When you run components such as Hadoop and Spark in your E-MapReduce (EMR) cluster, you must grant the components the permissions to access other Alibaba Cloud resources and perform related operations. Each EMR cluster must be configured with service roles and ECS application roles. This topic describes how to authorize a role and also describes the roles that are associated with EMR.

Background information

EMR provides default system roles and default system policies. System policies are created and maintained by Alibaba Cloud. If service requirements change, the system policies are automatically updated.

When you use EMR for the first time, you must use your Alibaba Cloud account to authorize the following roles to EMR: AliyunEMRDefaultRole and, depending on the EMR version, either AliyunECSInstanceForEMRRole or AliyunEmrEcsDefaultRole. After the authorization is complete, you can view the roles in the RAM console and attach policies to the roles. For more information about the roles, see RAM role overview.
Notice
  • When you use EMR for the first time, you must authorize default system roles to EMR by using your Alibaba Cloud account. Otherwise, your Alibaba Cloud account and the RAM users of this account cannot use EMR.
  • If you want to delete a service role, make sure that the resources that use the role are released. Otherwise, the use of the resources is affected.
  • If only some roles are authorized, the EMR console reminds you of the authorization. You can create a cluster only after all roles are authorized.
    • In EMR V3.32.0 and earlier V3.X.X versions as well as in EMR V4.5.0 and earlier V4.X.X versions, jobs use the AliyunEmrEcsDefaultRole role to access external resources.
    • In V3.X.X versions later than EMR V3.32.0 as well as in V4.X.X versions later than EMR V4.5.0, jobs use the AliyunECSInstanceForEMRRole role to access external resources.

Procedure

EMR V3.30 is used in this example.

  1. In the EMR console, click Authorize in RAM.
    When you create an EMR cluster or create an execution plan as required with a new cluster, if default roles are not authorized to EMR, the following information appears.
  2. On the page that appears, click Confirm Authorization Policy to authorize the default roles AliyunEMRDefaultRole and AliyunEmrEcsDefaultRole to EMR.
  3. Refresh the EMR console to use the services in the console.
    To view policy details for the AliyunEMRDefaultRole and AliyunEmrEcsDefaultRole roles, log on to the RAM console.

Service roles

The following table describes the RAM roles that are associated with EMR.
| Attribute | Default role | Description | System policy |
| --- | --- | --- | --- |
| EMR service role | AliyunEMRDefaultRole | This role allows you to use EMR to access other Alibaba Cloud services when you configure resources and perform service-level operations on your EMR cluster. This role is required for all clusters and cannot be changed. For more information, see EMR service role. | AliyunEMRRolePolicy |
| ECS application role (used in EMR V3.32.0 and earlier V3.X.X versions as well as in EMR V4.5.0 and earlier V4.X.X versions) | AliyunEmrEcsDefaultRole | This role is used when application processes that run on your cluster access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role. For more information about this role, see ECS application role (used in EMR V3.32.0 and earlier V3.X.X versions as well as in EMR V4.5.0 and earlier V4.X.X versions). | AliyunEMRECSRolePolicy |
| ECS application role (used in V3.X.X versions later than EMR V3.32.0 as well as in V4.X.X versions later than EMR V4.5.0) | AliyunECSInstanceForEMRRole | This role is used when application processes that run on your cluster access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role. For more information about this role, see ECS application role (used in V3.X.X versions later than EMR V3.32.0 as well as in V4.X.X versions later than EMR V4.5.0). | AliyunECSInstanceForEMRRolePolicy |
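
The version rule above decides which ECS application role a cluster's jobs depend on, so a pre-flight check can flag clusters whose role has not been authorized. The following Python sketch is an added example, not Alibaba Cloud code: the cluster inventory and the set of roles present are constructed sample data, the function names are hypothetical, and it assumes the default roles are used rather than a custom ECS application role.

```python
import re

SERVICE_ROLE = "AliyunEMRDefaultRole"
LEGACY_ECS_ROLE = "AliyunEmrEcsDefaultRole"
CURRENT_ECS_ROLE = "AliyunECSInstanceForEMRRole"
# Last version per major line that still uses the legacy role (from this page).
LEGACY_CUTOFF = {3: (3, 32, 0), 4: (4, 5, 0)}


def parse_version(text):
    """Turn 'V3.30' or 'V3.32.0' into a 3-tuple, padding a missing part with 0."""
    m = re.fullmatch(r"\s*(?:EMR[-\s]?)?V?(\d+)\.(\d+)(?:\.(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised EMR version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def ecs_role_for(version):
    """Default ECS application role for a version, or None if the page gives no rule."""
    ver = parse_version(version)
    cutoff = LEGACY_CUTOFF.get(ver[0])
    if cutoff is None:
        return None  # the page only covers V3.X.X and V4.X.X
    return LEGACY_ECS_ROLE if ver <= cutoff else CURRENT_ECS_ROLE


def audit(clusters, roles_present):
    """Return {cluster name: [problems]} for clusters that would lack a default role."""
    findings = {}
    for name, version in clusters.items():
        problems = []
        if SERVICE_ROLE not in roles_present:
            problems.append(f"missing {SERVICE_ROLE}")
        ecs_role = ecs_role_for(version)
        if ecs_role is None:
            problems.append("version outside V3/V4: check ECS role manually")
        elif ecs_role not in roles_present:
            problems.append(f"missing {ecs_role}")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample data: cluster name -> EMR version, and role names seen in RAM.
CLUSTERS = {"etl-legacy": "V3.30", "etl-boundary": "V3.32.0",
            "ml-new": "V4.6.0", "lab": "V5.1.0"}
ROLES_PRESENT = {"AliyunEMRDefaultRole", "AliyunEmrEcsDefaultRole"}

if __name__ == "__main__":
    for cluster, problems in audit(CLUSTERS, ROLES_PRESENT).items():
        print(cluster, "->", "; ".join(problems))
```

In practice the role set would come from the list of roles shown in the RAM console; a cluster created with a custom ECS application role needs that role checked instead.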