When you use E-MapReduce (EMR) for the first time, you must assign the default system roles AliyunEMRDefaultRole and AliyunEmrEcsDefaultRole to EMR by using your Alibaba Cloud account.

Background information

For more information about the roles, see RAM role overview.

  • After the AliyunEMRDefaultRole role is assigned, you can use EMR to access other services such as ECS and OSS, create clusters, and store logs. For more information about the permissions of this role, see AliyunEMRDefaultRole.
  • After the AliyunEmrEcsDefaultRole role is assigned, your EMR clusters can access Alibaba Cloud resources (such as OSS) without an AccessKey pair. For more information, see MetaService. After the role authorization is complete, you can use a default role or a custom role to create a cluster. For more information about the permissions of the AliyunEmrEcsDefaultRole role, see AliyunEMREcsDefaultRole.
    Notice: When you use EMR for the first time, you must assign default system roles to EMR by using your Alibaba Cloud account. Otherwise, your Alibaba Cloud account and RAM users under this account cannot use EMR.

Procedure

  1. Create an EMR cluster, or create an execution plan with a new cluster, as required. If the default roles are not assigned to EMR, a role authorization message appears.
  2. Click Authorize in RAM. On the page that appears, click Confirm Authorization Policy to assign the default roles AliyunEMRDefaultRole and AliyunEmrEcsDefaultRole to EMR.
  3. Refresh the EMR console to use the services in the console. To view policy details for the AliyunEMRDefaultRole and AliyunEmrEcsDefaultRole roles, log on to the RAM console.

Permissions of the default roles

  • AliyunEMRDefaultRole

    AliyunEMRDefaultRole contains AliyunEMRRolePolicy. The following tables describe the permissions of this role.

    • ECS-related permissions
      Permission (Action)                 Description
      ecs:CreateInstance                  Creates an ECS instance.
      ecs:RenewInstance                   Renews an ECS instance.
      ecs:DescribeRegions                 Queries the region information of an ECS instance.
      ecs:DescribeZones                   Queries the zone information of an ECS instance.
      ecs:DescribeImages                  Queries the image information of an ECS instance.
      ecs:CreateSecurityGroup             Creates a security group.
      ecs:AllocatePublicIpAddress         Assigns a public IP address to an ECS instance.
      ecs:DeleteInstance                  Deletes an ECS instance.
      ecs:StartInstance                   Starts an ECS instance.
      ecs:StopInstance                    Stops an ECS instance.
      ecs:DescribeInstances               Queries ECS instances.
      ecs:DescribeDisks                   Queries the disk information of an ECS instance.
      ecs:AuthorizeSecurityGroup          Sets inbound rules for a security group.
      ecs:AuthorizeSecurityGroupEgress    Sets outbound rules for a security group.
      ecs:DescribeSecurityGroupAttribute  Views details of a security group.
      ecs:DescribeSecurityGroups          Queries security groups.
    • OSS-related permissions
      Permission (Action)  Description
      oss:PutObject        Uploads a file or folder.
      oss:GetObject        Obtains a file or folder.
      oss:ListObjects      Queries files.
  • AliyunEmrEcsDefaultRole

    AliyunEmrEcsDefaultRole contains AliyunEMRRolePolicy. The following table describes OSS-related permissions of this role.

    Permission (Action)       Description
    oss:PutObject             Uploads a file or folder.
    oss:GetObject             Obtains a file or folder.
    oss:ListObjects           Queries files.
    oss:DeleteObject          Deletes a file.
    oss:AbortMultipartUpload  Terminates a multipart upload event.
    Note: You can attach policies to the role based on your business requirements.
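
Because additional policies can be attached to the role, it is worth checking what a custom policy grants beyond the actions listed above for AliyunEmrEcsDefaultRole. The following is an added example, not code from the EMR documentation: it assumes the standard RAM policy JSON layout (Version, Statement, Effect, Action, Resource), and the sample policy, the bucket name example-bucket, and the helper names as_list and audit are constructed for illustration.

```python
import fnmatch
import json

# Actions this page lists for AliyunEmrEcsDefaultRole (the role EMR cluster nodes use).
DOCUMENTED_ACTIONS = {
    "oss:PutObject", "oss:GetObject", "oss:ListObjects",
    "oss:DeleteObject", "oss:AbortMultipartUpload",
}

# Constructed sample: a custom policy someone attached to the role (not a real export).
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["oss:GetObject", "oss:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "oss:*", "Resource": "acs:oss:*:*:example-bucket/*"},
    {"Effect": "Allow", "Action": ["ecs:DeleteInstance"], "Resource": "*"},
    {"Effect": "Deny", "Action": "oss:DeleteBucket", "Resource": "*"}
  ]
}
""")

def as_list(value):
    """RAM policy fields may hold one string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def audit(policy, baseline=DOCUMENTED_ACTIONS):
    """Return (kind, action, resource, covered) for Allow grants beyond the baseline."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in as_list(stmt.get("Action", [])):
            for resource in as_list(stmt.get("Resource", [])):
                if "*" in action:
                    # A wildcard grants every matching action, documented or not.
                    covered = sorted(b for b in baseline if fnmatch.fnmatchcase(b, action))
                    findings.append(("wildcard", action, resource, covered))
                elif action not in baseline:
                    findings.append(("undocumented", action, resource, []))
    return findings

if __name__ == "__main__":
    for kind, action, resource, covered in audit(SAMPLE_POLICY):
        print(f"{kind:12} {action:22} on {resource}  covers={covered}")
```

On the sample, the check reports the oss:* wildcard and the ecs:DeleteInstance grant, which this page lists only under AliyunEMRDefaultRole.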