Amazon Elastic MapReduce
Developer Guide (API Version 2009-11-30)

Configuring User Permissions

You can use AWS Identity and Access Management (IAM) to control the ability of users to perform Amazon Elastic MapReduce (Amazon EMR) API actions. IAM is automatically available with Amazon EMR. You do not need to sign up to use IAM.

When you log on to Amazon EMR using an IAM account, the job flows you see in the CLI and on the Amazon EMR console are limited to only those you have created. This can be useful when several users are sharing an AWS account, yet working on independent projects.

This user-level filtering does not provide any user-level resource isolation of the underlying Amazon EC2 resources. For more information about how Amazon EC2 resources (including instances and security groups) behave under IAM, go to AWS Identity and Access Management in the Amazon Elastic Compute Cloud User Guide.

Using IAM with Amazon EMR is available through the Amazon EMR console, the Amazon EMR Ruby client, and programmatically through the API. The Ruby-based Amazon EMR CLI is available for download at Amazon Elastic MapReduce Ruby Client.

In the IAM console, you can select an Amazon EMR policy template to set IAM account permissions for access to Amazon EMR. Or you can create a custom policy using the following examples as guidelines. Amazon EMR provides the following policy templates:

  • Amazon Elastic MapReduce Full Access—Provides access to all Amazon EMR functionality.

  • Amazon Elastic MapReduce Read Only Access—Provides access to view details and debugging information about job flows.

For more information, go to Creating and Listing Groups in Using AWS Identity and Access Management.

To add a permission to a user or group, write a policy that contains the permission and attach the policy to the user or group. You cannot specify a specific Amazon EMR resource in a policy, such as a specific job flow. You can only specify Allow or Deny access to Amazon EMR API actions.

In an IAM policy, to specify Amazon EMR actions, the action name must be prefixed with the lowercase string elasticmapreduce. You can use wildcards to specify all actions related to Amazon EMR. The wildcard "*" matches zero or more characters.

For a complete list of Amazon EMR actions, refer to the API action names in the Amazon EMR API Reference. For more information about permissions and policies go to Permissions and Policies in the Using AWS Identity and Access Management guide.

Users with permission to use Amazon EMR API actions can create and manage job flows as described elsewhere in this guide. Users must use their own AWS Access ID and secret key to authenticate Amazon EMR commands. For more information on creating job flows, go to Using Amazon EMR.

Example Policies for Amazon EMR

This section shows several sample policies for controlling user access to Amazon EMR. For information about attaching policies to users, go to Managing IAM Policies in the Using AWS Identity and Access Management Guide.

Example 1: Deny a group use of Amazon EMR

The following policy denies permission to run any Amazon EMR API action.

{
   "Statement":[{
      "Action":["elasticmapreduce:*"],
      "Effect":"Deny",
      "Resource":"*"
      }]
}


Example 2: Allow read-only access to Amazon EMR

The following policy permits viewing details and debugging information about job flows, but does not permit the user to make changes.

{
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:DescribeJobFlows",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "sdb:Select",
        "cloudwatch:GetMetricStatistics"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}


Example 3: Allow full access to Amazon EMR

The following policy gives permissions for all actions required to use Amazon EMR. This policy includes actions for Amazon EC2, Amazon S3, Amazon CloudWatch, and Amazon SimpleDB, as well as for all Amazon EMR actions. Amazon EMR relies on these additional services to perform such actions as launching instances, writing log files, or managing Hadoop jobs and tasks.

{
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:*",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSubnets",
        "ec2:ModifyImageAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:RequestSpotInstances",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "cloudwatch:*",
        "s3:*",
        "sdb:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Note

The ec2:TerminateInstances action enables the IAM user to terminate any of the EC2 instances associated with the IAM account, even those that are not part of an Amazon EMR job flow.


Example 4: Allow requests from a certain IP address or range

The following policy denies any traffic using the AWS account that does not come from the named IP address ranges.

{
   "Statement":[{
      "Effect":"Deny",
      "Action":"*",
      "Resource":"*",
      "Condition":{
         "NotIpAddress":{
            "aws:SourceIp":["10.1.2.0/24","10.1.3.0/24"]
            }
         }
      }]
}

This policy uses the AWS-wide key called aws:SourceIp to specify the range of valid IP addresses. For information about AWS-wide policy keys, go to Element Descriptions in the Using AWS Identity and Access Management Guide.
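As an added illustration (not code from this guide or from AWS), the following Python models the evaluation rules the examples on this page rely on: an explicit Deny wins over any Allow, an action that no statement allows is implicitly denied, "*" in an action name matches zero or more characters, and a NotIpAddress condition on aws:SourceIp makes a Deny apply only to requests from outside the listed ranges. It is a hypothetical, simplified evaluator that understands only these constructs; the policies embedded in it are constructed from Examples 1, 2, and 4 above.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policies, modelled on Examples 1, 2 and 4 of this page.
DENY_EMR = json.loads('{"Statement":[{"Action":["elasticmapreduce:*"],'
                      '"Effect":"Deny","Resource":"*"}]}')
READ_ONLY = json.loads('{"Statement":[{"Action":["elasticmapreduce:DescribeJobFlows",'
                       '"s3:GetObject","s3:ListBucket"],"Effect":"Allow","Resource":"*"}]}')
FULL_EMR = json.loads('{"Statement":[{"Action":"elasticmapreduce:*",'
                      '"Effect":"Allow","Resource":"*"}]}')
IP_RESTRICT = json.loads('{"Statement":[{"Effect":"Deny","Action":"*","Resource":"*",'
                         '"Condition":{"NotIpAddress":{"aws:SourceIp":'
                         '["10.1.2.0/24","10.1.3.0/24"]}}}]}')

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # Action names compare case-insensitively; "*" matches zero or more characters.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only the NotIpAddress operator used in Example 4 is modelled (hypothetical subset).
    for operator, pairs in (condition or {}).items():
        if operator != "NotIpAddress":
            raise NotImplementedError(operator)
        for key, cidrs in pairs.items():
            src = context.get(key)
            if src is None:
                continue  # absent key: a negated operator still holds, so the Deny applies
            if any(ipaddress.ip_address(src) in ipaddress.ip_network(c)
                   for c in _as_list(cidrs)):
                return False  # address is inside a listed range, so NotIpAddress is false
    return True

def evaluate(policies, action, context):
    """Explicit Deny wins; otherwise some Allow is needed; otherwise implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:  # Resource is always "*" here, so it is not checked
            if not _action_matches(stmt["Action"], action):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

Combining READ_ONLY with IP_RESTRICT shows why Example 4 is written as a Deny: the read-only Allow still stands for requests from 10.1.2.0/24, while the same call from any other address is refused regardless of what else is allowed.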


Related Topics