The E-MapReduce (EMR) service role allows you to use EMR to access other Alibaba Cloud services when you configure resources or perform service-level operations on your EMR cluster. For example, the service role can be used to create an Elastic Compute Service (ECS) instance when you start an EMR cluster. This topic describes the EMR service role AliyunEMRDefaultRole and the policies of this role.
Usage notes
To avoid impacts on the service stability of EMR, take note of the following points:
- The name of the EMR service role cannot be changed.
- Do not delete or modify system policies of this role in the RAM console.
Permissions
AliyunEMRDefaultRole is the default EMR service role. The AliyunEMRRolePolicy system policy is attached to this role.
| Action | Description |
|---|---|
| ecs:CreateInstance | Creates an ECS instance. |
| ecs:RunInstances | Creates and starts multiple ECS instances at the same time. |
| ecs:RenewInstance | Renews an ECS instance. |
| ecs:DescribeRegions | Queries the region information of an ECS instance. |
| ecs:DescribeZones | Queries the zone information of an ECS instance. |
| ecs:DescribeImages | Queries the image information of an ECS instance. |
| ecs:CreateSecurityGroup | Creates a security group. |
| ecs:AllocatePublicIpAddress | Assigns a public IP address to an ECS instance. |
| ecs:DeleteInstance | Deletes an ECS instance. |
| ecs:StartInstance | Starts an ECS instance. |
| ecs:StopInstance | Stops an ECS instance. |
| ecs:DescribeInstances | Queries an ECS instance. |
| ecs:DescribeDisks | Queries the disk information of an ECS instance. |
| ecs:AuthorizeSecurityGroup | Specifies inbound rules for a security group. |
| ecs:RevokeSecurityGroup | Deletes one or more inbound rules for a security group. After the rules are deleted, the access control implemented based on the rules is removed. |
| ecs:AuthorizeSecurityGroupEgress | Specifies outbound rules for a security group. |
| ecs:DescribeSecurityGroupAttribute | Queries the details about a security group. |
| ecs:DescribeSecurityGroups | Queries security groups. |
| ecs:DescribeInstanceHistoryEvents | Queries the system events of an ECS instance. |
| ecs:DescribeInstancesFullStatus | Queries the full status information of one or more ECS instances. |
| ecs:DescribeDisksFullStatus | Queries the full status information of one or more Elastic Block Storage (EBS) devices. |
| ecs:ModifyInstanceChargeType | Changes the billing method of one or more ECS instances. |
| ecs:ModifyPrepayInstanceSpec | Upgrades the instance type of a subscription ECS instance. |
| ecs:DescribeResourcesModification | Queries available resources within a specific zone when you upgrade instance types or replace system disks. |
| ecs:DescribeAvailableResource | Queries resources within a specific zone. |
| ecs:DescribeBandwidthLimitation | Queries the maximum public bandwidth that you can purchase or upgrade to for different instance types. |
| ecs:CreateNetworkInterface | Creates an elastic network interface (ENI). |
| ecs:DeleteNetworkInterface | Deletes an ENI. |
| ecs:DescribeNetworkInterfaces | Queries the details about one or more ENIs. |
| ecs:CreateNetworkInterfacePermission | Grants permissions to create an ENI. |
| ecs:DescribeNetworkInterfacePermissions | Queries permissions on an ENI. |
| ecs:DeleteNetworkInterfacePermission | Grants permissions to delete an ENI. |
| ecs:DescribeKeyPairs | Queries one or more key pairs. |
| ecs:DescribePrice | Queries the most recent prices of ECS resources. |
| ecs:RebootInstance | Restarts an ECS instance that is in the Running state. |
| ecs:AssignIpv6Addresses | Assigns one or more IPv6 addresses to an ENI. |
| ecs:DescribeInstanceHistoryEvents | Queries the system events of an ECS instance. |
| ecs:AcceptInquiredSystemEvent | Accepts the default operation for a system event in the Inquiring state and authorizes the system to perform the default operation. |
| ecs:RedeployInstance | Redeploys an ECS instance when the instance receives a system event notification. |
| ecs:DescribeTasks | Queries the progress of one or more asynchronous requests of an ECS instance. |
| ecs:TagResources | Creates and adds tags to an ECS instance. |
| ecs:UntagResources | Removes tags from an ECS instance. |
