Before using EMR on ACK, your Alibaba Cloud account must be granted the AliyunEMROnACKDefaultRole default role. This role lets EMR on ACK provision ACK clusters and call ECS, OSS, and DLF APIs on your behalf.
Two authorization methods are available:
- Automated authorization: Use this on first-time setup. The console prompts you automatically.
- Manual re-authorization: Use this if the role is accidentally deleted or a policy change makes EMR on ACK unavailable.
Automated authorization
The first time you access EMR on ACK, the console prompts you to authorize automatically.
- Log on to the E-MapReduce console.
- In the navigation pane on the left, click EMR on ACK.
- On the EMR on ACK page, click Authorize Now.
- On the RAM Quick Authorization page, click Authorize at the bottom of the page. The AliyunEMROnACKDefaultRole role is selected by default.
Manual re-authorization (role deleted or policies changed)
If EMR on ACK becomes unavailable because the AliyunEMROnACKDefaultRole role was deleted or its policies were changed, follow these steps to re-create the role and restore access.
Step 1: Create a RAM role
- Log on to the Resource Access Management (RAM) console.
- In the navigation pane on the left, choose Identities > Roles.
- On the Roles page, click Create Role.
- In the Create Role panel, set Principal Type to Cloud Service and Principal Name to Elastic Compute Service / ECS. Click OK. For more information about trusted entities, see Create a RAM role and attach the required policies to the role.
- Set Role Name to AliyunEMROnACKDefaultRole and click OK. If AliyunEMROnACKDefaultRole already exists, skip this step.
Step 2: Attach authorization policies
Attach the following three policies to the AliyunEMROnACKDefaultRole role:
| Policy name | Type | Permissions granted |
|---|---|---|
| AliyunEMROnACKDefaultRolePolicy | System policy | ACK cluster operations: create, query, and delete clusters; manage node pools; retrieve kubeconfig |
| AliyunEMRFullAccess | System policy | Full EMR access plus read permissions for ECS, VPC, OSS, DLF, Cloud Monitor (CMS), RAM, Quota Center, and Key Management Service (KMS) |
| EmrOnAckPolicyV2 | Custom policy | RAM domain and application management |
To attach each policy:
- On the Permissions tab, click Precise Permission.
- In the Precise Permission panel, select a permission type, enter the policy name, and click OK.
Repeat for all three policies.
AliyunEMROnACKDefaultRolePolicy and AliyunEMRFullAccess are system policies maintained by Alibaba Cloud. The JSON shown below is for reference only and may not reflect the latest version.
Policy 1: AliyunEMROnACKDefaultRolePolicy (system policy)
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cs:CreateCluster",
        "cs:GetClusterById",
        "cs:GetClusters",
        "cs:GetUserConfig",
        "cs:DeleteCluster",
        "cs:AttachInstances",
        "cs:DescribeClusterLogsRequest",
        "cs:GetClusterLogs",
        "cs:GetUserQuota",
        "cs:DescribeClusterNodes",
        "cs:GetNodepoolDetail",
        "cs:GetNodepools",
        "cs:UpdateNodepool",
        "cs:ScaleNodepools",
        "cs:DescribeClusterInnerServiceKubeconfig",
        "cs:RevokeClusterInnerServiceKubeconfig",
        "ecs:DescribeInstances"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Policy 2: AliyunEMRFullAccess (system policy)
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "emr:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "cms:QueryMetricList",
        "ram:GetRole",
        "ram:ListRoles",
        "ram:ListUserBasicInfos",
        "ecs:DescribeZones",
        "ecs:DescribeInstanceTypes",
        "ecs:DescribeKeyPairs",
        "ecs:DescribeAvailableResource",
        "ecs:DescribeInstances",
        "ecs:DescribeSpotPriceHistory",
        "ecs:DescribeSpotAdvice",
        "ecs:DescribeInstanceStatus",
        "ecs:DescribeDeploymentSets",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitches",
        "oss:ListBuckets",
        "dlf:DescribeRegions",
        "dlf:GetRegionStatus",
        "dlf:ListCatalogs"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "emr.aliyuncs.com"
        }
      }
    },
    {
      "Action": "quotas:ListProductQuotas",
      "Resource": "acs:quotas:*:*:quota/ecs/*",
      "Effect": "Allow"
    },
    {
      "Action": "kms:DescribeAccountKmsStatus",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Policy 3: EmrOnAckPolicyV2 (custom policy)
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ram:*"
      ],
      "Resource": [
        "acs:ram:*:*:domain/*",
        "acs:ram:*:*:application/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```
After attaching all three policies, EMR on ACK is available.
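Before attaching the three policies to a service role, it is worth reviewing their grant shapes rather than trusting the policy names. The following Python script is an added example written for this page; it is not part of the Alibaba Cloud documentation or tooling. The policy dictionaries are constructed reference snapshots copied from the JSON above (the live system policies may differ), and the function names and the read-only prefix heuristic (`Get`, `Describe`, `List`, `Query`) are this example's own assumptions. It runs offline and reports, per policy, the service-wide wildcard actions, wildcard actions granted on Resource `*` with no Condition, any `ram:PassRole` grant that no Condition pins to a service, and the state-changing ACK actions.

```python
import json
# Reference snapshots copied from the documentation page (constructed for this
# example, not fetched from RAM); the live system policies may differ.
ALIYUN_EMR_ON_ACK_DEFAULT_ROLE_POLICY = {
    "Version": "1",
    "Statement": [{
        "Action": [
            "cs:CreateCluster", "cs:GetClusterById", "cs:GetClusters",
            "cs:GetUserConfig", "cs:DeleteCluster", "cs:AttachInstances",
            "cs:DescribeClusterLogsRequest", "cs:GetClusterLogs", "cs:GetUserQuota",
            "cs:DescribeClusterNodes", "cs:GetNodepoolDetail", "cs:GetNodepools",
            "cs:UpdateNodepool", "cs:ScaleNodepools",
            "cs:DescribeClusterInnerServiceKubeconfig",
            "cs:RevokeClusterInnerServiceKubeconfig", "ecs:DescribeInstances",
        ],
        "Resource": "*",
        "Effect": "Allow",
    }],
}
ALIYUN_EMR_FULL_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Action": "emr:*", "Resource": "*", "Effect": "Allow"},
        {"Action": [
            "cms:QueryMetricList", "ram:GetRole", "ram:ListRoles",
            "ram:ListUserBasicInfos", "ecs:DescribeZones", "ecs:DescribeInstanceTypes",
            "ecs:DescribeKeyPairs", "ecs:DescribeAvailableResource",
            "ecs:DescribeInstances", "ecs:DescribeSpotPriceHistory",
            "ecs:DescribeSpotAdvice", "ecs:DescribeInstanceStatus",
            "ecs:DescribeDeploymentSets", "vpc:DescribeVpcs", "vpc:DescribeVSwitches",
            "oss:ListBuckets", "dlf:DescribeRegions", "dlf:GetRegionStatus",
            "dlf:ListCatalogs",
        ], "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:Service": "emr.aliyuncs.com"}}},
        {"Action": "quotas:ListProductQuotas",
         "Resource": "acs:quotas:*:*:quota/ecs/*", "Effect": "Allow"},
        {"Action": "kms:DescribeAccountKmsStatus", "Resource": "*", "Effect": "Allow"},
    ],
}
EMR_ON_ACK_POLICY_V2 = {
    "Version": "1",
    "Statement": [{
        "Action": ["ram:*"],
        "Resource": ["acs:ram:*:*:domain/*", "acs:ram:*:*:application/*"],
        "Effect": "Allow",
    }],
}
POLICIES = {
    "AliyunEMROnACKDefaultRolePolicy": ALIYUN_EMR_ON_ACK_DEFAULT_ROLE_POLICY,
    "AliyunEMRFullAccess": ALIYUN_EMR_FULL_ACCESS,
    "EmrOnAckPolicyV2": EMR_ON_ACK_POLICY_V2,
}
# Heuristic (this example's assumption): action names with these prefixes are read-only.
READ_PREFIXES = ("Get", "Describe", "List", "Query")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants(policy):
    """Flatten Allow statements into (action, resource, has_condition) triples."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt["Action"]):
            for resource in _as_list(stmt["Resource"]):
                out.append((action, resource, conditioned))
    return out

def wildcard_actions(policy):
    """Service-wide grants such as emr:* or ram:*, whatever the resource scope."""
    return {a for a, _, _ in grants(policy) if a.endswith("*")}

def broad_grants(policy):
    """Wildcard actions on Resource "*" with no Condition: the widest grant shape."""
    return sorted({a for a, r, c in grants(policy) if a.endswith("*") and r == "*" and not c})

def unconditioned_passrole(policy):
    """ram:PassRole grants that no Condition pins to a specific service."""
    return [(a, r) for a, r, c in grants(policy) if a == "ram:PassRole" and not c]

def mutating_actions(policy, service):
    """Actions of one service that change state (anything not Get/Describe/List/Query)."""
    hits = [a for a, _, _ in grants(policy) if a.startswith(service + ":")
            and not a.split(":", 1)[1].startswith(READ_PREFIXES)]
    return list(dict.fromkeys(hits))  # de-duplicate, keep policy order

def audit_report(policies=POLICIES):
    """Per-policy summary of the grant shapes a reviewer checks before attaching it."""
    return {name: {"wildcard_actions": sorted(wildcard_actions(p)),
                   "broad_grants": broad_grants(p),
                   "unconditioned_passrole": unconditioned_passrole(p),
                   "mutating_cs_actions": mutating_actions(p, "cs")}
            for name, p in policies.items()}

if __name__ == "__main__":
    print(json.dumps(audit_report(), indent=2))
```

Run against the snapshots, the report shows that `emr:*` is the only service-wide grant on an unrestricted resource, that `ram:*` in EmrOnAckPolicyV2 is confined to domain and application resources, that the single `ram:PassRole` grant is conditioned on `emr.aliyuncs.com`, and that the ACK policy's state-changing actions are cluster create/delete, instance attach, node pool update/scale, and kubeconfig revocation. The same functions accept any RAM policy document of this shape, so a live policy version retrieved from RAM can be checked the same way when the reference JSON on this page is out of date.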