
{
"Sid": "AllowS3ListAndGetPermissions",
"Action": [
"s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::*"
],
"Effect": "Allow"
},
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
},
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
```
------
## AWS Identity and Access Management EMR Studio 使用者的 許可
下表會細分使用者可能執行的每個 Amazon EMR Studio 操作,並列出執行該操作所需的最低 IAM 動作。在 EMR Studio 的 IAM 許可政策 (當您使用 IAM 身分驗證時) 或您的使用者角色工作階段政策 (當您使用 IAM Identity Center 身分驗證時) 中允許這些動作。
此資料表也會顯示 EMR Studio 的每個範例許可政策中允許的操作。如需有關範例許可政策的詳細資訊,請參閱 [建立 EMR Studio 使用者的許可政策](#emr-studio-permissions-policies)。
| Action | 基本 | 中級 | Advanced (進階) | 關聯動作 |
| --- | --- | --- | --- | --- |
| 建立和刪除工作區 | 是 | 是 | 是 | "elasticmapreduce:CreateEditor",
"elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:DeleteEditor"
|
| 檢視協同合作面板,啟用工作區協同合作,以及新增協同合作者。如需詳細資訊,請參閱[設定工作區協同合作的擁有權](#emr-studio-workspace-collaboration-permissions)。 | 是 | 是 | 是 | "elasticmapreduce:UpdateEditor",
"elasticmapreduce:PutWorkspaceAccess",
"elasticmapreduce:DeleteWorkspaceAccess",
"elasticmapreduce:ListWorkspaceAccessIdentities"
|
| 在建立新的 EMR 叢集時,查看與 Studio 相同帳戶中的 Amazon S3 Control 儲存貯體清單,並在使用 Web UI 偵錯應用程式時存取容器日誌 | 是 | 是 | 是 | "s3:ListAllMyBuckets",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject"
|
| 存取工作區 | 是 | 是 | 是 | "elasticmapreduce:DescribeEditor",
"elasticmapreduce:ListEditors",
"elasticmapreduce:StartEditor",
"elasticmapreduce:StopEditor",
"elasticmapreduce:OpenEditorInConsole"
|
| 附接或分離與工作區相關聯的現有 Amazon EMR 叢集 | 是 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:ListInstanceGroups",
"elasticmapreduce:ListBootstrapActions"
|
| 附接或分離 Amazon EMR on EKS 叢集 | 是 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListManagedEndpoints",
"emr-containers:DescribeManagedEndpoint",
"emr-containers:GetManagedEndpointSessionCredentials"
|
| 附接或分離與工作區相關聯的 EMR Serverless 應用程式 | 否 | 是 | 是 | "elasticmapreduce:AttachEditor",
"elasticmapreduce:DetachEditor",
"emr-serverless:GetApplication",
"emr-serverless:StartApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:AccessInteractiveEndpoints",
"iam:PassRole"
需要 `PassRole` 許可才能傳遞 EMR Serverless 作業執行期角色。如需詳細資訊,請參閱《Amazon EMR Serverless 使用者指南》**中的[作業執行期角色](https://docs.aws.amazon.com/emr/latest/EMR-Serverless-UserGuide/security-iam-runtime-role.html)。 |
| 使用持久性應用程式使用者介面對 EC2 上的 Amazon EMR 作業進行偵錯 | 是 | 是 | 是 | "elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"elasticmapreduce:ListClusters",
"elasticmapreduce:ListSteps",
"elasticmapreduce:DescribeCluster",
"s3:ListBucket",
"s3:GetObject"
|
| 使用叢集上的應用程式使用者介面對 EC2 上的 Amazon EMR 作業進行偵錯 | 是 | 是 | 是 | "elasticmapreduce:GetOnClusterAppUIPresignedURL"
|
| 使用 Spark 歷史記錄伺服器,對 Amazon EMR on EKS 作業執行進行偵錯 | 是 | 是 | 是 | "elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL",
"emr-containers:ListVirtualClusters",
"emr-containers:DescribeVirtualCluster",
"emr-containers:ListJobRuns",
"emr-containers:DescribeJobRun",
"s3:ListBucket",
"s3:GetObject"
|
| 建立和刪除 Git 儲存庫 | 是 | 是 | 是 | "elasticmapreduce:CreateRepository",
