
E-MapReduce: Assign a role to an Alibaba Cloud account

Last Updated: Dec 10, 2024

Before you use Alibaba Cloud E-MapReduce (EMR) on ACK, your Alibaba Cloud account must be assigned the system default role AliyunEMROnACKDefaultRole. This topic describes the methods that you can use to assign this role to an Alibaba Cloud account.

Automated authorization

In most cases, you are required to perform automated authorization when you use EMR on ACK for the first time.

  1. Log on to the EMR console.

  2. In the left-side navigation pane, click EMR on ACK.

  3. On the EMR on ACK page, click Authorize Now.

  4. On the Cloud Resource Access Authorization page, click Agree to Authorization in the lower part of the page.

    The AliyunEMROnACKDefaultRole role is selected by default.

Manual authorization

If EMR on ACK is unavailable after you delete the AliyunEMROnACKDefaultRole role by mistake or change the authorization policy, perform the following steps to create and grant permissions to the role:

  1. Create a RAM role.

    1. Log on to the Resource Access Management (RAM) console.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select a trusted entity and click Next.

      For more information about trusted entities, see Create a RAM role and attach the required policies to the role.

    5. Enter the information about the role that you want to create and click OK.

      Enter AliyunEMROnACKDefaultRole in the RAM Role Name field. If the AliyunEMROnACKDefaultRole role already exists, you do not need to create it again.

  2. Attach policies to the RAM role.

    1. On the Roles page, click the AliyunEMROnACKDefaultRole role and then click Precise Permission.

    2. In the Precise Permission panel, configure the Type and Policy Name parameters, and then click OK.

      You need to attach the following policies to the AliyunEMROnACKDefaultRole role.

      • Policy 1: System policy AliyunEMROnACKDefaultRolePolicy

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "cs:CreateCluster",
                        "cs:GetClusterById",
                        "cs:GetClusters",
                        "cs:GetUserConfig",
                        "cs:DeleteCluster",
                        "cs:AttachInstances",
                        "cs:DescribeClusterLogsRequest",
                        "cs:GetClusterLogs",
                        "cs:GetUserQuota",
                        "cs:DescribeClusterNodes",
                        "cs:GetNodepoolDetail",
                        "cs:GetNodepools",
                        "cs:UpdateNodepool",
                        "cs:ScaleNodepools",
                        "cs:DescribeClusterInnerServiceKubeconfig",
                        "cs:RevokeClusterInnerServiceKubeconfig",
                        "ecs:DescribeInstances"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }

      • Policy 2: System policy AliyunEMRFullAccess

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": "emr:*",
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": [
                        "cms:QueryMetricList",
                        "ram:GetRole",
                        "ram:ListRoles",
                        "ram:ListUserBasicInfos",
                        "ecs:DescribeZones",
                        "ecs:DescribeInstanceTypes",
                        "ecs:DescribeKeyPairs",
                        "ecs:DescribeAvailableResource",
                        "ecs:DescribeInstances",
                        "ecs:DescribeSpotPriceHistory",
                        "ecs:DescribeSpotAdvice",
                        "ecs:DescribeInstanceStatus",
                        "ecs:DescribeDeploymentSets",
                        "vpc:DescribeVpcs",
                        "vpc:DescribeVSwitches",
                        "oss:ListBuckets",
                        "dlf:DescribeRegions",
                        "dlf:GetRegionStatus",
                        "dlf:ListCatalogs"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
                },
                {
                    "Action": "ram:PassRole",
                    "Resource": "*",
                    "Effect": "Allow",
                    "Condition": {
                        "StringEquals": {
                            "acs:Service": "emr.aliyuncs.com"
                        }
                    }
                },
                {
                    "Action": "quotas:ListProductQuotas",
                    "Resource": "acs:quotas:*:*:quota/ecs/*",
                    "Effect": "Allow"
                },
                {
                    "Action": "kms:DescribeAccountKmsStatus",
                    "Resource": "*",
                    "Effect": "Allow"
                }
            ]
        }

      • Policy 3: Custom policy EmrOnAckPolicyV2

        {
            "Version": "1",
            "Statement": [
                {
                    "Action": [
                        "ram:*"
                    ],
                    "Resource": [
                        "acs:ram:*:*:domain/*",
                        "acs:ram:*:*:application/*"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

      Note

      After you create a RAM role and attach the preceding policies, you can use EMR on ACK.
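
A least-privilege review of the three policies above, as an added example that is not part of the original documentation: the Python code below flags wildcard actions and non-read actions that are allowed on Resource "*". The action lists are trimmed from the policies on this page, and the READ_PREFIXES heuristic and the function names are assumptions of this example.

```python
# Statements copied from the three policies on this page; the long action
# lists are trimmed to a few representative entries (constructed sample).
POLICIES = {
    "AliyunEMROnACKDefaultRolePolicy": {"Version": "1", "Statement": [
        {"Action": ["cs:CreateCluster", "cs:DeleteCluster", "ecs:DescribeInstances"],
         "Resource": "*", "Effect": "Allow"}]},
    "AliyunEMRFullAccess": {"Version": "1", "Statement": [
        {"Action": "emr:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:PassRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"acs:Service": "emr.aliyuncs.com"}}},
        {"Action": "quotas:ListProductQuotas",
         "Resource": "acs:quotas:*:*:quota/ecs/*", "Effect": "Allow"}]},
    "EmrOnAckPolicyV2": {"Version": "1", "Statement": [
        {"Action": ["ram:*"],
         "Resource": ["acs:ram:*:*:domain/*", "acs:ram:*:*:application/*"],
         "Effect": "Allow"}]},
}

# Assumption: operations starting with these verbs are treated as read-only.
READ_PREFIXES = ("Get", "List", "Describe", "Query")

def as_list(value):
    """Action and Resource appear on this page both as a string and as a list."""
    return [value] if isinstance(value, str) else list(value)

def audit(name, policy):
    """Return (policy name, statement index, finding) for each risky Allow grant."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = as_list(stmt["Resource"])
        kind = "conditioned" if stmt.get("Condition") else "unconditioned"
        for action in as_list(stmt["Action"]):
            op = action.partition(":")[2]
            if op == "*":  # every operation of the service is granted
                findings.append((name, i, f"wildcard-action {action} on {resources}"))
            elif "*" in resources and not op.startswith(READ_PREFIXES):
                findings.append((name, i, f"{kind}-write {action} on *"))
    return findings

def audit_all(policies=POLICIES):
    """Audit every policy and return one flat list of findings."""
    return [f for name, p in policies.items() for f in audit(name, p)]

if __name__ == "__main__":
    for finding in audit_all():
        print(*finding, sep=" | ")
```

The findings are review prompts rather than defects: ram:PassRole on "*" is limited by the acs:Service condition, whereas ram:* in EmrOnAckPolicyV2 is limited only by its two resource patterns.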