| ecs:ListTagResources | Queries tags that are added to an ECS instance. |
| ecs:JoinResourceGroup | Adds an ECS instance to a resource group. |
| ecs:ReportInstancesStatus | Reports an exception on one or more ECS instances. |
| ecs:ModifyInstanceAttribute | Modifies the information about an ECS instance. |
| ecs:DeleteInstances | Releases one or more pay-as-you-go ECS instances. |
| ecs:RebootInstances | Restarts one or more ECS instances that are in the Running state. |
| ecs:StartInstances | Starts one or more ECS instances that are in the Stopped state. |
| ecs:StopInstances | Stops one or more ECS instances that are in the Running state. |
| ecs:AttachInstanceRamRole | Attaches an instance RAM role to one or more ECS instances. |
| ecs:DescribeLocalDiskRepairActivities | Queries the repair activities of a local disk. |
| ecs:CreateAutoProvisioningGroup | Creates an auto provisioning group. |
| ecs:DescribeDeploymentSets | Queries the attributes of one or more deployment sets. |
| oss:PutObject | Uploads a file or folder. |
| oss:GetObject | Queries a file or folder. |
| oss:ListObjects | Queries the information about all objects in a bucket. |
| vpc:DescribeVSwitches | Queries vSwitches in a VPC. |
| vpc:DescribeVpcs | Queries a specified VPC. |
| vpc:AllocateEipAddress | Applies for an elastic IP address (EIP). |
| vpc:AssociateEipAddress | Associates an EIP with a cloud resource that is deployed in the same region as the EIP. |
| vpc:UnassociateEipAddress | Disassociates an EIP from a cloud resource. |
| vpc:ReleaseEipAddress | Releases an EIP. |
| vpc:DescribeEipAddresses | Queries EIPs in a region. |
| cms:CreateAlarm | Creates an event-triggered task. |
| cms:DeleteAlarm | Deletes an event-triggered task. |
| cms:QueryAlarm | Queries an alert. |
| cms:QueryAlarmHistory | Queries historical alerts. |
| cms:QueryMetricList | Queries the monitoring data of an instance over a specific period of time. |
| cms:CreateAlert | Creates an alert. |
| cms:CreateDimensions | Creates monitoring metric configurations. |
| cms:DeleteAlert | Deletes an alert. |
| cms:QueryAlert | Queries an alert. |
| cms:QueryNotifyHistory | Queries notification records. |
| cms:DisableAlarm | Disables an event-triggered task. |
| cms:UpdateAlarm | Updates an alert. |
| cms:DeleteAlarm | Deletes an alert. |
| cms:EnableAlarm | Enables an event-triggered task. |
| cms:ListAlarmHistory | Queries the historical settings of a specified alert rule or all alert rules. |
| cms:DescribeMonitorGroups | Queries application groups. |
| cms:CreateMonitorGroup | Creates an application group. |
| cms:DeleteMonitorGroup | Deletes an application group. |
| cms:ApplyMetricRuleTemplate | Applies an alert template to an application group to generate an alert rule. |
| cms:ModifyMonitorGroupInstances | Changes the resources that are added to an application group. |
| cms:DescribeMetricRuleTemplateList | Queries alert templates. |
| cms:CreateMonitoringTemplate | Creates a monitoring template. |
| cms:DescribeEventRuleList | Queries event-triggered alert rules. |
| cms:DescribeMetricRuleList | Queries alert rules. |
| ess:CreateScalingGroup | Creates a scaling group. |
| ess:ModifyScalingGroup | Modifies a scaling group. |
| ess:EnableScalingGroup | Enables a scaling group. |
| ess:DisableScalingGroup | Disables a scaling group. |
| ess:DeleteScalingGroup | Deletes a scaling group. |
| ess:DescribeScalingGroups | Queries scaling groups. |
| ess:DescribeScalingInstances | Queries information about the ECS instances in a scaling group. |
| ess:DescribeScalingActivities | Queries scaling activities. |
| ess:CreateScalingConfiguration | Creates a scaling configuration. |
| ess:DescribeScalingConfigurations | Queries scaling configurations. |
| ess:DeleteScalingConfiguration | Deletes a scaling configuration. |
| ess:CreateScalingRule | Creates a scaling rule. |
| ess:ModifyScalingRule | Modifies a scaling rule. |
| ess:DescribeScalingRules | Queries information about the scaling rules in a scaling group. |
| ess:DeleteScalingRule | Deletes a scaling rule. |
| ess:CreateScheduledTask | Creates a scheduled task. |
| ess:ModifyScheduledTask | Modifies a scheduled task. |
| ess:DescribeScheduledTasks | Queries scheduled tasks. |
