The first time you use E-MapReduce (EMR) Workbench Workflow, make sure that your Alibaba Cloud account is assigned the default role. This topic describes how to assign the default role to an Alibaba Cloud account and the policy that is attached to the role.
Limits
The first time you use EMR Workbench Workflow, make sure that your Alibaba Cloud account is assigned the default RAM role that has the permissions on EMR Workbench Workflow. Otherwise, your Alibaba Cloud account and the RAM users within your Alibaba Cloud account cannot use EMR Workbench Workflow.
If you want to delete the default role, make sure that the resources that use the role are released. Otherwise, the use of EMR Workbench Workflow is affected.
Procedure
Note
The first time you use EMR Workbench Workflow, you must use your Alibaba Cloud account to perform the following operations to complete role assignment. You do not need to manually configure permissions. Then, you do not need to repeat the role assignment operation when you use EMR again.
Log on to the EMR console by using your Alibaba Cloud account.
In the left-side navigation pane, choose EMR Workbench > Workflow.
Go to the Dependency Check page, find the desired check item, and then click Authorize Now in the Actions column.
On the page that appears, click Agree to Authorization.
After the role assignment, EMR Workbench Workflow can access your cloud resources.
Policies
AliyunEMRWorkflowDefaultRole
The AliyunEMRWorkflowDefaultRolePolicy policy is attached to the AliyunEMRWorkflowDefaultRole role. The following code shows the policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:CreateNetworkInterfacePermission",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVSwitches",
"vpc:CreateRouteTable",
"vpc:DeleteRouteTable",
"vpc:UnassociateRouteTable",
"vpc:AssociateRouteTable",
"vpc:DescribeRouteTableList",
"vpc:CreateRouteEntry",
"vpc:DeleteRouteEntry",
"vpc:DescribeRouteEntryList",
"emr:ListClusterHost",
"emr:DescribeCluster",
"emr:DescribeClusterV2",
"emr:ListClusters",
"emr:DescribeFlowAgentToken",
"emr:ListClusterServiceQuickLink",
"emr:DescribeClusterServiceConfig",
"emr:ListClusterHostComponent",
"emr:DescribeClusterServiceConfig",
"emr:GetClusterClientMeta",
"emr:ListApplicationConfigFiles",
"emr:GetApplicationConfigFile",
"emr:ListNodeGroups",
"emr:ListNodes",
"emr:ListClusterTemplates",
"emr:DescribeClusterTemplate",
"emr:DescribeFlowProject",
"emr:ListFlow",
"emr:DescribeFlow",
"emr:DescribeFlowJob",
"emr:ListFlowJob",
"emr:ListFlowProject",
"emr:ListFlowCategory",
"emr:DescribeFlowVariableCollection",
"dlf:BatchCreatePartitions",
"dlf:BatchCreateTables",
"dlf:BatchDeletePartitions",
"dlf:BatchDeleteTables",
"dlf:BatchGetPartitions",
"dlf:BatchGetTables",
"dlf:BatchUpdatePartitions",
"dlf:BatchUpdateTables",
"dlf:CreateDatabase",
"dlf:CreateFunction",
"dlf:CreatePartition",
"dlf:CreateTable",
"dlf:DeleteDatabase",
"dlf:DeleteFunction",
"dlf:DeletePartition",
"dlf:DeleteTable",
"dlf:GetDatabase",
"dlf:GetFunction",
"dlf:GetPartition",
"dlf:GetTable",
"dlf:ListCatalogs",
"dlf:ListDatabases",
"dlf:ListFunctionNames",
"dlf:ListFunctions",
"dlf:ListPartitionNames",
"dlf:ListPartitions",
"dlf:ListPartitionsByExpr",
"dlf:ListPartitionsByFilter",
"dlf:ListTableNames",
"dlf:ListTables",
"dlf:RenamePartition",
"dlf:RenameTable",
"dlf:UpdateDatabase",
"dlf:UpdateFunction",
"dlf:UpdateTable",
"dlf:UpdateTableColumnStatistics",
"dlf:GetTableColumnStatistics",
"dlf:DeleteTableColumnStatistics",
"dlf:UpdatePartitionColumnStatistics",
"dlf:GetPartitionColumnStatistics",
"dlf:DeletePartitionColumnStatistics",
"dlf:BatchGetPartitionColumnStatistics",
"dlf:CreateLock",
"dlf:UnLock",
"dlf:AbortLock",
"dlf:RefreshLock",
"dlf:GetLock",
"dlf:GetAsyncTaskStatus"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunStreamAsiDefaultRole
The AliyunStreamAsiDefaultRolePolicy policy is attached to the AliyunStreamAsiDefaultrole role that depends on the fully managed Flink service. The following code shows the policy document:
{
"Version": "1",
"Statement": [
{
"Action": [
"oss:ListBuckets",
"oss:GetBucketInfo",
"oss:GetObjectMetadata",
"oss:GetObject",
"oss:ListObjects",
