Before you use E-MapReduce (EMR) Workbench Workflow for the first time, your Alibaba Cloud account must be assigned the required default RAM roles. Without this one-time authorization, neither your Alibaba Cloud account nor any RAM users under it can use EMR Workbench Workflow.
Default roles
Two RAM roles are assigned during authorization. The table below summarizes their names, the service they support, and the attached policies.
| Role | Used by | Attached policy |
|---|---|---|
| AliyunEMRWorkflowDefaultRole | EMR Workbench Workflow | AliyunEMRWorkflowDefaultRolePolicy |
| AliyunStreamAsiDefaultRole | Fully managed Flink service | AliyunStreamAsiDefaultRolePolicy |
Prerequisites
Before you begin, make sure that:
- You are logged on as the Alibaba Cloud account (root account). RAM users cannot complete role assignment.
- If you plan to delete a default role later, release all resources that depend on that role first. Deleting the role while resources still use it will disrupt EMR Workbench Workflow.
Assign the default roles
Role assignment is required only once. After completing these steps, you do not need to repeat them when you use EMR Workbench Workflow again.
- Log on to the EMR console using your Alibaba Cloud account.
- In the left-side navigation pane, choose EMR Workbench > Workflow.
- On the Dependency Check page, find the authorization check item, and click Authorize Now in the Actions column.
- On the page that appears, click Agree to Authorization.
After authorization is complete, EMR Workbench Workflow can access your cloud resources.
Policies
AliyunEMRWorkflowDefaultRolePolicy
This policy is attached to the AliyunEMRWorkflowDefaultRole role. It grants EMR Workbench Workflow permissions across four service areas:
| Service area | Permissions granted |
|---|---|
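| ECS | Create, delete, and describe network interfaces and their permissions; describe security groups |
| VPC | Describe vSwitches; create, delete, associate, and unassociate route tables; create, delete, and describe route entries |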
| EMR | Read cluster metadata, flow projects, and application configurations |
| Data Lake Formation (DLF) | Full catalog operations: databases, tables, partitions, functions, locks, and statistics |
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:DescribeNetworkInterfaces",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroups",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches",
        "vpc:CreateRouteTable",
        "vpc:DeleteRouteTable",
        "vpc:UnassociateRouteTable",
        "vpc:AssociateRouteTable",
        "vpc:DescribeRouteTableList",
        "vpc:CreateRouteEntry",
        "vpc:DeleteRouteEntry",
        "vpc:DescribeRouteEntryList",
        "emr:ListClusterHost",
        "emr:DescribeCluster",
        "emr:DescribeClusterV2",
        "emr:ListClusters",
        "emr:DescribeFlowAgentToken",
        "emr:ListClusterServiceQuickLink",
        "emr:DescribeClusterServiceConfig",
        "emr:ListClusterHostComponent",
        "emr:DescribeClusterServiceConfig",
        "emr:GetClusterClientMeta",
        "emr:ListApplicationConfigFiles",
        "emr:GetApplicationConfigFile",
        "emr:ListNodeGroups",
        "emr:ListNodes",
        "emr:ListClusterTemplates",
        "emr:DescribeClusterTemplate",
        "emr:DescribeFlowProject",
        "emr:ListFlow",
        "emr:DescribeFlow",
        "emr:DescribeFlowJob",
        "emr:ListFlowJob",
        "emr:ListFlowProject",
        "emr:ListFlowCategory",
        "emr:DescribeFlowVariableCollection",
        "dlf:BatchCreatePartitions",
        "dlf:BatchCreateTables",
        "dlf:BatchDeletePartitions",
        "dlf:BatchDeleteTables",
        "dlf:BatchGetPartitions",
        "dlf:BatchGetTables",
        "dlf:BatchUpdatePartitions",
        "dlf:BatchUpdateTables",
        "dlf:CreateDatabase",
        "dlf:CreateFunction",
        "dlf:CreatePartition",
        "dlf:CreateTable",
        "dlf:DeleteDatabase",
        "dlf:DeleteFunction",
        "dlf:DeletePartition",
        "dlf:DeleteTable",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:GetPartition",
        "dlf:GetTable",
        "dlf:ListCatalogs",
        "dlf:ListDatabases",
        "dlf:ListFunctionNames",
        "dlf:ListFunctions",
        "dlf:ListPartitionNames",
        "dlf:ListPartitions",
        "dlf:ListPartitionsByExpr",
        "dlf:ListPartitionsByFilter",
        "dlf:ListTableNames",
        "dlf:ListTables",
        "dlf:RenamePartition",
        "dlf:RenameTable",
        "dlf:UpdateDatabase",
        "dlf:UpdateFunction",
        "dlf:UpdateTable",
        "dlf:UpdateTableColumnStatistics",
        "dlf:GetTableColumnStatistics",
        "dlf:DeleteTableColumnStatistics",
        "dlf:UpdatePartitionColumnStatistics",
        "dlf:GetPartitionColumnStatistics",
        "dlf:DeletePartitionColumnStatistics",
        "dlf:BatchGetPartitionColumnStatistics",
        "dlf:CreateLock",
        "dlf:UnLock",
        "dlf:AbortLock",
        "dlf:RefreshLock",
        "dlf:GetLock",
        "dlf:GetAsyncTaskStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
AliyunStreamAsiDefaultRolePolicy
This policy is attached to the AliyunStreamAsiDefaultRole role and is required by the fully managed Flink service. It grants permissions across seven service areas to support Flink job execution and monitoring:
| Service area | Permissions granted |
|---|---|
| OSS | List buckets; read, write, copy, and delete objects; manage multipart uploads; read and set bucket CORS |
| ECS | Manage network interfaces, security groups, and EIP associations |
| SLB | Create and manage load balancers, listeners, and server groups |
| ARMS | Manage contacts, alert rules, webhooks, and dispatch rules |
| VPC | Read VPC, vSwitch, route table, and router interface attributes; modify the bypass TOA attribute |
| IMS | List user basic information |
| TAG | List tag resources, keys, and values |
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketInfo",
        "oss:GetObjectMetadata",
        "oss:GetObject",
        "oss:ListObjects",
        "oss:PutObject",
        "oss:CopyObject",
        "oss:CompleteMultipartUpload",
        "oss:AbortMultipartUpload",
        "oss:InitiateMultipartUpload",
        "oss:UploadPartCopy",
        "oss:UploadPart",
        "oss:DeleteObject",
        "oss:PutBucketcors",
        "oss:GetBucketCors"
      ],
      "Resource": "acs:oss:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecs:AssociateEipAddress",
        "ecs:AttachNetworkInterface",
        "ecs:AuthorizeSecurityGroup",
        "ecs:AuthorizeSecurityGroupEgress",
        "ecs:CreateNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:CreateSecurityGroup",
        "ecs:DeleteNetworkInterface",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:DeleteSecurityGroup",
        "ecs:DescribeNetworkInterfacePermissions",
        "ecs:DescribeNetworkInterfaces",
        "ecs:DescribeSecurityGroupAttribute",
        "ecs:DescribeSecurityGroupReferences",
        "ecs:DescribeSecurityGroups",
        "ecs:DetachNetworkInterface",
        "ecs:JoinSecurityGroup",
        "ecs:LeaveSecurityGroup",
        "ecs:ModifyNetworkInterfaceAttribute",
        "ecs:ModifySecurityGroupAttribute",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupPolicy",
        "ecs:ModifySecurityGroupRule",
        "ecs:RevokeSecurityGroup",
        "ecs:RevokeSecurityGroupEgress",
        "ecs:UnassociateEipAddress"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:AddBackendServers",
        "slb:AddListenerWhiteListItem",
        "slb:AddTags",
        "slb:AddVServerGroupBackendServers",
        "slb:CreateLoadBalancer",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:CreateRules",
        "slb:CreateVServerGroup",
        "slb:DeleteLoadBalancer",
        "slb:DeleteLoadBalancerListener",
        "slb:DeleteRules",
        "slb:DeleteVServerGroup",
        "slb:DescribeHealthStatus",
        "slb:DescribeListenerAccessControlAttribute",
        "slb:DescribeLoadBalancerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttribute",
        "slb:DescribeLoadBalancerHTTPListenerAttributes",
        "slb:DescribeLoadBalancerHTTPSListenerAttribute",
        "slb:DescribeLoadBalancerTCPListenerAttribute",
        "slb:DescribeLoadBalancerUDPListenerAttribute",
        "slb:DescribeLoadBalancers",
        "slb:DescribeRegions",
        "slb:DescribeRules",
        "slb:DescribeTags",
        "slb:DescribeVServerGroupAttribute",
        "slb:DescribeVServerGroups",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:ModifyLoadBalancerInstanceChargeType",
        "slb:ModifyLoadBalancerPayType",
        "slb:RemoveBackendServers",
        "slb:RemoveListenerWhiteListItem",
        "slb:RemoveVServerGroupBackendServers",
        "slb:SetBackendServers",
        "slb:SetListenerAccessControlStatus",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerName",
        "slb:SetLoadBalancerStatus",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:SetRule",
        "slb:SetServerCertificateName",
        "slb:SetVServerGroupAttribute",
        "slb:StartLoadBalancerListener",
        "slb:StopLoadBalancerListener",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:RemoveTags",
        "slb:DescribeLoadBalancerListeners",
        "slb:ModifyVServerGroupBackendServers",
        "slb:SetLoadBalancerModificationProtection",
        "slb:CreateLoadBalancerForCloudService"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "arms:ListDashboards",
        "arms:CreateContact",
        "arms:DeleteContact",
        "arms:SearchContact",
        "arms:UpdateContact",
        "arms:CreateContactGroup",
        "arms:DeleteContactGroup",
        "arms:SearchContactGroup",
        "arms:UpdateContactGroup",
        "arms:SearchAlertRules",
        "arms:CreateAlertRules",
        "arms:UpdateAlertRules",
        "arms:DeleteAlertRules",
        "arms:StartAlertRule",
        "arms:StopAlertRule",
        "arms:SearchAlarmHistories",
        "arms:OpenArmsService",
        "arms:CreateWehook",
        "arms:UpdateWebhook",
        "arms:CreateDispatchRule",
        "arms:ListDispatchRule",
        "arms:DeleteDispatchRule",
        "arms:UpdateDispatchRule",
        "arms:DescribeDispatchRule",
        "arms:GetAlarmHistories",
        "arms:SendCustomIncidents",
        "arms:SaveAlert",
        "arms:DeleteAlert",
        "arms:GetAlert"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:DescribeVpcAttribute",
        "vpc:DescribeVpcs",
        "vpc:DescribeVSwitchAttributes",
        "vpc:DescribeVSwitches",
        "vpc:DescribeRouteTableList",
        "vpc:DescribeRouteTables",
        "vpc:DescribeRouteEntryList",
        "vpc:DescribeRouterInterfaceAttribute",
        "vpc:DescribeRouterInterfaces",
        "vpc:DescribeVRouters",
        "vpc:ModifyBypassToaAttribute"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ims:ListUserBasicInfos"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "tag:ListTagResources",
        "tag:ListTagKeys",
        "tag:ListTagValues"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
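For a least-privilege review of the two policies above, the following added example (not Alibaba Cloud's code) splits a RAM policy document's allowed actions into read-only and mutating per service, and reports mutating actions granted on an all-wildcard resource as well as actions listed twice in one statement. The read-only prefix list and the helper names are assumptions of this example, and `SAMPLE_POLICY` is a constructed excerpt of actions taken from the policies on this page.

```python
import json
from collections import defaultdict

# Read-only verb prefixes: an assumption of this example, not a RAM concept.
READ_PREFIXES = ("Describe", "List", "Get", "Search", "BatchGet")

# Constructed excerpt: a few actions copied from the two policies on this page.
SAMPLE_POLICY = json.loads("""
{"Version": "1", "Statement": [
  {"Action": ["oss:GetObject", "oss:PutObject", "oss:DeleteObject"],
   "Resource": "acs:oss:*:*:*", "Effect": "Allow"},
  {"Action": ["ecs:DescribeSecurityGroups", "ecs:AuthorizeSecurityGroup",
              "ecs:ModifySecurityGroupPolicy", "ecs:ModifySecurityGroupPolicy"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": ["vpc:DescribeVpcs", "vpc:ModifyBypassToaAttribute"],
   "Resource": "*", "Effect": "Allow"}
]}
""")

def as_list(value):  # Action and Resource may be a single string or a list
    return [value] if isinstance(value, str) else list(value)

def is_unscoped(resource):
    """True for "*" and for ARNs like acs:oss:*:*:* (every field after the service is *)."""
    return resource == "*" or set(resource.split(":")[2:]) == {"*"}

def audit_policy(policy):
    """Split allowed actions into read/write per service; flag unscoped writes and duplicates."""
    services = defaultdict(lambda: {"read": set(), "write": set()})
    unscoped_writes, duplicates = set(), set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = any(is_unscoped(r) for r in as_list(stmt["Resource"]))
        seen = set()
        for action in as_list(stmt["Action"]):
            if action in seen:
                duplicates.add(action)
            seen.add(action)
            service, _, name = action.partition(":")
            kind = "read" if name.startswith(READ_PREFIXES) else "write"
            services[service][kind].add(action)
            if kind == "write" and unscoped:
                unscoped_writes.add(action)
    return {"services": dict(services), "unscoped_writes": unscoped_writes,
            "duplicates": duplicates}

if __name__ == "__main__":
    for key, value in audit_policy(SAMPLE_POLICY).items():
        print(key, value)
```

To audit the full policies, save either JSON document from this page to a file and pass the result of `json.load` to `audit_policy` in place of `SAMPLE_POLICY`.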