All Products
Search
Document Center

E-MapReduce:Assign roles

Last Updated:Aug 01, 2023

When you run components such as Hadoop and Spark in your E-MapReduce (EMR) cluster, you must grant the components the permissions to access other Alibaba Cloud services and perform related operations. Each EMR cluster must be configured with service roles and ECS application roles. This topic describes how to assign roles to EMR and also describes the roles that are associated with EMR.

Background information

EMR provides default system roles and default system policies. System policies are created and maintained by Alibaba Cloud. If service requirements change, the system policies are accordingly updated.

When you use EMR for the first time, you must use your Alibaba Cloud account to assign the AliyunEMRDefaultRole and AliyunECSInstanceForEMRRole or AliyunEmrEcsDefaultRole roles to EMR. After the roles are assigned, you can view the roles in the RAM console and attach policies to the roles. For more information about the roles, see RAM role overview.
Important
  • Roles that are required for EMR vary based on the EMR version.
    • In EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version: AliyunEmrEcsDefaultRole
    • In a minor version later than EMR V3.32.0 or EMR V4.5.0: AliyunECSInstanceForEMRRole
  • When you use EMR for the first time, you must use your Alibaba Cloud account to assign default system roles to EMR. Otherwise, your Alibaba Cloud account and the RAM users within your Alibaba Cloud account cannot use EMR.
  • If you want to delete a service role, make sure that the resources that use the role are released. Otherwise, the use of the resources is affected.
  • If only some roles are assigned, the EMR console sends you a notification. You can create a cluster only after all roles are assigned.

Procedure

EMR V3.30 is used in this example.

  1. On the EMR on ECS page in the EMR console, click Authorize in RAM.

    Note

    When you use EMR for the first time, you must assign default system roles to EMR. Then, you do not need to repeat the assignment operation when you use EMR again.

    When you create an EMR cluster or create an execution plan as required with a new cluster, if default roles are not assigned to EMR, prompt information appears.

  2. On the page that appears, click Confirm Authorization Policy to assign default roles to EMR.

  3. Refresh the EMR console to use the services.

    To view policy details for the roles, log on to the RAM console.

  4. Refresh the EMR console to use the services.

    To view policy details for the roles, log on to the RAM console.

Service roles

The following table describes the RAM roles that are associated with EMR.

Attribute

Default role

Description

System policy

EMR service role

AliyunEMRDefaultRole

This role allows you to use EMR to access other Alibaba Cloud services when you configure resources and perform service-level operations on your EMR cluster. This role is required for all clusters and cannot be changed.

For more information, see EMR service role.

AliyunEMRRolePolicy

AliyunEMRManagedCostRole

This role is used when you use the auto scaling cost analysis feature for the first time. This role allows you to view bill details on the billing management page.

AliyunEMRManagedCostRolePolicy

ECS application role (used in EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version)

AliyunEmrEcsDefaultRole

This role allows application processes that run on your cluster to access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role.

For more information about this role, see ECS application role (used in EMR V3.32.0 or an earlier minor version, or EMR V4.5.0 or an earlier minor version).

AliyunEMRECSRolePolicy

ECS application role (used in a minor version later than EMR V3.32.0 or EMR V4.5.0)

AliyunECSInstanceForEMRRole

This role allows application processes that run on your cluster to access other Alibaba Cloud services. When you create a cluster, you can use this service role or use a custom role.

For more information about this role, see ECS application role (used in a minor version later than EMR V3.32.0 or EMR V4.5.0).

AliyunECSInstanceForEMRRolePolicy

ECS application role (used in EMR Studio by default)

AliyunECSInstanceForEMRStudioRole

This role allows you to use EMR Studio to access your resources in other Alibaba Cloud services.

If this role is not assigned to your account, a window appears, which prompts you to assign this role when you create an EMR Studio cluster for the first time. To assign this role, use your Alibaba Cloud account.

AliyunECSInstanceForEMRStudioRolePolicy