Details of the AWS Documentation: Essential IAM Administrator Permissions for EMR Studio
Admin Permissions for EMR Studio on AWS
Amazon Web Services documents the AWS Identity and Access Management (IAM) permissions an administrator needs in order to create and manage Amazon EMR Studio deployments. A specific set of permissions must be in place before an AWS account can offer safe, controlled access to EMR Studio resources, and the documentation serves as a guide for administrators writing IAM policies that grant exactly the level of access EMR Studio administration requires.
Running an EMR Studio comes down to a handful of core tasks, each gated by a distinct IAM permission. For routine administration an administrator needs a set of elasticmapreduce permissions; these are the whole story in IAM authentication mode, while IAM Identity Center authentication mode adds more on top. For example, creating a new EMR Studio requires the "elasticmapreduce:CreateStudio" permission.
Inspecting the configuration or status of a particular Studio requires "elasticmapreduce:DescribeStudio". Administrators who want to see every EMR Studio in the account need "elasticmapreduce:ListStudios", and deleting a Studio requires "elasticmapreduce:DeleteStudio". Beyond these EMR-specific actions, the documentation stresses that creating a Studio also requires "iam:PassRole" on the Studio's service role and user role. This permission lets the administrator hand those roles to the EMR service, which then assumes them to act on behalf of the Studio and its users. The statement granting it should name the exact role ARNs: "iam:PassRole" on a wildcard resource would let the holder attach any role in the account to a Studio, including roles far more privileged than the ones EMR Studio needs.
Importantly, the documentation notes that additional permissions are required when an EMR Studio is set up to use IAM Identity Center authentication. These extra permissions mainly cover two things: managing Studio session mappings, which control which users and groups authenticated through IAM Identity Center may access the Studio and with what session policy, and interacting with AWS IAM Identity Center (formerly AWS SSO) and its directory service.
Controlling user and group access in an EMR Studio running in IAM Identity Center mode takes a more involved set of actions spread across several AWS services. Assigning a user or group to a Studio, for instance, needs permissions from more than one service.
These include "elasticmapreduce:CreateStudioSessionMapping" together with sso and sso-directory actions such as "sso:AssociateProfile", "sso:CreateApplicationAssignment", "sso-directory:SearchUsers" and "sso-directory:DescribeUser". The assignment operation also reaches into other services, with "organizations:DescribeOrganization" and "iam:ListPolicies" on the list.
Retrieving the assignment details for a particular user or group requires "elasticmapreduce:GetStudioSessionMapping" plus the sso-directory actions "sso-directory:SearchUsers" and "sso-directory:DescribeUser" and the sso action "sso:DescribeApplication". Simply listing every user and group currently assigned to a Studio uses "elasticmapreduce:ListStudioSessionMappings". Changing the session policy attached to an assigned user or group requires "elasticmapreduce:UpdateStudioSessionMapping" together with "sso-directory:SearchUsers", "sso:DescribeApplication" and "sso:DescribeInstance".
Finally, removing a user or group from a Studio requires permissions across sso-directory ("sso-directory:SearchUsers", "sso-directory:DescribeGroup"), elasticmapreduce ("elasticmapreduce:DeleteStudioSessionMapping") and sso ("sso:DeleteApplicationAssignment", "sso:DisassociateProfile").
To help administrators set up these permissions, the AWS documentation provides sample IAM policies for both IAM authentication mode and IAM Identity Center authentication mode. They are intended as starting points for writing your own policies.
Administrators are directed to fill in the policy templates with their own account and resource details: the AWS Region code where the Studio will live, the AWS account ID, the Amazon Resource Name (ARN) of the resource or resources a statement covers, and the exact names of the EMR Studio service role and EMR Studio user role. For the list actions, which are not tied to any one Studio, the resource placeholder is in practice "*". Before attaching the result, confirm that no angle-bracket placeholder has been left behind; a Resource value that still contains a literal "<aws-account-id>" matches no real resource, so the statement grants nothing.
One of the more important details in the documentation, especially for the IAM Identity Center sample policy, concerns how resources are specified for certain service actions. The documentation makes clear that the Identity Center and Identity Center directory APIs do not support naming a specific ARN in the "Resource" element of a policy statement.
As a result, the sample policy for IAM Identity Center mode sets "Resource" to "*" for sso and sso-directory actions, authorizing them across every resource those services expose. For elasticmapreduce actions, in contrast, the policy can target specific Studio ARNs (for example "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*"), and for "iam:PassRole" it can target specific role ARNs (for example "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"). That gives resource-level control for those services even though the Identity Center actions cannot be narrowed the same way.
Once a suitable IAM policy containing these permissions has been written and customized, it must be attached to the appropriate IAM identity: an IAM user, group or role. That identity then holds the permissions the policy grants, and this final step is what enables the administrative operations on the EMR Studio environment. The breadth of the documented permissions underlines how much granular access control matters for a service like EMR Studio, particularly when it is combined with identity management such as IAM Identity Center.
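The two steps above, filling in the template and checking the result before it is attached, can be done mechanically. The script below is an added example and is not code from the AWS documentation: it renders a template shaped like the page's IAM Identity Center admin policy (with a representative subset of the Identity Center actions), refuses to emit a policy that still contains a placeholder, and lints the rendered document for the two mistakes that most often over-widen an admin policy, "iam:PassRole" on a wildcard and Studio create/update/delete actions on "*" where a Studio ARN would do. The region, account ID and role names in VALUES are constructed, not real resources.

```python
"""Render and lint an EMR Studio admin policy template.

Added example, not code from the AWS documentation. TEMPLATE mirrors the page's
IAM Identity Center admin policy (Identity Center actions are a representative
subset); the region, account ID and role names in VALUES are constructed.
"""
import json
import re

PLACEHOLDER = re.compile(r"<([^<>]+)>")

TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Studio lifecycle and session mappings: Studio ARNs are supported here
            "Effect": "Allow",
            "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
            "Action": ["elasticmapreduce:CreateStudio", "elasticmapreduce:DescribeStudio",
                       "elasticmapreduce:DeleteStudio",
                       "elasticmapreduce:CreateStudioSessionMapping",
                       "elasticmapreduce:GetStudioSessionMapping",
                       "elasticmapreduce:UpdateStudioSessionMapping",
                       "elasticmapreduce:DeleteStudioSessionMapping"],
        },
        {   # List operations: the page leaves the resource as a placeholder
            "Effect": "Allow",
            "Resource": "<your-resource-ARN>",
            "Action": ["elasticmapreduce:ListStudios",
                       "elasticmapreduce:ListStudioSessionMappings"],
        },
        {   # iam:PassRole must name the exact roles the admin may hand to EMR
            "Effect": "Allow",
            "Resource": ["arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                         "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"],
            "Action": "iam:PassRole",
        },
        {   # Identity Center APIs do not accept a specific ARN, so "*" is required
            "Effect": "Allow",
            "Resource": "*",
            "Action": ["sso:CreateApplicationAssignment", "sso:DeleteApplicationAssignment",
                       "sso:AssociateProfile", "sso:DisassociateProfile",
                       "sso-directory:SearchUsers", "sso-directory:DescribeUser"],
        },
    ],
}

# Constructed placeholder values; substitute your own account details.
VALUES = {
    "region": "us-east-1",
    "aws-account-id": "123456789012",
    "EMRStudio-Service-Role": "EMRStudio-Service-Role",
    "EMRStudio-User-Role": "EMRStudio-User-Role",
    "your-resource-ARN": "*",  # ListStudios is not scoped to one Studio
}

def unfilled(template, values):
    """Placeholder names used in the template that `values` does not supply."""
    return {n for n in PLACEHOLDER.findall(json.dumps(template)) if n not in values}

def render(template, values):
    """Substitute every <name> placeholder, refusing to emit a half-filled policy."""
    missing = unfilled(template, values)
    if missing:
        raise KeyError(f"no value supplied for placeholders: {sorted(missing)}")
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], json.dumps(template)))

def lint(policy):
    """Findings for the two mistakes that most often over-widen an admin policy."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        # PassRole on a wildcard lets the holder attach any role in the account to a
        # Studio, including roles far more privileged than the Studio roles.
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            findings += [f"statement {idx}: iam:PassRole allowed on wildcard resource {r}"
                         for r in resources if "*" in r]
        # Studio create/update/delete actions accept Studio ARNs, so "*" is needless.
        mutating = [a for a in actions if a.startswith("elasticmapreduce:")
                    and not a.split(":", 1)[1].startswith(("List", "Describe", "Get"))]
        if mutating and "*" in resources:
            findings.append(f"statement {idx}: {', '.join(mutating)} allowed on '*'")
    return findings

def build_admin_policy(values=VALUES):
    """The rendered policy document, ready for `aws iam create-policy`."""
    return render(TEMPLATE, values)

def loosened_policy():
    """Same policy with PassRole widened to '*', to show what lint catches."""
    policy = build_admin_policy()
    policy["Statement"][2]["Resource"] = "*"
    return policy
```

`json.dumps(build_admin_policy(), indent=4)` produces the document to hand to `aws iam create-policy --policy-document`; `lint(build_admin_policy())` returns an empty list for the policy as written, while `lint(loosened_policy())` reports the PassRole statement. The lint deliberately stays silent about "*" on sso and sso-directory actions, because, as the documentation notes, those APIs cannot be narrowed to an ARN.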
Admin permissions for EMR Studio: example policies
Example policy: Admin permissions when you use IAM authentication mode
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
            "Action": [
                "elasticmapreduce:CreateStudio",
                "elasticmapreduce:DescribeStudio",
                "elasticmapreduce:DeleteStudio"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "<your-resource-ARN>",
            "Action": [
                "elasticmapreduce:ListStudios"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>"
            ],
            "Action": "iam:PassRole"
        }
    ]
}
Example policy: Admin permissions when you use IAM Identity Center authentication mode
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "arn:aws:elasticmapreduce:<region>:<aws-account-id>:studio/*",
            "Action": [
                "elasticmapreduce:CreateStudio",
                "elasticmapreduce:DescribeStudio",
                "elasticmapreduce:DeleteStudio",
                "elasticmapreduce:CreateStudioSessionMapping",
                "elasticmapreduce:GetStudioSessionMapping",
                "elasticmapreduce:UpdateStudioSessionMapping",
                "elasticmapreduce:DeleteStudioSessionMapping"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": "<your-resource-ARN>",
            "Action": [
                "elasticmapreduce:ListStudios",
                "elasticmapreduce:ListStudioSessionMappings"
            ]
        },
        {
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::<aws-account-id>:role/<EMRStudio-Service-Role>",
                "arn:aws:iam::<aws-account-id>:role/<EMRStudio-User-Role>"
            ],
            "Action": "iam:PassRole"
        },
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "sso:CreateApplication",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationGrant",
                "sso:PutApplicationAccessScope",
                "sso:PutApplicationAssignmentConfiguration",
                "sso:DescribeApplication",
                "sso:DeleteApplication",
                "sso:DeleteApplicationAuthenticationMethod",
                "sso:DeleteApplicationAccessScope",
                "sso:DeleteApplicationGrant",
                "sso:ListInstances",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "sso:ListApplicationAssignments",
                "sso:DescribeInstance",
                "sso:AssociateProfile",
                "sso:DisassociateProfile",
                "sso:GetProfile",
                "sso:ListDirectoryAssociations",
                "sso:ListProfiles",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup",
                "organizations:DescribeOrganization",
                "organizations:ListDelegatedAdministrators",
                "sso:CreateInstance",
                "sso:DescribeRegisteredRegions",
                "sso:GetSharedSsoConfiguration",
                "iam:ListPolicies"
            ]
        }
    ]
}