Use a custom ECS application role to access cloud resources of the same account - Best Practices| Alibaba Cloud Documentation Center

When you create a cluster in the E-MapReduce (EMR) console, you can configure a custom ECS application role in the Advanced Settings section of the Basic Settings step. After the cluster is created, you can access other cloud resources that belong to your Alibaba Cloud account from the cluster in password-free mode. For example, you can access Object Storage Service (OSS) and Log Service.

Background information

You can attach permission policies to a custom ECS application role to control access to external resources from clusters. For example, you can impose the following limits:

A cluster can access only specified OSS data directories.
A cluster can access specified external resources.

The default ECS application role is AliyunEmrEcsDefaultRole. For more information, see MetaService.

Procedure

Step 1: Create a permission policy
Step 2: Create a RAM role
Step 3: Create a cluster and access external resources

Step 1: Create a permission policy

Log on to the RAM console by using an Alibaba Cloud account.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.
On the Create Custom Policy page, specify Policy Name.
In this example, the policy name is test-emr.
Select Script for Configuration Mode.
Enter the following policy content to the script editor:
```
{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:GetObject",
                "oss:ListObjects"
            ],
            "Resource": [
                "acs:oss:*:*:emr-logs2",
                "acs:oss:*:*:emr-logs2/*"
            ],
            "Effect": "Allow"
        }
    ]
}
```
- Action: the permissions on external resources. In this example, the permissions to read and query OSS data are granted.
- Resource: the external resources that can be accessed. In this example, the resources are the OSS bucket emr-logs2 and the objects in this OSS bucket.
Click OK.

Step 2: Create a RAM role

Log on to the RAM console by using an Alibaba Cloud account.
Create a RAM role.
1. In the left-side navigation pane, click RAM Roles.
2. On the RAM Roles page, click Create RAM Role.
3. In the Create RAM Role pane, select Alibaba Cloud Service and click Next.
4. Specify RAM Role Name and select MaxCompute from the Select Trusted Service drop-down list.
5. Click OK.
Change the trusted service.
1. On the RAM Roles page, click the name of the created RAM role.
2. Click the Trust Policy Management tab.
3. Click Edit Trust Policy.
4. Change ecs.aliyuncs.com to emr.aliyuncs.com.
5. Click OK.
Add specific permissions.
1. On the RAM Roles page, find the created RAM role and click Add Permissions in the Actions column.
2. In the Add Permissions panel, click Custom Policy and select the permission policy created in Step 1.
3. Click OK.
4. Click Complete.

Step 3: Create a cluster and access external resources

Log on to the EMR console.
In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
Click Cluster Wizard to create a cluster. In the Advanced Settings section of the Basic Settings step, enter the name of the role created in Step 2: Create a RAM role to the ECS Role field. For more information, see Create a cluster.
After the cluster is created, log on to the master node of the cluster by using SSH. For more information, see Connect to the master node of an EMR cluster in SSH mode.
- If you are not authorized to access the bucket specified in the permission policy, the following information appears.
- If you are authorized to access the bucket specified in the permission policy, the following information appears.

FAQ

Q: The NoPermission message appears when I create a cluster. What do I do?
A: Check whether the following conditions are met:
1. The RAM user that you used to create the cluster is authorized to create clusters and change ECS application roles. If the permission granted to the RAM user is AliyunEMRDevelopAccess, you must change it to AliyunEMRFullAccess.
2. The name of the ECS application role you specified during cluster creation is correct.
3. The trust policy is changed to emr.aliyuncs.com.
Q: I cannot access an OSS bucket from HDFS. What do I do?
A: Perform the following troubleshooting operations in sequence:
1. Check whether the OSS bucket you want to access resides in the same region as your cluster. If the OSS bucket and your cluster do not reside in the same region, you must add the endpoint of the OSS bucket to the access links.
2. Check whether the OSS bucket you want to access is one of the resources specified in the created permission policy. If the OSS bucket is not one of the resources, modify the policy.
3. Check whether the related permissions on the OSS bucket are configured in the OSS console. If they are, you must cancel the settings in the OSS console and specify Action in the permission policy to configure the permissions.