Before you use E-MapReduce (EMR) on ACK, your Alibaba Cloud account must be granted the AliyunEMROnACKDefaultRole default role. This topic describes two ways to grant the role.
Automated authorization
In most cases, you are prompted to perform automated authorization the first time you use EMR on ACK.
Log on to the E-MapReduce console.
In the navigation pane on the left, click EMR on ACK.
On the EMR on ACK page, click Authorize Now.
On the RAM Quick Authorization page, click Authorize at the bottom of the page.
The AliyunEMROnACKDefaultRole role is selected by default.
Manual authorization
If you accidentally delete the AliyunEMROnACKDefaultRole role or a change to an authorization policy makes EMR on ACK unavailable, follow these steps to re-create the role and grant the required permissions.
Create a RAM role.
Log on to the Resource Access Management (RAM) console.
In the navigation pane on the left, choose .
On the Roles page, click Create Role.
In the Create Role panel, set Principal Type to Cloud Service and Principal Name to Elastic Compute Service / ECS. Then, click OK.
For more information about trusted entities, see Create a RAM role and attach the required policies to the role.
Enter the role information and click OK.
Set Role Name to AliyunEMROnACKDefaultRole. If the AliyunEMROnACKDefaultRole role already exists, you do not need to create it again.
Add authorization policies.
On the Permissions tab, click Precise Permission.
In the Precise Permission panel, select a permission type, enter a policy name, and click OK.
Attach the following three authorization policies to the AliyunEMROnACKDefaultRole role:
Policy 1: System policy (AliyunEMROnACKDefaultRolePolicy)
{ "Version": "1", "Statement": [ { "Action": [ "cs:CreateCluster", "cs:GetClusterById", "cs:GetClusters", "cs:GetUserConfig", "cs:DeleteCluster", "cs:AttachInstances", "cs:DescribeClusterLogsRequest", "cs:GetClusterLogs", "cs:GetUserQuota", "cs:DescribeClusterNodes", "cs:GetNodepoolDetail", "cs:GetNodepools", "cs:UpdateNodepool", "cs:ScaleNodepools", "cs:DescribeClusterInnerServiceKubeconfig", "cs:RevokeClusterInnerServiceKubeconfig", "ecs:DescribeInstances" ], "Resource": "*", "Effect": "Allow" } ] }
Policy 2: System policy (AliyunEMRFullAccess)
{ "Version": "1", "Statement": [ { "Action": "emr:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "cms:QueryMetricList", "ram:GetRole", "ram:ListRoles", "ram:ListUserBasicInfos", "ecs:DescribeZones", "ecs:DescribeInstanceTypes", "ecs:DescribeKeyPairs", "ecs:DescribeAvailableResource", "ecs:DescribeInstances", "ecs:DescribeSpotPriceHistory", "ecs:DescribeSpotAdvice", "ecs:DescribeInstanceStatus", "ecs:DescribeDeploymentSets", "vpc:DescribeVpcs", "vpc:DescribeVSwitches", "oss:ListBuckets", "dlf:DescribeRegions", "dlf:GetRegionStatus", "dlf:ListCatalogs" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:PassRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "acs:Service": "emr.aliyuncs.com" } } }, { "Action": "quotas:ListProductQuotas", "Resource": "acs:quotas:*:*:quota/ecs/*", "Effect": "Allow" }, { "Action": "kms:DescribeAccountKmsStatus", "Resource": "*", "Effect": "Allow" } ] }Policy 3: Custom policy (EmrOnAckPolicyV2)
{ "Version": "1", "Statement": [ { "Action": [ "ram:*" ], "Resource": [ "acs:ram:*:*:domain/*", "acs:ram:*:*:application/*" ], "Effect": "Allow" } ] }
NoteAfter you create the RAM role and attach the preceding policies, you can use EMR on ACK.