In E-MapReduce (EMR) minor versions later than V3.32.0 or V4.5.0, and in the EMR 5.X series, the Elastic Compute Service (ECS) application role AliyunECSInstanceForEMRRole replaces MetaService. EMR automatically assigns this role to every ECS instance in the cluster at creation or scale-out time. Applications running on the cluster assume this role at runtime to access other Alibaba Cloud services, so no AccessKey pair is required and none is stored in a configuration file.
Modify or delete AliyunECSInstanceForEMRRole with caution. If the role is missing or has been changed, your cluster cannot be created or jobs cannot run.
Prerequisites
Before you begin, ensure that you have:
- Authorized the role. For details, see Assign roles to an Alibaba Cloud account.
Permissions
AliyunECSInstanceForEMRRole has the policy AliyunECSInstanceForEMRRolePolicy attached. The policy grants permissions across three services: Object Storage Service (OSS), Tablestore, and Data Lake Formation (DLF).
OSS permissions
EMR clusters read and write data to OSS using this role. The following permissions cover standard object operations, multipart uploads, versioning, and OSS-HDFS access.
| Permission (action) | Description |
|---|---|
| oss:PutObject | Uploads a file or folder. |
| oss:GetObject | Queries a file or folder. |
| oss:ListObjects | Lists files. |
| oss:DeleteObject | Deletes a file. |
| oss:ListBuckets | Lists buckets. |
| oss:AbortMultipartUpload | Terminates a multipart upload. |
| oss:ListMultipartUploads | Lists all ongoing multipart uploads. |
| oss:RestoreObject | Restores an Archive or Cold Archive object. |
| oss:GetBucketInfo | Queries bucket information. |
| oss:ListObjectVersions | Lists all object versions in a bucket, including delete markers. |
| oss:DeleteObjectVersion | Deletes a specific version of an object. |
| oss:PostDataLakeStorageFileOperation | Accesses OSS-HDFS. |
Tablestore permissions
EMR uses these permissions to read and write structured data in Tablestore, including row operations, range queries, batch access, and local transactions.
| Permission (action) | Description |
|---|---|
| ots:CreateTable | Creates a table based on the specified table schema. |
| ots:DeleteTable | Deletes a table from the current instance. |
| ots:GetRow | Reads a single row by primary key. |
| ots:PutRow | Inserts data into a specific row. |
| ots:UpdateRow | Updates data in a specific row. |
| ots:DeleteRow | Deletes a row of data. |
| ots:GetRange | Reads data within a primary key value range. |
| ots:BatchWriteRow | Inserts, modifies, or deletes multiple rows across one or more tables at a time. |
| ots:BatchGetRow | Reads multiple rows from one or more tables at a time. |
| ots:ComputeSplitPointsBySize | Splits table data into shards of approximately the specified size, and returns split points and partition host information. |
| ots:StartLocalTransaction | Creates a local transaction based on a partition key value and returns the transaction ID. |
| ots:CommitTransaction | Commits a local transaction. |
| ots:AbortTransaction | Aborts a local transaction. |
DLF permissions
EMR uses these permissions to manage metadata in Data Lake Formation, including databases, tables, partitions, functions, catalogs, locks, statistics, and data permissions.
| Permission (action) | Description |
|---|---|
| dlf:BatchCreatePartitions | Creates multiple partitions at a time. |
| dlf:BatchCreateTables | Creates multiple tables at a time. |
| dlf:BatchDeletePartitions | Deletes multiple partitions at a time. |
| dlf:BatchDeleteTables | Deletes multiple tables at a time. |
| dlf:BatchGetPartitions | Queries information about multiple partitions at a time. |
| dlf:BatchGetTables | Queries information about multiple tables at a time. |
| dlf:BatchUpdatePartitions | Updates multiple partitions at a time. |
| dlf:BatchUpdateTables | Updates multiple tables at a time. |
| dlf:CreateDatabase | Creates a database. |
| dlf:CreateFunction | Creates a function. |
| dlf:CreatePartition | Creates a partition. |
| dlf:CreateTable | Creates a table. |
| dlf:DeleteDatabase | Deletes a database. |
| dlf:DeleteFunction | Deletes a function. |
| dlf:DeletePartition | Deletes a partition. |
| dlf:DeleteTable | Deletes a table. |
| dlf:GetDatabase | Queries database information. |
| dlf:GetFunction | Queries function information. |
| dlf:GetPartition | Queries partition information. |
| dlf:GetTable | Queries table information. |
| dlf:ListCatalogs | Lists catalogs. |
| dlf:ListDatabases | Lists databases. |
| dlf:ListFunctionNames | Lists function names. |
| dlf:ListFunctions | Lists functions. |
| dlf:ListPartitionNames | Lists partition names. |
| dlf:ListPartitions | Lists partitions. |
| dlf:ListPartitionsByExpr | Lists metadata table partitions by expression. |
| dlf:ListPartitionsByFilter | Lists metadata table partitions by filter. |
| dlf:ListTableNames | Lists table names. |
| dlf:ListTables | Lists tables. |
| dlf:RenamePartition | Renames a partition. |
| dlf:RenameTable | Renames a table. |
| dlf:UpdateDatabase | Updates a database. |
| dlf:UpdateFunction | Updates a function. |
| dlf:UpdateTable | Updates a table. |
| dlf:UpdateTableColumnStatistics | Updates statistics for a metadata table. |
| dlf:GetTableColumnStatistics | Queries statistics for a metadata table. |
| dlf:DeleteTableColumnStatistics | Deletes statistics for a metadata table. |
| dlf:UpdatePartitionColumnStatistics | Updates statistics for a partition. |
| dlf:GetPartitionColumnStatistics | Queries statistics for a partition. |
| dlf:DeletePartitionColumnStatistics | Deletes statistics for a partition. |
| dlf:BatchGetPartitionColumnStatistics | Queries statistics for multiple partitions at a time. |
| dlf:CreateLock | Creates a metadata lock. |
| dlf:UnLock | Releases a metadata lock. |
| dlf:AbortLock | Aborts a metadata lock. |
| dlf:RefreshLock | Refreshes a metadata lock. |
| dlf:GetLock | Queries metadata lock information. |
| dlf:GetAsyncTaskStatus | Queries the status of an asynchronous task. |
| dlf:DeltaGetPermissions | Queries permissions. |
| dlf:GetPermissions | Queries data permission information. |
| dlf:GetServiceInfo | Queries service information. |
| dlf:GetRoles | Queries role information in data permissions. |
| dlf:CheckPermissions | Verifies data permissions. |
Get an STS temporary credential
You can use a Security Token Service (STS) temporary credential obtained through this role to access other Alibaba Cloud services within your account. For details, see Instance RAM roles.
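The following is an added example, not code from this page or from the EMR product, showing how an application on a cluster node obtains the role's STS temporary credential described above and keeps it in memory only, never in a configuration file. It calls the ECS instance metadata service in its hardened (token-based) access mode, validates the response, and decides when the credential must be refreshed before it expires. The role name AliyunECSInstanceForEMRRole comes from this page; the metadata endpoint and header names are the ones documented by Alibaba Cloud for ECS; the sample JSON response and its placeholder key values are constructed for the example.

```python
import json
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone

# Link-local ECS instance metadata endpoint (documented by Alibaba Cloud).
METADATA_BASE = "http://100.100.100.200/latest"
# Role name from this page; EMR attaches it to every node of the cluster.
ROLE_NAME = "AliyunECSInstanceForEMRRole"

# Constructed sample in the shape the metadata service returns for a role.
# The key and token values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "STS.PLACEHOLDER_KEY_ID",
    "AccessKeySecret": "PLACEHOLDER_SECRET",
    "Expiration": "2024-05-01T06:00:00Z",
    "SecurityToken": "PLACEHOLDER_TOKEN",
    "LastUpdated": "2024-05-01T00:00:00Z",
    "Code": "Success",
})


@dataclass(frozen=True)
class StsCredential:
    access_key_id: str
    access_key_secret: str
    security_token: str
    expiration: datetime  # timezone-aware UTC


def parse_utc(timestamp: str) -> datetime:
    """Parse the metadata service's 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_security_credential(body: str) -> StsCredential:
    """Validate and parse the credential JSON returned for a role.

    Raises ValueError if the service reports a non-success Code or a field is
    missing, so callers never continue with a half-populated credential.
    """
    data = json.loads(body)
    if data.get("Code") != "Success":
        raise ValueError(f"metadata service returned Code={data.get('Code')!r}")
    try:
        return StsCredential(
            access_key_id=data["AccessKeyId"],
            access_key_secret=data["AccessKeySecret"],
            security_token=data["SecurityToken"],
            expiration=parse_utc(data["Expiration"]),
        )
    except KeyError as exc:
        raise ValueError(f"credential response lacks {exc.args[0]}") from exc


def needs_refresh(cred: StsCredential, now: datetime, margin_seconds: int = 300) -> bool:
    """True when the credential expires within margin_seconds of `now`.

    Refreshing ahead of expiry avoids a burst of failed OSS, Tablestore and
    DLF calls at the instant the token lapses.
    """
    remaining = (cred.expiration - now).total_seconds()
    return remaining <= margin_seconds


def fetch_security_credential(role_name: str = ROLE_NAME, timeout: float = 2.0) -> StsCredential:
    """Fetch the role's STS credential from the instance metadata service.

    Hardened access mode: obtain a short-lived metadata token with a PUT,
    then present it on the GET. This only works on an ECS instance that has
    the role attached; the offline test below does not exercise it. The
    returned credential is held in memory by the caller, never written out.
    """
    token_req = urllib.request.Request(
        f"{METADATA_BASE}/api/token",
        method="PUT",
        headers={"X-aliyun-ecs-metadata-token-ttl-seconds": "300"},
    )
    with urllib.request.urlopen(token_req, timeout=timeout) as resp:
        token = resp.read().decode()
    cred_req = urllib.request.Request(
        f"{METADATA_BASE}/meta-data/ram/security-credentials/{role_name}",
        headers={"X-aliyun-ecs-metadata-token": token},
    )
    with urllib.request.urlopen(cred_req, timeout=timeout) as resp:
        return parse_security_credential(resp.read().decode())


if __name__ == "__main__":
    # Offline walkthrough on the constructed sample.
    cred = parse_security_credential(SAMPLE_RESPONSE)
    print("expires at", cred.expiration.isoformat())
    print("refresh now?", needs_refresh(cred, parse_utc("2024-05-01T05:56:00Z")))
```

The credential is scoped by AliyunECSInstanceForEMRRolePolicy and expires on its own, so an application that reads it this way carries no long-lived AccessKey pair; the refresh margin keeps that property without service interruption.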