All Products
Search
Document Center

E-MapReduce:Assign roles to an Alibaba Cloud account

Last Updated:Jan 22, 2024

When you run components such as Hadoop and Spark in your E-MapReduce (EMR) cluster, you must grant the components the permissions to access other Alibaba Cloud services and perform related operations. Each EMR cluster must be configured with service roles and ECS application roles. This topic describes how to assign roles to EMR and also describes the roles that are associated with EMR.

Background information

EMR provides default system roles and default system policies. System policies are created and maintained by Alibaba Cloud. If service requirements change, the system policies are accordingly updated.

When you use EMR for the first time, you must use your Alibaba Cloud account to assign the AliyunEMRDefaultRole and AliyunECSInstanceForEMRRole or AliyunEmrEcsDefaultRole roles to EMR. After the roles are assigned, you can view the roles in the RAM console and attach policies to the roles. For more information about the roles, see RAM role overview.
Important
  • Roles that are required for EMR vary based on the EMR version.
    • In EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version: AliyunEmrEcsDefaultRole
    • In a minor version later than EMR V3.32.0 or EMR V4.5.0: AliyunECSInstanceForEMRRole
  • When you use EMR for the first time, you must use your Alibaba Cloud account to assign default system roles to EMR. Otherwise, your Alibaba Cloud account and the RAM users within your Alibaba Cloud account cannot use EMR.
  • If you want to delete a service role, make sure that the resources that use the role are released. Otherwise, the use of the resources is affected.
  • If only some roles are assigned, the EMR console sends you a notification. You can create a cluster only after all roles are assigned.

Procedure

  1. Log on to the EMR console.

  2. Go to the Dependency Check page, find the desired check item, and then click Authorize Now in the Actions column.

    Note

    When you use EMR for the first time, you must assign default system roles to EMR. Then, you do not need to repeat the assignment operation when you use EMR again.

  3. On the Cloud Resource Access Authorization page, click Agree to Authorization in the lower part of the page.

    By default, the AliyunEMRDefaultRole and AliyunECSInstanceForEMRRole roles are selected.

Service roles

The following table describes the RAM roles that are associated with EMR.

Attribute

Default role

Description

System policy

EMR service role

AliyunEMRDefaultRole

This role allows you to use EMR to access other Alibaba Cloud services when you configure resources and perform service-level operations on your EMR cluster. This role is required for all clusters and cannot be changed.

For more information, see EMR service roles.

AliyunEMRRolePolicy

AliyunEMRManagedCostRole 

This role is used when you use the auto scaling cost analysis feature for the first time. This role allows you to view bill details on the billing management page.

AliyunEMRManagedCostRolePolicy

ECS application role (used in EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version)

AliyunEmrEcsDefaultRole

This role allows application processes that run on your cluster to access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role.

For more information about this role, see ECS application role (used in EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version).

AliyunEMRECSRolePolicy

ECS application role (used in a minor version later than EMR V3.32.0 or EMR V4.5.0)

AliyunECSInstanceForEMRRole

This role allows application processes that run on your cluster to access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role.

For more information about this role, see ECS application role (used in a minor version later than EMR V3.32.0 or EMR V4.5.0).

AliyunECSInstanceForEMRRolePolicy

ECS application role (used in EMR Studio by default)

AliyunECSInstanceForEMRStudioRole

This role allows you to use EMR Studio to access your resources in other Alibaba Cloud services.

If this role is not assigned to your account, a window appears, which prompts you to assign this role when you create an EMR Studio cluster for the first time. To assign this role, use your Alibaba Cloud account.

AliyunECSInstanceForEMRStudioRolePolicy

What to do next

If you want to manage EMR clusters as a RAM user, refer to Create a RAM user and Grant permissions to RAM users to create a RAM user and grant the required collaborative development permissions to the RAM user.