
E-MapReduce: Grant permissions to a RAM user

Last Updated: Jul 15, 2024

You can perform operations in E-MapReduce (EMR) Serverless Spark as a RAM user only if the RAM user has the relevant permissions. For example, a RAM user can create, view, or delete a Serverless Spark workspace only if it has been granted the relevant permissions. This topic describes how to grant permissions to a RAM user.

Prerequisites

A RAM user is created. For information about how to create a RAM user, see Create a RAM user.

Procedure

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of them at the same time.

  4. In the Grant Permission panel, grant required permissions to the RAM user.

    Parameters and their descriptions:

    Resource Scope: The valid values are:

    • Account: If you select this option, permissions take effect on the current Alibaba Cloud account.

    • ResourceGroup: If you select this option, permissions take effect on a specified resource group.

    Principal: The principal is the RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify another RAM user.

    Policy: Select the following policies from the supported system policies:

    • AliyunEMRServerlessSparkFullAccess: the policy that contains administrator permissions to create and delete workspaces in EMR Serverless Spark.

      The following code provides the details of the AliyunEMRServerlessSparkFullAccess policy:

      {
        "Version": "1",
        "Statement": [
          {
            "Action": "emr-serverless-spark:*",
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "oss:ListBuckets",
              "dlf:DescribeRegions",
              "dlf:GetRegionStatus",
              "dlf:ListCatalogs",
              "emr:GetApmData",
              "emr:QueryApmGrafanaData"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": "spark.emr-serverless.aliyuncs.com"
              }
            }
          }
        ]
      }

    • AliyunEmrServerlessSparkReadOnlyAccess: the policy that contains read permissions to access EMR Serverless Spark.

      The following code provides the details of the AliyunEmrServerlessSparkReadOnlyAccess policy:

      {
          "Statement": [
              {
                  "Action": [
                      "emr-serverless-spark:Get*",
                      "emr-serverless-spark:List*",
                      "emr-serverless-spark:Query*",
                      "emr-serverless-spark:Is*",
                      "emr-serverless-spark:Check*"
                  ],
                  "Effect": "Allow",
                  "Resource": "*"
              }
          ],
          "Version": "1"
      }

  5. Click Grant permissions.

  6. Click Close.
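
To compare what each of the two system policies in step 4 permits before you attach one, the following added example (not part of the original documentation) evaluates actions against both policy documents. The evaluator is a simplified model that handles only Action wildcards, Effect, and StringEquals conditions; the workspace action names in it are constructed for illustration and are not taken from the API reference.

```python
import json
from fnmatch import fnmatchcase

# The two system policies exactly as listed on this page.
FULL_ACCESS = json.loads("""{"Version": "1", "Statement": [
  {"Action": "emr-serverless-spark:*", "Resource": "*", "Effect": "Allow"},
  {"Action": ["oss:ListBuckets", "dlf:DescribeRegions", "dlf:GetRegionStatus",
              "dlf:ListCatalogs", "emr:GetApmData", "emr:QueryApmGrafanaData"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals":
                 {"ram:ServiceName": "spark.emr-serverless.aliyuncs.com"}}}]}""")
READ_ONLY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["emr-serverless-spark:Get*", "emr-serverless-spark:List*",
              "emr-serverless-spark:Query*", "emr-serverless-spark:Is*",
              "emr-serverless-spark:Check*"],
   "Effect": "Allow", "Resource": "*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(statement, context):
    """Only StringEquals is modelled; any other operator fails closed."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True

def is_allowed(policy, action, context=None):
    """Simplified evaluation: explicit Deny wins, then any matching Allow.
    Resource is not evaluated because both policies use "*"."""
    context = context or {}
    effects = set()
    for st in policy["Statement"]:
        matches = any(fnmatchcase(action, p) for p in _as_list(st["Action"]))
        if matches and _condition_ok(st, context):
            effects.add(st["Effect"])
    return "Deny" not in effects and "Allow" in effects

if __name__ == "__main__":
    # Constructed action names, for illustration only.
    for action in ("emr-serverless-spark:ListWorkspaces",
                   "emr-serverless-spark:DeleteWorkspace", "oss:ListBuckets"):
        print(action, is_allowed(FULL_ACCESS, action), is_allowed(READ_ONLY, action))
```

The read-only policy rejects any action whose name does not start with Get, List, Query, Is, or Check, and the full-access policy permits ram:CreateServiceLinkedRole only when the request context names spark.emr-serverless.aliyuncs.com.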