| ess:DeleteScheduledTask | Deletes a scheduled task. |
| ess:EnableScheduledTask | Enables a scheduled task. |
| ess:DisableScheduledTask | Disables a scheduled task. |
| ess:RemoveInstances | Removes one or more ECS instances from a scaling group. |
| ess:CreateLifecycleHook | Creates one or more lifecycle hooks for a scaling group. |
| ess:DescribeLifecycleHooks | Queries lifecycle hooks. |
| ess:ModifyLifecycleHook | Modifies a lifecycle hook. |
| ess:DeleteLifecycleHook | Deletes a lifecycle hook. |
| ess:CompleteLifecycleAction | Takes a scaling activity out of the wait state in advance. |
| ess:RecordLifecycleActionHeartbeat | Extends the timeout period of the lifecycle hook that is triggered for an ECS instance. |
| ess:CreateNotificationConfiguration | Creates a notification for scaling activities and resource changes. |
| ess:DescribeNotificationConfigurations | Queries notifications that you create for scaling activities and resource changes. |
| ess:VerifyAuthentication | Checks whether Auto Scaling is authorized to manage ECS resources. |
| ess:DescribeRegions | Queries the regions in which Auto Scaling is available. |
| ess:SetInstancesProtection | Enables or disables protection for one or more ECS instances in a scaling group. |
| ecs:ResizeDisk | Resizes a disk. |
| ess:ExecuteScalingRule | Executes a scaling rule. |
| ess:DetachInstances | Disassociates one or more ECS instances from a scaling group. |
| ess:ModifyScalingConfiguration | Modifies a scaling configuration. |
| ess:DescribeScalingActivityDetail | Queries the details about a scaling activity. |
| ess:ScaleWithAdjustment | Scales instances in a scaling group based on the specified scaling policy. |
| ram:GetUser | Queries the information about a RAM user. |
| ram:GetRole | Queries the information about a RAM role. |
| ram:CreateServiceLinkedRole | Creates a service-linked role. |
| ram:ListRoles | Queries RAM roles. |
| ram:ListPoliciesForRole | Queries the policies that are attached to a RAM role. |
| ram:AttachPolicyToRole | Attaches a policy to a RAM role. |
| ram:DetachPolicyFromRole | Detaches a policy from a RAM role. |
| log:ListProject | Queries the projects that meet specified conditions. |
| log:GetProject | Queries the details about a project. |
| log:CreateProject | Creates a project. |
| log:GetLogStore | Queries the details about a Logstore. |
| log:CreateLogStore | Creates a Logstore. |
| log:GetConfig | Retrieves the details about a Logtail configuration file. |
| log:CreateConfig | Creates a Logtail configuration file. |
| log:GetIndex | Queries the indexes of a specified Logstore. |
| log:CreateIndex | Creates indexes for a specified Logstore. |
| log:GetAppliedMachineGroups | Retrieves the list of the machine groups to which a Logtail configuration file is applied. |
| log:ApplyConfigToMachineGroup | Applies a Logtail configuration file to a machine group. |
| log:ApplyConfigToGroup | Applies a Logtail configuration file to a machine group. |
| cs:CreateCluster | Creates a Container Service for Kubernetes (ACK) cluster. |
| cs:GetClusterById | Queries the details about an ACK cluster. |
| cs:GetClusters | Queries the details about all ACK clusters. |
| cs:DeleteCluster | Deletes an ACK cluster. |
| cs:AttachInstances | Adds existing ECS instances to an ACK cluster. |
| cs:GetClusterLogs | Queries the logs of an ACK cluster. |
| arms:AddIntegration | Integrates the dashboard and collection rules of Prometheus Service. |
| arms:AddGrafana | Integrates the dashboard of Prometheus Service. |
| arms:ListDashboards | Queries the Grafana dashboards of an ACK cluster. |
| arms:GetPrometheusApiToken | Queries the token required for integrating Prometheus Service. |
| rds:DescribeDBInstances | Queries the ApsaraDB RDS instances that meet specified conditions or the ApsaraDB RDS instances on which a specified RAM user has permissions. |
| rds:DescribeDBInstanceAttribute | Queries the details about one or more ApsaraDB RDS instances. |
| rds:DescribeDatabase | Queries the details about the databases that are created on an ApsaraDB RDS instance. |
| quotas:ListProductQuotas | Queries the quotas of ECS. |
| kms:ListKeys | Queries all customer master keys (CMKs) of the current Alibaba Cloud account. |