All Products
Search

This Product

    E-MapReduce:EMR service roles

    Document Center

    E-MapReduce:EMR service roles

    Last Updated:Mar 26, 2026

    EMR service roles allow EMR to call other Alibaba Cloud services on your behalf when provisioning cluster resources or performing service-level operations. For example, when you start an EMR cluster, the AliyunEMRDefaultRole service role creates ECS instances automatically. This topic describes the two EMR service roles and their permission policies.

    Service roles at a glance

    Service rolePurpose
    AliyunEMRDefaultRoleManages cluster infrastructure across ECS, VPC, OSS, Auto Scaling, CloudMonitor, Simple Log Service, ACK, and ApsaraDB RDS
    AliyunEMRManagedCostRoleReads billing data to support cost analysis features

    Usage notes

    Warning

    Do not rename, delete, or modify the system policies of EMR service roles in the RAM console.

    Service roles and policies

    AliyunEMRDefaultRole

    ECS permissions

    ActionDescription
    ecs:CreateInstanceCreates an ECS instance
    ecs:RunInstancesCreates and starts multiple ECS instances at the same time
    ecs:RenewInstanceRenews an ECS instance
    ecs:DescribeRegionsQueries region information
    ecs:DescribeZonesQueries zone information
    ecs:DescribeImagesQueries image information
    ecs:CreateSecurityGroupCreates a security group
    ecs:AllocatePublicIpAddressAssigns a public IP address to an ECS instance
    ecs:DeleteInstanceDeletes an ECS instance
    ecs:StartInstanceStarts an ECS instance
    ecs:StopInstanceStops an ECS instance
    ecs:DescribeInstancesQueries ECS instances
    ecs:DescribeDisksQueries disk information
    ecs:AuthorizeSecurityGroupConfigures inbound rules for a security group
    ecs:AuthorizeSecurityGroupEgressConfigures outbound rules for a security group
    ecs:DescribeSecurityGroupAttributeQueries the details of a security group
    ecs:DescribeSecurityGroupsQueries security groups
    ecs:DescribeInstanceHistoryEventsQueries system events of an ECS instance
    ecs:DescribeInstancesFullStatusQueries the full status of one or more ECS instances
    ecs:DescribeDisksFullStatusQueries the full status of one or more Elastic Block Storage (EBS) devices
    ecs:ModifyInstanceChargeTypeChanges the billing method of one or more ECS instances
    ecs:ModifyPrepayInstanceSpecUpgrades the instance type of a subscription ECS instance
    ecs:DescribeResourcesModificationQueries available resources in a zone when upgrading instance types or replacing system disks
    ecs:DescribeAvailableResourceQueries resources available in a zone
    ecs:DescribeBandwidthLimitationQueries the maximum public bandwidth available for different instance types
    ecs:CreateNetworkInterfaceCreates an elastic network interface (ENI)
    ecs:DeleteNetworkInterfaceDeletes an ENI
    ecs:DescribeNetworkInterfacesQueries the details of one or more ENIs
    ecs:CreateNetworkInterfacePermissionGrants permissions to create an ENI
    ecs:DescribeNetworkInterfacePermissionsQueries permissions on an ENI
    ecs:DeleteNetworkInterfacePermissionGrants permissions to delete an ENI
    ecs:DescribeKeyPairsQueries one or more key pairs
    ecs:DescribePriceQueries the most recent prices of ECS resources
    ecs:RebootInstanceRestarts an ECS instance in the Running state
    ecs:AssignIpv6AddressesAssigns one or more IPv6 addresses to an ENI
    ecs:AcceptInquiredSystemEventAccepts the default operation for a system event in the Inquiring state
    ecs:RedeployInstanceRedeploys an ECS instance when it receives a system event notification
    ecs:DescribeTasksQueries the progress of one or more asynchronous requests of an ECS instance
    ecs:TagResourcesCreates and adds tags to an ECS instance
    ecs:UntagResourcesRemoves tags from an ECS instance
    ecs:ListTagResourcesQueries tags added to an ECS instance
    ecs:JoinResourceGroupAdds an ECS instance to a resource group
    ecs:ReportInstancesStatusReports an exception on one or more ECS instances
    ecs:ModifyInstanceAttributeModifies the attributes of an ECS instance
    ecs:DeleteInstancesReleases one or more pay-as-you-go ECS instances
    ecs:RebootInstancesRestarts one or more ECS instances in the Running state
    ecs:StartInstancesStarts one or more ECS instances in the Stopped state
    ecs:StopInstancesStops one or more ECS instances in the Running state
    ecs:AttachInstanceRamRoleAttaches an instance RAM role to one or more ECS instances
    ecs:DescribeLocalDiskRepairActivitiesQueries the repair activities of a local disk
    ecs:CreateAutoProvisioningGroupCreates an auto provisioning group
    ecs:DescribeDeploymentSetsQueries the attributes of one or more deployment sets
    ecs:ResizeDiskResizes a disk

