
E-MapReduce:Grant permissions to a RAM user

Last Updated:Dec 16, 2024

A RAM user can perform operations in E-MapReduce (EMR) Serverless Spark, such as creating, viewing, or deleting a Serverless Spark workspace, only if the required permissions have been granted to that RAM user. This topic describes how to grant permissions to a RAM user.

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant the same permissions to all of the selected RAM users at the same time.

  4. In the Grant Permission panel, grant required permissions to the RAM user.


    The Grant Permission panel contains the following parameters:

    Resource Scope: The scope of resources to which the granted permissions apply. Valid values:

    • Account: The permissions take effect on all resources in the current Alibaba Cloud account.

    • ResourceGroup: The permissions take effect only on the resources in the specified resource group.

    Principal: The RAM user to which you want to grant permissions. The RAM user that you selected on the Users page is specified by default. You can also specify another RAM user.

    Policy: The policies to attach to the RAM user. Supported system policies:

    • AliyunEMRServerlessSparkFullAccess: the policy that grants administrator permissions on EMR Serverless Spark (emr-serverless-spark:* on all resources), including the permissions to create and delete workspaces.

      Document of the AliyunEMRServerlessSparkFullAccess policy

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "emr-serverless-spark:*",
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:ListBuckets",
              "dlf:DescribeRegions",
              "dlf:GetRegionStatus",
              "dlf:ListCatalogs",
              "emr:GetApmData",
              "emr:QueryApmGrafanaData"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "spark.emr-serverless.aliyuncs.com"
              }
            }
          }
        ]
      }
    • AliyunEMRServerlessSparkDeveloperAccess: the policy that grants the permissions of an EMR Serverless Spark developer. It lists the allowed actions explicitly and does not include the permissions to create and delete workspaces.

      Document of the AliyunEMRServerlessSparkDeveloperAccess policy

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "emr-serverless-spark:AddMembers",
                      "emr-serverless-spark:BindSessionCluster",
                      "emr-serverless-spark:CancelJobRun",
                      "emr-serverless-spark:CancelRun",
                      "emr-serverless-spark:Check*",
                      "emr-serverless-spark:CommitTask",
                      "emr-serverless-spark:CreateArtifact",
                      "emr-serverless-spark:CreateCatalog",
                      "emr-serverless-spark:CreateCategory",
                      "emr-serverless-spark:CreateComputeToken",
                      "emr-serverless-spark:CreateEmrSparkServiceLinkedRole",
                      "emr-serverless-spark:CreateEnvironment",
                      "emr-serverless-spark:CreateJobRunDeployment",
                      "emr-serverless-spark:CreateLivyCompute",
                      "emr-serverless-spark:CreateLivyComputeToken",
                      "emr-serverless-spark:CreateNetworkService",
                      "emr-serverless-spark:CreateProcessDefinitionWithSchedule",
                      "emr-serverless-spark:CreateRole",
                      "emr-serverless-spark:CreateSessionCluster",
                      "emr-serverless-spark:CreateSessionStatement",
                      "emr-serverless-spark:CreateSqlStatement",
                      "emr-serverless-spark:CreateTask",
                      "emr-serverless-spark:CreateTaskInstance",
                      "emr-serverless-spark:CreateTemplate",
                      "emr-serverless-spark:CreateWorkspaceQueue",
                      "emr-serverless-spark:DeleteArtifact",
                      "emr-serverless-spark:DeleteCatalog",
                      "emr-serverless-spark:DeleteCategory",
                      "emr-serverless-spark:DeleteComputeToken",
                      "emr-serverless-spark:DeleteEnvironment",
                      "emr-serverless-spark:DeleteJobRunDeployment",
                      "emr-serverless-spark:DeleteLivyCompute",
                      "emr-serverless-spark:DeleteLivyComputeSession",
                      "emr-serverless-spark:DeleteLivyComputeToken",
                      "emr-serverless-spark:DeleteNetworkService",
                      "emr-serverless-spark:DeleteProcessDefinitionByCode",
                      "emr-serverless-spark:DeleteProcessDefinitionVersion",
                      "emr-serverless-spark:DeleteRole",
                      "emr-serverless-spark:DeleteSessionCluster",
                      "emr-serverless-spark:DeleteTask",
                      "emr-serverless-spark:DeleteWorkspaceQueue",
                      "emr-serverless-spark:EditCatalog",
                      "emr-serverless-spark:EditEnvironment",
                      "emr-serverless-spark:EditSessionCluster",
                      "emr-serverless-spark:EditWorkspaceQueue",
                      "emr-serverless-spark:Execute",
                      "emr-serverless-spark:ForceTaskInstanceSuccess",
                      "emr-serverless-spark:GenerateComputeToken",
                      "emr-serverless-spark:GenerateLivyComputeToken",
                      "emr-serverless-spark:GenerateTaskCodes",
                      "emr-serverless-spark:Get*",
                      "emr-serverless-spark:GrantActionsToRole",
                      "emr-serverless-spark:GrantRoleToUsers",
                      "emr-serverless-spark:List*",
                      "emr-serverless-spark:PublishWorkflowDefinition",
                      "emr-serverless-spark:Query*",
                      "emr-serverless-spark:RefreshLivyComputeToken",
                      "emr-serverless-spark:ReleaseWorkflowAndSchedule",
                      "emr-serverless-spark:RemoveMember",
                      "emr-serverless-spark:RevokeActionsToRole",
                      "emr-serverless-spark:RevokeRoleFromUsers",
                      "emr-serverless-spark:StartHmsProxyServer",
                      "emr-serverless-spark:StartJobRun",
                      "emr-serverless-spark:StartJobRunDeployment",
                      "emr-serverless-spark:StartLivyCompute",
                      "emr-serverless-spark:StartProcessInstance",
                      "emr-serverless-spark:StartRun",
                      "emr-serverless-spark:StartSessionCluster",
                      "emr-serverless-spark:StopJobRunDeployment",
                      "emr-serverless-spark:StopLivyCompute",
                      "emr-serverless-spark:StopSessionCluster",
                      "emr-serverless-spark:SwitchProcessDefinitionVersion",
                      "emr-serverless-spark:TearDownHmsProxyServer",
                      "emr-serverless-spark:TerminateSessionStatement",
                      "emr-serverless-spark:TerminateSqlStatement",
                      "emr-serverless-spark:TestHmsConnection",
                      "emr-serverless-spark:UnbindSessionCluster",
                      "emr-serverless-spark:UpdateCategory",
                      "emr-serverless-spark:UpdateComputeToken",
                      "emr-serverless-spark:UpdateJobRunDeployment",
                      "emr-serverless-spark:UpdateLivyCompute",
                      "emr-serverless-spark:UpdateProcessDefinitionWithSchedule",
                      "emr-serverless-spark:UpdateResourceAcl",
                      "emr-serverless-spark:UpdateTask",
                      "emr-serverless-spark:ValidateCode"
                  ],
                  "Resource": "*"
              },
              {
                  "Effect": "Allow",
                  "Action": [
                      "dlf:DescribeRegions",
                      "dlf:GetRegionStatus",
                      "dlf:ListCatalogs",
                      "dlf:ListDatabases",
                      "dlf:ListTables",
                      "emr:GetApmData",
                      "emr:QueryApmGrafanaData"
                  ],
                  "Resource": "*"
              }
          ]
      }
    • AliyunEmrServerlessSparkReadOnlyAccess: the policy that grants read-only permissions on EMR Serverless Spark (only the Get*, List*, Query*, Is*, and Check* actions).

      Document of the AliyunEmrServerlessSparkReadOnlyAccess policy

      {
          "Statement": [
              {
                  "Action": [
                      "emr-serverless-spark:Get*",
                      "emr-serverless-spark:List*",
                      "emr-serverless-spark:Query*",
                      "emr-serverless-spark:Is*",
                      "emr-serverless-spark:Check*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }
  5. Click Grant permissions.

  6. Click Close.
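The three system policies in step 4 differ only in their Action lists, and the practical question when choosing one is which API calls a user who holds it can actually make. The following Python script is an added example, not code from this page or from Alibaba Cloud: it embeds the FullAccess and ReadOnlyAccess documents as printed above plus a trimmed copy of the DeveloperAccess document, and evaluates requests against them in the RAM order of precedence (an explicit Deny wins, otherwise a matching Allow grants, otherwise the request is denied by default). The action names DeleteWorkspace and GetJobRun and the service name other.aliyuncs.com do not appear on this page and are assumed for illustration only; the page does not list the real names of the workspace create and delete actions.

```python
from fnmatch import fnmatchcase

# Policy documents copied from the page. The DeveloperAccess document is
# trimmed to a representative subset of its actions so the example stays
# short; the complete action list is printed on the page above.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Action": "emr-serverless-spark:*", "Resource": "*", "Effect": "Allow"},
        {"Action": ["oss:ListBuckets", "dlf:DescribeRegions", "dlf:GetRegionStatus",
                    "dlf:ListCatalogs", "emr:GetApmData", "emr:QueryApmGrafanaData"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": "spark.emr-serverless.aliyuncs.com"}}},
    ],
}
DEVELOPER_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "emr-serverless-spark:AddMembers", "emr-serverless-spark:Check*",
            "emr-serverless-spark:CreateWorkspaceQueue", "emr-serverless-spark:DeleteWorkspaceQueue",
            "emr-serverless-spark:Get*", "emr-serverless-spark:GrantRoleToUsers",
            "emr-serverless-spark:List*", "emr-serverless-spark:Query*",
            "emr-serverless-spark:StartJobRun"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "dlf:DescribeRegions", "dlf:GetRegionStatus", "dlf:ListCatalogs", "dlf:ListDatabases",
            "dlf:ListTables", "emr:GetApmData", "emr:QueryApmGrafanaData"]},
    ],
}
READ_ONLY_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "emr-serverless-spark:Get*", "emr-serverless-spark:List*", "emr-serverless-spark:Query*",
            "emr-serverless-spark:Is*", "emr-serverless-spark:Check*"]},
    ],
}
POLICIES = {"FullAccess": FULL_ACCESS, "DeveloperAccess": DEVELOPER_ACCESS,
            "ReadOnlyAccess": READ_ONLY_ACCESS}


def _as_list(value):
    """Action, Resource and condition values may be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is implemented, the one operator the policies above use.
    Any other operator is treated as unsatisfied, so an unsupported condition
    can never widen a grant."""
    for operator, clauses in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _statement_matches(stmt, action, resource, context):
    """Action and resource must each match one pattern ('*' wildcards, exact
    case, no implicit prefix match) and the Condition, if any, must hold."""
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition"), context))


def evaluate(policies, action, resource="*", context=None):
    """'Allow' or 'Deny' for one request under all attached policies:
    explicit Deny wins, then any matching Allow, otherwise default deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def can(policy, action, context=None):
    """True if a user holding only this policy may call `action`."""
    return evaluate([policy], action, "*", context) == "Allow"


def compare(action, context=None):
    """Which of the three system policies allow `action`?"""
    return {name: can(policy, action, context) for name, policy in POLICIES.items()}


if __name__ == "__main__":
    # DeleteWorkspace and GetJobRun are assumed action names (not on the page);
    # the wildcard patterns in the policies match them regardless.
    for action, ctx in [
        ("emr-serverless-spark:StartJobRun", None),
        ("emr-serverless-spark:GetJobRun", None),
        ("emr-serverless-spark:DeleteWorkspace", None),
        ("ram:CreateServiceLinkedRole", {"ram:ServiceName": "spark.emr-serverless.aliyuncs.com"}),
        ("ram:CreateServiceLinkedRole", {"ram:ServiceName": "other.aliyuncs.com"}),
    ]:
        print(f"{action:40} {ctx or ''} -> {compare(action, ctx)}")
```

Two things the output makes concrete. DeveloperAccess does not allow the assumed DeleteWorkspace action even though it lists DeleteWorkspaceQueue, because explicit entries are matched exactly rather than by prefix, while FullAccess allows it through emr-serverless-spark:*. And the ram:CreateServiceLinkedRole grant in FullAccess is conditioned on ram:ServiceName, so a user with that policy can create only the service-linked role for spark.emr-serverless.aliyuncs.com, not service-linked roles for other services.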