When you create a cluster in the E-MapReduce (EMR) console, you can configure a custom Elastic Compute Service (ECS) application role in the Advanced Settings section of the Basic Settings step. After the cluster is created, the cluster can access other cloud resources that belong to your Alibaba Cloud account, such as Object Storage Service (OSS) and Log Service, without an AccessKey pair being stored on the nodes: the ECS instances obtain short-lived credentials for the role, so the cluster can only do what the policies attached to that role allow.

Background information

You can attach permission policies to a custom ECS application role to control access to external resources from clusters. For example, you can impose the following limits:
  • A cluster can access only specified OSS data directories.
  • A cluster can access specified external resources.

The default ECS application role is AliyunEmrEcsDefaultRole. For more information, see ECS application role (used in EMR V3.32.0 and earlier V3.X.X versions as well as in EMR V4.5.0 and earlier V4.X.X versions).

Procedure

  1. Step 1: Create a permission policy
  2. Step 2: Create a RAM role
  3. Step 3: Create a cluster and access external resources

Step 1: Create a permission policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, specify Policy Name.
    In this example, the policy name is test-emr.
  5. Select Script for Configuration Mode.
    Enter the following policy content to the script editor:
    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "oss:GetObject",
                    "oss:ListObjects"
                ],
                "Resource": [
                    "acs:oss:*:*:emr-logs2",
                    "acs:oss:*:*:emr-logs2/*"
                ],
                "Effect": "Allow"
            }
        ]
    }
    • Action: the operations that the cluster is allowed to perform on external resources. In this example, oss:GetObject (read an object) and oss:ListObjects (list the objects in a bucket) are granted; write and delete operations are not.
    • Resource: the external resources that the actions apply to. In this example, the bucket emr-logs2 itself (required by oss:ListObjects, which is a bucket-level operation) and all objects in the bucket (required by oss:GetObject). Omitting either entry causes one of the two operations to fail even though the other succeeds.
  6. Click OK.

Step 2: Create a RAM role

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. Create a RAM role.
    1. In the left-side navigation pane, choose Identities > Roles.
    2. On the Roles page, click Create Role.
    3. In the Create Role panel, select Alibaba Cloud Service.
    4. Click Next.
    5. Specify RAM Role Name and select Elastic Compute Service from the Select Trusted Service drop-down list. The trusted service is changed in the next substep.
    6. Click OK.
  3. Change the trusted service. EMR assumes the role on behalf of the cluster, so the service principal in the trust policy must be emr.aliyuncs.com rather than the ecs.aliyuncs.com that the wizard inserts.
    1. On the Roles page, click the name of the RAM role that you created.
    2. Click the Trust Policy Management tab.
    3. Click Edit Trust Policy.
    4. Change ecs.aliyuncs.com to emr.aliyuncs.com in the Service list of the Principal element.
    5. Click OK.
  4. Add specific permissions.
    1. On the Roles page, find the RAM role that you created and click Add Permissions in the Actions column.
    2. In the Add Permissions panel, click Custom Policy and select the permission policy created in Step 1.
    3. Click OK.
    4. Click Complete.

Step 3: Create a cluster and access external resources

  1. Log on to the Alibaba Cloud EMR console.
  2. In the top navigation bar, select the region where your cluster resides and select a resource group based on your business requirements.
  3. Click Cluster Wizard to create a cluster. In the Advanced Settings section of the Basic Settings step, enter the name of the role created in Step 2: Create a RAM role to the ECS Role field. For more information, see Create a cluster.
  4. After the cluster is created, log on to the master node of the cluster by using SSH and try to list the bucket named in the permission policy. For more information, see Log on to a cluster.
    • If the role is not authorized to access the bucket specified in the permission policy, the request is rejected with a permission error.
    • If the role is authorized to access the bucket specified in the permission policy, the listing of emr-logs2 is returned.

FAQ

  • Q: The NoPermission message appears when I create a cluster. What do I do?
    A: Check whether the following conditions are met:
    1. The RAM user that you used to create the cluster is authorized to create clusters and to set ECS application roles. If the RAM user only has the AliyunEMRDevelopAccess policy, replace it with AliyunEMRFullAccess.
    2. The name of the ECS application role that you specified when you created the cluster exactly matches the role created in Step 2.
    3. The trust policy is changed to emr.aliyuncs.com.
  • Q: I cannot access an OSS bucket from HDFS commands on the cluster. What do I do?
    A: Perform the following troubleshooting operations in sequence:
    1. Check whether the OSS bucket that you want to access resides in the same region as your cluster. If the OSS bucket and your cluster do not reside in the same region, you must specify the OSS endpoint of the bucket's region explicitly in the path that you access.
    2. Check whether the OSS bucket that you want to access is one of the resources specified in the created permission policy. If the OSS bucket is not one of the resources, modify the policy.
    3. Check whether permissions on the OSS bucket were also configured in the OSS console (for example, as a bucket policy). If they were, remove those settings in the OSS console and grant the required operations through the Action element of the permission policy attached to the role instead, so that a single policy is the source of truth for what the cluster may do.
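The policy in Step 1, the trust policy change in Step 2 and the second and third FAQ checks (does the permission policy actually cover the bucket and action, does the trust policy name emr.aliyuncs.com) can be verified locally against the policy JSON before a cluster is created. The following Python is an added example, not part of this page or of EMR. It assumes the documented RAM policy semantics (`*` and `?` wildcards in Action and Resource, an explicit Deny overriding Allow) and ignores Condition elements; the trust policy, the account ID and the object paths are constructed for the example.

```python
import fnmatch
import json

# Constructed input: the permission policy from Step 1, verbatim.
PERMISSION_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Resource": ["acs:oss:*:*:emr-logs2", "acs:oss:*:*:emr-logs2/*"],
            "Effect": "Allow"
        }
    ]
}
""")

# Constructed input: the trust policy as it should read after Step 2
# (principal changed from ecs.aliyuncs.com to emr.aliyuncs.com).
TRUST_POLICY = json.loads("""
{
    "Version": "1",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": ["emr.aliyuncs.com"]}
        }
    ]
}
""")


def _as_list(value):
    """RAM policies accept either a string or a list for Action, Resource and Service."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """RAM-style wildcard match: '*' and '?' are wildcards, everything else is literal.
    fnmatch also treats '[' as special, so it is escaped to keep the match literal."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def is_allowed(policy, action, resource):
    """Evaluate one action/resource pair against a permission policy.
    An explicit Deny wins; otherwise any matching Allow statement grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def trusted_services(trust_policy):
    """Return the service principals that may assume the role via sts:AssumeRole."""
    services = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services


def check_role(trust_policy, policy, action, resource):
    """Mirror the FAQ checks: the trust policy must name emr.aliyuncs.com, and the
    OSS operation on the given bucket or object must be covered by the policy.
    Returns a list of problems; an empty list means both checks pass."""
    problems = []
    if "emr.aliyuncs.com" not in trusted_services(trust_policy):
        problems.append("trust policy does not name emr.aliyuncs.com")
    if not is_allowed(policy, action, resource):
        problems.append(f"{action} on {resource} is not allowed by the policy")
    return problems


if __name__ == "__main__":
    # Constructed resource names: region cn-hangzhou, account ID 123456.
    for action, res in [
        ("oss:ListObjects", "acs:oss:cn-hangzhou:123456:emr-logs2"),
        ("oss:GetObject", "acs:oss:cn-hangzhou:123456:emr-logs2/spark/app.log"),
        ("oss:PutObject", "acs:oss:cn-hangzhou:123456:emr-logs2/spark/app.log"),
        ("oss:GetObject", "acs:oss:cn-hangzhou:123456:emr-logs2-old/x"),
    ]:
        print(action, res, check_role(TRUST_POLICY, PERMISSION_POLICY, action, res))
```

The last two sample resources show the failure modes the FAQ describes: a write to the allowed bucket is rejected because only read actions are granted, and a read from a bucket whose name merely starts with emr-logs2 is rejected because the wildcard sits after the slash, not after the bucket name.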