    OSS permissions

    ActionDescription
    oss:PutObjectUploads a file or folder
    oss:GetObjectRetrieves a file or folder
    oss:ListObjectsLists all objects in a bucket

    VPC permissions

    ActionDescription
    vpc:DescribeVSwitchesQueries vSwitches in a VPC
    vpc:DescribeVpcsQueries VPC details
    vpc:AllocateEipAddressApplies for an elastic IP address (EIP)
    vpc:AssociateEipAddressAssociates an EIP with a cloud resource in the same region
    vpc:UnassociateEipAddressDisassociates an EIP from a cloud resource
    vpc:ReleaseEipAddressReleases an EIP
    vpc:DescribeEipAddressesQueries EIPs in a region

    CloudMonitor permissions

    ActionDescription
    cms:CreateAlarmCreates an event-triggered task
    cms:DeleteAlarmDeletes an event-triggered task
    cms:QueryAlarmQueries an alert
    cms:QueryMetricListQueries monitoring data for an instance over a specified period
    cms:CreateAlertCreates an alert
    cms:CreateDimensionsCreates monitoring metric configurations
    cms:DeleteAlertDeletes an alert
    cms:DisableAlarmDisables an event-triggered task
    cms:UpdateAlarmUpdates an alert
    cms:ListAlarmHistoryQueries the history of a specified alert rule or all alert rules
    cms:DescribeMonitorGroupsQueries application groups
    cms:CreateMonitorGroupCreates an application group
    cms:DeleteMonitorGroupDeletes an application group
    cms:ApplyMetricRuleTemplateApplies an alert template to an application group to generate an alert rule
    cms:ModifyMonitorGroupInstancesUpdates the resources in an application group
    cms:DescribeMetricRuleTemplateListQueries alert templates
    cms:CreateMonitoringTemplateCreates a monitoring template
    cms:DescribeEventRuleListQueries event-triggered alert rules
    cms:DescribeMetricRuleListQueries alert rules