"oss:PutObject",
"oss:CopyObject",
"oss:CompleteMultipartUpload",
"oss:AbortMultipartUpload",
"oss:InitiateMultipartUpload",
"oss:UploadPartCopy",
"oss:UploadPart",
"oss:DeleteObject",
"oss:PutBucketcors",
"oss:GetBucketCors"
],
"Resource": "acs:oss:*:*:*",
"Effect": "Allow"
},
{
"Action": [
"ecs:AssociateEipAddress",
"ecs:AttachNetworkInterface",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:CreateNetworkInterface",
"ecs:CreateNetworkInterfacePermission",
"ecs:CreateSecurityGroup",
"ecs:DeleteNetworkInterface",
"ecs:DeleteNetworkInterfacePermission",
"ecs:DeleteSecurityGroup",
"ecs:DescribeNetworkInterfacePermissions",
"ecs:DescribeNetworkInterfaces",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroupReferences",
"ecs:DescribeSecurityGroups",
"ecs:DetachNetworkInterface",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:UnassociateEipAddress"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"slb:AddBackendServers",
"slb:AddListenerWhiteListItem",
"slb:AddTags",
"slb:AddVServerGroupBackendServers",
"slb:CreateLoadBalancer",
"slb:CreateLoadBalancerHTTPListener",
"slb:CreateLoadBalancerHTTPSListener",
"slb:CreateLoadBalancerTCPListener",
"slb:CreateLoadBalancerUDPListener",
"slb:CreateRules",
"slb:CreateVServerGroup",
"slb:DeleteLoadBalancer",
"slb:DeleteLoadBalancerListener",
"slb:DeleteRules",
"slb:DeleteVServerGroup",
"slb:DescribeHealthStatus",
"slb:DescribeListenerAccessControlAttribute",
"slb:DescribeLoadBalancerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttribute",
"slb:DescribeLoadBalancerHTTPListenerAttributes",
"slb:DescribeLoadBalancerHTTPSListenerAttribute",
"slb:DescribeLoadBalancerTCPListenerAttribute",
"slb:DescribeLoadBalancerUDPListenerAttribute",
"slb:DescribeLoadBalancers",
"slb:DescribeRegions",
"slb:DescribeRules",
"slb:DescribeTags",
"slb:DescribeVServerGroupAttribute",
"slb:DescribeVServerGroups",
"slb:ModifyLoadBalancerInstanceSpec",
"slb:ModifyLoadBalancerInternetSpec",
"slb:ModifyLoadBalancerInstanceChargeType",
"slb:ModifyLoadBalancerPayType",
"slb:RemoveBackendServers",
"slb:RemoveListenerWhiteListItem",
"slb:RemoveVServerGroupBackendServers",
"slb:SetBackendServers",
"slb:SetListenerAccessControlStatus",
"slb:SetLoadBalancerHTTPListenerAttribute",
"slb:SetLoadBalancerHTTPSListenerAttribute",
"slb:SetLoadBalancerName",
"slb:SetLoadBalancerStatus",
"slb:SetLoadBalancerTCPListenerAttribute",
"slb:SetLoadBalancerUDPListenerAttribute",
"slb:SetRule",
"slb:SetServerCertificateName",
"slb:SetVServerGroupAttribute",
"slb:StartLoadBalancerListener",
"slb:StopLoadBalancerListener",
"slb:SetLoadBalancerDeleteProtection",
"slb:RemoveTags",
"slb:DescribeLoadBalancerListeners",
"slb:ModifyVServerGroupBackendServers",
"slb:SetLoadBalancerModificationProtection",
"slb:CreateLoadBalancerForCloudService"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"arms:ListDashboards",
"arms:CreateContact",
"arms:DeleteContact",
"arms:SearchContact",
"arms:UpdateContact",
"arms:CreateContactGroup",
"arms:DeleteContactGroup",
"arms:SearchContactGroup",
"arms:UpdateContactGroup",
"arms:SearchAlertRules",
"arms:CreateAlertRules",
"arms:UpdateAlertRules",
"arms:DeleteAlertRules",
"arms:StartAlertRule",
"arms:StopAlertRule",
"arms:SearchAlarmHistories",
"arms:OpenArmsService",
"arms:CreateWehook",
"arms:UpdateWebhook",
"arms:CreateDispatchRule",
"arms:ListDispatchRule",
"arms:DeleteDispatchRule",
"arms:UpdateDispatchRule",
"arms:DescribeDispatchRule",
"arms:GetAlarmHistories",
"arms:SendCustomIncidents",
"arms:SaveAlert",
"arms:DeleteAlert",
"arms:GetAlert"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"vpc:DescribeVpcAttribute",
"vpc:DescribeVpcs",
"vpc:DescribeVSwitchAttributes",
"vpc:DescribeVSwitches",
"vpc:DescribeRouteTableList",
"vpc:DescribeRouteTables",
"vpc:DescribeRouteEntryList",
"vpc:DescribeRouterInterfaceAttribute",
"vpc:DescribeRouterInterfaces",
"vpc:DescribeVRouters",
"vpc:ModifyBypassToaAttribute"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ims:ListUserBasicInfos"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"tag:ListTagResources",
"tag:ListTagKeys",
"tag:ListTagValues"
],
"Resource": "*",
"Effect": "Allow"
}
]
}