How to assign the system default role AliyunEMROnACKDefaultRole - E-MapReduce

Before you use Alibaba Cloud E-MapReduce (EMR) on ACK, your Alibaba Cloud account must be assigned the system default role AliyunEMROnACKDefaultRole. This topic describes the methods that can be used to assign the system default role AliyunEMROnACKDefaultRole to an Alibaba Cloud account.

Automated authorization

In most cases, you are required to perform automated authorization when you use EMR on ACK for the first time.

Log on to the EMR console.
In the left-side navigation pane, click EMR on ACK.
On the EMR on ACK page, click Authorize Now.
On the Cloud Resource Access Authorization page, click Agree to Authorization in the lower part of the page.
The AliyunEMROnACKDefaultRole role is selected by default.

Manual authorization

If EMR on ACK is unavailable after you delete the AliyunEMROnACKDefaultRole role by mistake or change the authorization policy, perform the following steps to create and grant permissions to the role:

Create a RAM role.
1. Log on to the Resource Access Management (RAM) console.
2. In the left-side navigation pane, choose Identities > Roles.
3. On the Roles page, click Create Role.
4. In the Create Role panel, select a trusted entity and click Next.
  The following trusted entities are supported:
  - Alibaba Cloud Account: A RAM user of a trusted Alibaba Cloud account can assume a RAM role to access your cloud resources. You can select your current Alibaba Cloud account or another account as a trusted entity.
  - Alibaba Cloud Service: A trusted Alibaba Cloud service can assume a RAM role to access your cloud resources.
  - IdP: The identity provider (IdP) allows you to log on to the Alibaba Cloud Management Console from your user account system by configuring single sign-on (SSO). This feature meets the requirements for unified authentication.
  For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted Alibaba Cloud service, or Create a RAM role for a trusted IdP.
5. Enter the information about the role that you want to create and click OK.
  Enter AliyunEMROnACKDefaultRole in the RAM Role Name field. If the AliyunEMROnACKDefaultRole role exists, you do not need to create again.

Attach policies to the RAM role.

On the Roles page, find the AliyunEMROnACKDefaultRole role and click Input and Attach in the Actions column.

In the Add Permissions panel, configure the Type and Policy Name parameters, and then click OK.

You need to attach the following policies to the AliyunEMROnACKDefaultRole role.

Policy 1: System policy AliyunEMROnACKDefaultRolePolicy

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cs:CreateCluster",
                "cs:GetClusterById",
                "cs:GetClusters",
                "cs:GetUserConfig",
                "cs:DeleteCluster",
                "cs:AttachInstances",
                "cs:DescribeClusterLogsRequest",
                "cs:GetClusterLogs",
                "cs:GetUserQuota",
                "cs:DescribeClusterNodes",
                "cs:GetNodepoolDetail",
                "cs:GetNodepools",
                "cs:UpdateNodepool",
                "cs:ScaleNodepools",
                "cs:DescribeClusterInnerServiceKubeconfig",
                "cs:RevokeClusterInnerServiceKubeconfig",
                "ecs:DescribeInstances"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Policy 2: System policy AliyunEMRFullAccess

{
    "Version": "1",
    "Statement": [
        {
            "Action": "emr:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cms:QueryMetricList",
                "ram:GetRole",
                "ram:ListRoles",
                "ram:ListUserBasicInfos",
                "ecs:DescribeZones",
                "ecs:DescribeInstanceTypes",
                "ecs:DescribeKeyPairs",
                "ecs:DescribeAvailableResource",
                "ecs:DescribeInstances",
                "ecs:DescribeSpotPriceHistory",
                "ecs:DescribeSpotAdvice",
                "ecs:DescribeInstanceStatus",
                "ecs:DescribeDeploymentSets",
                "vpc:DescribeVpcs",
                "vpc:DescribeVSwitches",
                "oss:ListBuckets",
                "dlf:DescribeRegions",
                "dlf:GetRegionStatus",
                "dlf:ListCatalogs"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "emr.aliyuncs.com"
                }
            }
        },
        {
            "Action": "quotas:ListProductQuotas",
            "Resource": "acs:quotas:*:*:quota/ecs/*",
            "Effect": "Allow"
        },
        {
            "Action": "kms:DescribeAccountKmsStatus",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Policy 3: Custom policy EmrOnAckPolicyV2

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "ram:*"
            ],
            "Resource": [
                "acs:ram:*:*:domain/*",
                "acs:ram:*:*:application/*"
            ],
            "Effect": "Allow"
        }
    ]
}

Note

After you create a RAM role and attach the preceding policies, you can use EMR on ACK.