If you use E-MapReduce (EMR) Workflow for the first time, you must assign the default role of your Alibaba Cloud account to EMR Workflow. This topic describes how to assign a RAM role to EMR Workflow and the policies that are attached to the RAM role.
Usage notes
If you use EMR Workflow for the first time, you must use an Alibaba Cloud account to assign a default RAM role to EMR Workflow. Otherwise, neither RAM users nor the Alibaba Cloud account itself can use EMR Workflow.
Before you delete the default RAM role, make sure that the resources that use the default RAM role are released. Otherwise, you cannot use EMR Workflow as expected.
Procedure
Log on to the EMR console.
In the left-side navigation pane, choose EMR Studio > Workflow.
On the Dependency Check page, click Authorize Now.
Click Agree to Authorization.
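After the authorization, EMR Workflow can access your cloud resources within the permissions that are granted by the policies described in the Policies section of this topic.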
Policies
AliyunEMRWorkflowDefaultRole
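The AliyunEMRWorkflowDefaultRolePolicy policy is attached to the AliyunEMRWorkflowDefaultRole role. The policy contains a single Allow statement whose Resource element is "*". This means that the listed actions are allowed on all resources to which they apply, not only on resources created by EMR Workflow. The listed actions include create and delete operations on network interfaces, route tables, and route entries, and create, update, and delete operations on DLF databases, tables, partitions, and functions. The following code shows the content of the policy: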
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroupAttribute",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVSwitches",
"vpc:CreateRouteTable",
"vpc:DeleteRouteTable",
"vpc:UnassociateRouteTable",
"vpc:AssociateRouteTable",
"vpc:DescribeRouteTableList",
"vpc:CreateRouteEntry",
"vpc:DeleteRouteEntry",
"vpc:DescribeRouteEntryList",
"emr:ListClusterHost",
"emr:DescribeCluster",
"emr:DescribeClusterV2",
"emr:ListClusters",
"emr:DescribeFlowAgentToken",
"emr:ListClusterServiceQuickLink",
"emr:DescribeClusterServiceConfig",
"emr:ListClusterHostComponent",
"emr:DescribeClusterServiceConfig",
"emr:GetClusterClientMeta",
"emr:ListApplicationConfigFiles",
"emr:GetApplicationConfigFile",
"emr:ListNodeGroups",
"emr:ListNodes",
"emr:ListClusterTemplates",
"emr:DescribeClusterTemplate",
"dlf:BatchCreatePartitions",
"dlf:BatchCreateTables",
"dlf:BatchDeletePartitions",
"dlf:BatchDeleteTables",
"dlf:BatchGetPartitions",
"dlf:BatchGetTables",
"dlf:BatchUpdatePartitions",
"dlf:BatchUpdateTables",
"dlf:CreateDatabase",
"dlf:CreateFunction",
"dlf:CreatePartition",
"dlf:CreateTable",
"dlf:DeleteDatabase",
"dlf:DeleteFunction",
"dlf:DeletePartition",
"dlf:DeleteTable",
"dlf:GetDatabase",
"dlf:GetFunction",
"dlf:GetPartition",
"dlf:GetTable",
"dlf:ListCatalogs",
"dlf:ListDatabases",
"dlf:ListFunctionNames",
"dlf:ListFunctions",
"dlf:ListPartitionNames",
"dlf:ListPartitions",
"dlf:ListPartitionsByExpr",
"dlf:ListPartitionsByFilter",
"dlf:ListTableNames",
"dlf:ListTables",
"dlf:RenamePartition",
"dlf:RenameTable",
"dlf:UpdateDatabase",
"dlf:UpdateFunction",
"dlf:UpdateTable",
"dlf:UpdateTableColumnStatistics",
"dlf:GetTableColumnStatistics",
"dlf:DeleteTableColumnStatistics",
"dlf:UpdatePartitionColumnStatistics",
"dlf:GetPartitionColumnStatistics",
"dlf:DeletePartitionColumnStatistics",
"dlf:BatchGetPartitionColumnStatistics",
"dlf:CreateLock",
"dlf:UnLock",
"dlf:AbortLock",
"dlf:RefreshLock",
"dlf:GetLock",
"dlf:GetAsyncTaskStatus"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunStreamAsiDefaultrole
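The AliyunStreamAsiDefaultRolePolicy policy is attached to the AliyunStreamAsiDefaultrole role that depends on the fully managed Flink service. The OSS statement in the policy applies to all buckets and objects (acs:oss:*:*:*) and includes write and delete actions such as oss:PutObject and oss:DeleteObject. The other statements use "Resource": "*" and include actions that create, modify, and delete security groups, security group rules, network interfaces, and load balancers. The following code shows the content of the policy: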
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:ListBuckets",
"oss:GetBucketInfo",
"oss:GetObjectMetadata",
"oss:GetObject",
"oss:ListObjects",
"oss:PutObject",
"oss:CopyObject",
"oss:CompleteMultipartUpload",
"oss:AbortMultipartUpload",
"oss:InitiateMultipartUpload",
"oss:UploadPartCopy",
"oss:UploadPart",
"oss:DeleteObject",
"oss:PutBucketcors",
"oss:GetBucketCors"
],
"Resource": "acs:oss:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"ecs:AssociateEipAddress",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DeleteSecurityGroup",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassociateEipAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:AddBackendServers",
"slb:AddListenerWhiteListItem",
"slb:AddTags",
"slb:AddVServerGroupBackendServers",
"slb:CreateLoadBalancer",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerTCPListener",
"slb:CreateLoadBalancerUDPListener",
"slb:CreateRules",
"slb:CreateVServerGroup",
"slb:DeleteLoadBalancer",
"slb:DeleteLoadBalancerListener",
"slb:DeleteRules",
"slb:DeleteVServerGroup",
"slb:DescribeHealthStatus",
"slb:DescribeListenerAccessControlAttribute",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttributes",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeRegions",
"slb:DescribeRules",
"slb:DescribeTags",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeVServerGroups",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceChargeType",
"slb:ModifyLoadBalancerPayType",
"slb:RemoveBackendServers",
"slb:RemoveListenerWhiteListItem",
"slb:RemoveVServerGroupBackendServers",
"slb:SetBackendServers",
"slb:SetListenerAccessControlStatus",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerName",
"slb:SetLoadBalancerStatus",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:SetRule",
"slb:SetServerCertificateName",
"slb:SetVServerGroupAttribute",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:SetLoadBalancerDeleteProtection",
"slb:RemoveTags",
"slb:DescribeLoadBalancerListeners",
"slb:ModifyVServerGroupBackendServers",
"slb:SetLoadBalancerModificationProtection",
"slb:CreateLoadBalancerForCloudService"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:ListDashboards",
"arms:CreateContact",
"arms:DeleteContact",
"arms:SearchContact",
"arms:UpdateContact",
"arms:CreateContactGroup",
"arms:DeleteContactGroup",
"arms:SearchContactGroup",
"arms:UpdateContactGroup",
"arms:SearchAlertRules",
"arms:CreateAlertRules",
"arms:UpdateAlertRules",
"arms:DeleteAlertRules",
"arms:StartAlertRule",
"arms:StopAlertRule",
"arms:SearchAlarmHistories",
"arms:OpenArmsService",
"arms:CreateWehook",
"arms:UpdateWebhook",
"arms:CreateDispatchRule",
"arms:ListDispatchRule",
"arms:DeleteDispatchRule",
"arms:UpdateDispatchRule",
"arms:DescribeDispatchRule",
"arms:GetAlarmHistories",
"arms:SendCustomIncidents",
"arms:SaveAlert",
"arms:DeleteAlert",
"arms:GetAlert"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcAttribute",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVSwitches",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeVRouters",
"vpc:ModifyBypassToaAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ims:ListUserBasicInfos"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"tag:ListTagResources",
"tag:ListTagKeys",
"tag:ListTagValues"
],
"Resource": "*",
"Effect": "Allow"
}
]
}