The E-MapReduce (EMR) service role allows you to use EMR to access other Alibaba Cloud services when you configure resources or perform service-level operations on your EMR cluster. For example, the service role can be used to create an ECS instance when you start an EMR cluster. This topic describes the EMR service role AliyunEMRDefaultRole and policies of this role.

Background information

Notice The EMR service role cannot be changed. This avoids impacts on the service stability of EMR. In addition, do not delete or modify system policies of this role in the RAM console.


The default role AliyunEMRDefaultRole is configured with the policy AliyunEMRRolePolicy.

The following tables describe the permissions of this role.
  • ECS-related permissions
    Permission (Action) Description
    ecs:CreateInstance Creates an ECS instance.
    ecs:RenewInstance Renews an ECS instance.
    ecs:DescribeRegions Queries the region information of an ECS instance.
    ecs:DescribeZones Queries the zone information of an ECS instance.
    ecs:DescribeImages Queries the image information of an ECS instance.
    ecs:CreateSecurityGroup Creates a security group.
    ecs:AllocatePublicIpAddress Assigns a public IP address to an ECS instance.
    ecs:DeleteInstance Deletes an ECS instance.
    ecs:StartInstance Starts an ECS instance.
    ecs:StopInstance Stops an ECS instance.
    ecs:DescribeInstances Queries ECS instances.
    ecs:DescribeDisks Queries the disk information of an ECS instance.
    ecs:AuthorizeSecurityGroup Specifies inbound rules for a security group.
    ecs:AuthorizeSecurityGroupEgress Specifies outbound rules for a security group.
    ecs:DescribeSecurityGroupAttribute Queries details of a security group.
    ecs:DescribeSecurityGroups Queries security groups.
  • OSS-related permissions
    Permission (Action) Description
    oss:PutObject Uploads a file or folder.
    oss:GetObject Obtains a file or folder.
    oss:ListObjects Queries files.