When you create a cluster in the E-MapReduce (EMR) console, you can configure a custom ECS application role in the Advanced Settings section of the Basic Settings step. After the cluster is created, you can access other cloud resources that belong to your Alibaba Cloud account from the cluster in password-free mode. For example, you can access Object Storage Service (OSS) and Log Service.
Background information
You can attach permission policies to a custom ECS application role to control access to external resources from clusters. For example, you can impose the following limits:
- A cluster can access only specified OSS data directories.
- A cluster can access specified external resources.
The default ECS application role is AliyunEmrEcsDefaultRole. For more information, see MetaService.
Procedure
Step 1: Create a permission policy
Step 2: Create a RAM role
- Log on to the RAM console by using an Alibaba Cloud account.
- Create a RAM role.
- Change the trusted service.
- Add specific permissions.
  - On the RAM Roles page, find the created RAM role and click Add Permissions in the Actions column.
  - In the Add Permissions panel, click Custom Policy and select the permission policy created in Step 1.
  - Click OK.
  - Click Complete.
Step 3: Create a cluster and access external resources
FAQ
- Q: The NoPermission message appears when I create a cluster. What do I do?
  A: Check whether the following conditions are met:
  - The RAM user that you used to create the cluster is authorized to create clusters and change ECS application roles. If the permission granted to the RAM user is AliyunEMRDevelopAccess, you must change it to AliyunEMRFullAccess.
  - The name of the ECS application role you specified during cluster creation is correct.
  - The trusted service in the trust policy of the role is changed to emr.aliyuncs.com.
- Q: I cannot access an OSS bucket from HDFS. What do I do?
  A: Perform the following troubleshooting operations in sequence:
  - Check whether the OSS bucket you want to access resides in the same region as your cluster. If the OSS bucket and your cluster do not reside in the same region, you must add the endpoint of the OSS bucket to the access links.
  - Check whether the OSS bucket you want to access is one of the resources specified in the created permission policy. If the OSS bucket is not one of the resources, modify the policy.
  - Check whether the related permissions on the OSS bucket are configured in the OSS console. If they are, you must cancel the settings in the OSS console and specify Action in the permission policy to configure the permissions.
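Two of the FAQ checks above, whether the role trusts emr.aliyuncs.com and whether the permission policy actually covers the OSS path being accessed, can be verified offline against the policy documents. The following is an added example, not part of the EMR documentation: the policy documents, bucket and directory names are constructed placeholders, the function names are hypothetical, Condition blocks are ignored, and RAM wildcard matching is approximated with `fnmatch`.

```python
from fnmatch import fnmatchcase

# Constructed sample documents; bucket and directory names are placeholders.
TRUST_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {"Service": ["emr.aliyuncs.com"]},
    }],
}
PERMISSION_POLICY = {  # limits the cluster to one OSS data directory
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:PutObject"],
        "Resource": ["acs:oss:*:*:example-bucket/warehouse/*"],
    }],
}

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def trusts_emr(trust_policy):
    """True if an Allow statement lets emr.aliyuncs.com assume the role."""
    for st in trust_policy.get("Statement", []):
        services = _as_list(st.get("Principal", {}).get("Service", []))
        if (st.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(st.get("Action", []))
                and "emr.aliyuncs.com" in services):
            return True
    return False

def oss_allowed(policy, action, bucket, key):
    """Evaluate Allow/Deny statements for one OSS object; explicit Deny wins."""
    target, allowed = f"{bucket}/{key}", False
    for st in policy.get("Statement", []):
        # Compare only the "bucket/key" tail of each acs:oss:region:account:... resource.
        hit = (any(fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
               and any(fnmatchcase(target, r.split(":", 4)[-1])
                       for r in _as_list(st.get("Resource", []))))
        if hit and st.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and st.get("Effect") == "Allow")
    return allowed
```

A `False` result from `oss_allowed` for a path the job needs corresponds to the second troubleshooting item: the bucket or directory is not among the resources in the policy created in Step 1.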