"elasticmapreduce:DeleteRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:DescribeRepository",
"secretsmanager:CreateSecret",
"secretsmanager:ListSecrets",
"secretsmanager:TagResource"
|
| 連結和解除連結 Git 儲存庫 | 是 | 是 | 是 | "elasticmapreduce:LinkRepository",
"elasticmapreduce:UnlinkRepository",
"elasticmapreduce:ListRepositories",
"elasticmapreduce:DescribeRepository"
|
| 從預先定義的叢集範本中建立新叢集 | 否 | 是 | 是 | "servicecatalog:SearchProducts",
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ProvisionProduct",
"servicecatalog:UpdateProvisionedProduct",
"servicecatalog:ListProvisioningArtifacts",
"servicecatalog:DescribeRecord",
"servicecatalog:ListLaunchPaths",
"cloudformation:DescribeStackResources",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster"
|
| 提供叢集組態以建立新叢集。 | 否 | 否 | 是 | "elasticmapreduce:RunJobFlow",
"iam:PassRole",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeCluster"
|
| [使用 IAM 身分驗證模式時,將使用者指派給 Studio。](emr-studio-manage-users.md#emr-studio-assign-users-groups) | 否 | 否 | 否 | "elasticmapreduce:CreateStudioPresignedUrl"
|
| 描述網路物件。 | 是 | 是 | 是 | JSON
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DescribeNetwork",
"Effect": "Allow",
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups"
],
"Resource": [
"*"
]
}
]
}
``` |
| 列出 IAM 角色。 | 是 | 是 | 是 | JSON
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListIAMRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoles"
],
"Resource": [
"*"
]
}
]
}
``` |
| [從 Amazon SageMaker AI Studio 連線至 EMR Studio,並使用 Data Wrangler 視覺化界面。](https://aws.amazon.com/blogs/machine-learning/prepare-data-from-amazon-emr-for-machine-learning-using-amazon-sagemaker-data-wrangler/) | 否 | 否 | 是 | "sagemaker:CreatePresignedDomainUrl",
"sagemaker:DescribeDomain",
"sagemaker:ListDomains",
"sagemaker:ListUserProfiles"
|
| [在 EMR Studio 中使用 Amazon CodeWhisperer。](emr-studio-codewhisperer.md) | 否 | 否 | 是 | "codewhisperer:GenerateRecommendations"
|
| [從 EMR Studio 存取 Amazon Athena SQL 編輯器。](emr-studio-athena.md)此清單可能不包含使用所有 Athena 功能所需的所有許可。如需最新清單,請參閱 [Athena 完整存取政策](https://docs.aws.amazon.com/athena/latest/ug/managed-policies.html#amazonathenafullaccess-managed-policy)。 | 否 | 否 | 是 | "athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryRuntimeStatistics",
"athena:GetQueryResults",
"athena:ListQueryExecutions",
"athena:BatchGetQueryExecution",
"athena:GetNamedQuery",
"athena:ListNamedQueries",
"athena:BatchGetNamedQuery",
"athena:UpdateNamedQuery",
"athena:DeleteNamedQuery",
"athena:ListDataCatalogs",
"athena:GetDataCatalog",
"athena:ListDatabases",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetTableMetadata",
"athena:ListWorkGroups",
"athena:GetWorkGroup",
"athena:CreateNamedQuery",
"athena:GetPreparedStatement",
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition",
"kms:ListAliases",
"kms:ListKeys",
"kms:DescribeKey",
"lakeformation:GetDataAccess",
"s3:GetBucketLocation",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject",
"s3:PutBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
|