    Auto Scaling permissions

    ActionDescription
    ess:CreateScalingGroupCreates a scaling group
    ess:ModifyScalingGroupModifies a scaling group
    ess:EnableScalingGroupEnables a scaling group
    ess:DisableScalingGroupDisables a scaling group
    ess:DeleteScalingGroupDeletes a scaling group
    ess:DescribeScalingGroupsQueries scaling groups
    ess:DescribeScalingInstancesQueries ECS instances in a scaling group
    ess:DescribeScalingActivitiesQueries scaling activities
    ess:CreateScalingConfigurationCreates a scaling configuration
    ess:DescribeScalingConfigurationsQueries scaling configurations
    ess:DeleteScalingConfigurationDeletes a scaling configuration
    ess:CreateScalingRuleCreates a scaling rule
    ess:ModifyScalingRuleModifies a scaling rule
    ess:DescribeScalingRulesQueries scaling rules in a scaling group
    ess:DeleteScalingRuleDeletes a scaling rule
    ess:CreateScheduledTaskCreates a scheduled task
    ess:ModifyScheduledTaskModifies a scheduled task
    ess:DescribeScheduledTasksQueries scheduled tasks
    ess:DeleteScheduledTaskDeletes a scheduled task
    ess:RemoveInstancesRemoves one or more ECS instances from a scaling group
    ess:CreateLifecycleHookCreates one or more lifecycle hooks for a scaling group
    ess:DescribeLifecycleHooksQueries lifecycle hooks
    ess:ModifyLifecycleHookModifies a lifecycle hook
    ess:DeleteLifecycleHookDeletes a lifecycle hook
    ess:CompleteLifecycleActionEnds the wait state of a scaling activity early
    ess:RecordLifecycleActionHeartbeatExtends the timeout period of a lifecycle hook for an ECS instance
    ess:CreateNotificationConfigurationCreates a notification for scaling activities and resource changes
    ess:DescribeNotificationConfigurationsQueries notifications for scaling activities and resource changes
    ess:DescribeRegionsQueries the regions where Auto Scaling is available
    ess:SetInstancesProtectionEnables or disables protection for one or more ECS instances in a scaling group
    ess:ExecuteScalingRuleExecutes a scaling rule
    ess:DetachInstancesDetaches one or more ECS instances from a scaling group
    ess:ModifyScalingConfigurationModifies a scaling configuration
    ess:DescribeScalingActivityDetailQueries the details of a scaling activity
    ess:ScaleWithAdjustmentScales instances in a scaling group based on a specified scaling policy

    RAM permissions

    ActionDescription
    ram:GetUserQueries information about a RAM user
    ram:GetRoleQueries information about a RAM role

    Simple Log Service permissions

    ActionDescription
    log:ListProjectQueries projects matching specified conditions
    log:GetProjectQueries the details of a project
    log:CreateProjectCreates a project
    log:GetLogStoreQueries the details of a Logstore
    log:CreateLogStoreCreates a Logstore
    log:GetConfigQueries the details of a Logtail configuration file
    log:CreateConfigCreates a Logtail configuration file
    log:GetIndexQueries the indexes of a Logstore
    log:CreateIndexCreates indexes for a Logstore
    log:GetAppliedMachineGroupsQueries the machine groups that a Logtail configuration file is applied to
    log:ApplyConfigToMachineGroupApplies a Logtail configuration file to a machine group
    log:ApplyConfigToGroupApplies a Logtail configuration file to a machine group

    ACK permissions

    ActionDescription
    cs:CreateClusterCreates a Container Service for Kubernetes (ACK) cluster
    cs:GetClustersQueries the details of all ACK clusters
    cs:AttachInstancesAdds existing ECS instances to an ACK cluster

    Managed Service for Prometheus permissions

    ActionDescription
    arms:AddIntegrationIntegrates the dashboard and collection rules of Managed Service for Prometheus
    arms:AddGrafanaIntegrates the dashboard of Managed Service for Prometheus
    arms:ListDashboardsQueries the Grafana dashboards of an ACK cluster
    arms:GetPrometheusApiTokenRetrieves the token required for integrating Managed Service for Prometheus

    ApsaraDB RDS permissions

    ActionDescription
    rds:DescribeDBInstancesQueries ApsaraDB RDS instances matching specified conditions, or instances a RAM user has permissions to
    rds:DescribeDBInstanceAttributeQueries the details of one or more ApsaraDB RDS instances
    rds:DescribeDatabaseQueries the details of databases on an ApsaraDB RDS instance

    Quota and KMS permissions

    ActionDescription
    quotas:ListProductQuotasQueries ECS quotas
    kms:ListKeysLists all customer master keys (CMKs) in the current Alibaba Cloud account

    AliyunEMRManagedCostRole

    ActionDescription
    bssapi:DescribeInstanceBillQueries bill details from the billing management center