當RAM使用者(子帳號)進行EMR Serverless Spark操作,例如建立、查看或刪除工作空間等操作時,必須具有相應的許可權。本文為您介紹如何進行RAM授權。
前提條件
已建立RAM使用者。具體操作,請參見建立RAM使用者。
操作步驟
使用Resource Access Management員登入RAM控制台。
在左側導覽列,選擇身份管理 > 使用者。
在使用者頁面,單擊目標RAM使用者操作列的添加許可權。
您也可以選中多個RAM使用者,單擊使用者列表下方的添加許可權,為RAM使用者大量授權。
在新增授權面板,為RAM使用者添加相應的許可權。
參數
說明
授權範圍
選擇所需的應用範圍:
帳號層級:許可權在當前阿里雲帳號內生效。
資源群組層級:許可權在指定的資源群組內生效。
授權主體
被授權主體,即需要授權的RAM使用者,系統會自動填入當前的RAM使用者,您也可以添加其他RAM使用者。
選擇許可權
支援的系統策略如下:
AliyunEMRServerlessSparkFullAccess:EMR Serverless Spark管理員權限,包含建立、刪除工作空間許可權。
AliyunEMRServerlessSparkFullAccess許可權內容
{ "Version": "1", "Statement": [ { "Action": "emr-serverless-spark:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "oss:ListBuckets", "dlf:DescribeRegions", "dlf:GetRegionStatus", "dlf:ListCatalogs", "emr:GetApmData", "emr:QueryApmGrafanaData" ], "Resource": "*", "Effect": "Allow" }, { "Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ram:ServiceName": "spark.emr-serverless.aliyuncs.com" } } } ] }AliyunEMRServerlessSparkDeveloperAccess:EMR Serverless Spark的開發人員許可權,不包括建立、刪除工作空間許可權。
AliyunEMRServerlessSparkDeveloperAccess許可權內容
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless-spark:AddMembers", "emr-serverless-spark:BindSessionCluster", "emr-serverless-spark:CancelJobRun", "emr-serverless-spark:CancelRun", "emr-serverless-spark:Check*", "emr-serverless-spark:CommitTask", "emr-serverless-spark:CreateArtifact", "emr-serverless-spark:CreateCatalog", "emr-serverless-spark:CreateCategory", "emr-serverless-spark:CreateComputeToken", "emr-serverless-spark:CreateEmrSparkServiceLinkedRole", "emr-serverless-spark:CreateEnvironment", "emr-serverless-spark:CreateJobRunDeployment", "emr-serverless-spark:CreateLivyCompute", "emr-serverless-spark:CreateLivyComputeToken", "emr-serverless-spark:CreateNetworkService", "emr-serverless-spark:CreateProcessDefinitionWithSchedule", "emr-serverless-spark:CreateRole", "emr-serverless-spark:CreateSessionCluster", "emr-serverless-spark:CreateSessionStatement", "emr-serverless-spark:CreateSqlStatement", "emr-serverless-spark:CreateTask", "emr-serverless-spark:CreateTaskInstance", "emr-serverless-spark:CreateTemplate", "emr-serverless-spark:CreateWorkspaceQueue", "emr-serverless-spark:DeleteArtifact", "emr-serverless-spark:DeleteCatalog", "emr-serverless-spark:DeleteCategory", "emr-serverless-spark:DeleteComputeToken", "emr-serverless-spark:DeleteEnvironment", "emr-serverless-spark:DeleteJobRunDeployment", "emr-serverless-spark:DeleteLivyCompute", "emr-serverless-spark:DeleteLivyComputeSession", "emr-serverless-spark:DeleteLivyComputeToken", "emr-serverless-spark:DeleteNetworkService", "emr-serverless-spark:DeleteProcessDefinitionByCode", "emr-serverless-spark:DeleteProcessDefinitionVersion", "emr-serverless-spark:DeleteRole", "emr-serverless-spark:DeleteSessionCluster", "emr-serverless-spark:DeleteTask", "emr-serverless-spark:DeleteWorkspaceQueue", "emr-serverless-spark:EditCatalog", "emr-serverless-spark:EditEnvironment", "emr-serverless-spark:EditSessionCluster", "emr-serverless-spark:EditWorkspaceQueue", "emr-serverless-spark:Execute", "emr-serverless-spark:ForceTaskInstanceSuccess", "emr-serverless-spark:GenerateComputeToken", "emr-serverless-spark:GenerateLivyComputeToken", "emr-serverless-spark:GenerateTaskCodes", "emr-serverless-spark:Get*", "emr-serverless-spark:GrantActionsToRole", "emr-serverless-spark:GrantRoleToUsers", "emr-serverless-spark:List*", "emr-serverless-spark:PublishWorkflowDefinition", "emr-serverless-spark:Query*", "emr-serverless-spark:RefreshLivyComputeToken", "emr-serverless-spark:ReleaseWorkflowAndSchedule", "emr-serverless-spark:RemoveMember", "emr-serverless-spark:RevokeActionsToRole", "emr-serverless-spark:RevokeRoleFromUsers", "emr-serverless-spark:StartHmsProxyServer", "emr-serverless-spark:StartJobRun", "emr-serverless-spark:StartJobRunDeployment", "emr-serverless-spark:StartLivyCompute", "emr-serverless-spark:StartProcessInstance", "emr-serverless-spark:StartRun", "emr-serverless-spark:StartSessionCluster", "emr-serverless-spark:StopJobRunDeployment", "emr-serverless-spark:StopLivyCompute", "emr-serverless-spark:StopSessionCluster", "emr-serverless-spark:SwitchProcessDefinitionVersion", "emr-serverless-spark:TearDownHmsProxyServer", "emr-serverless-spark:TerminateSessionStatement", "emr-serverless-spark:TerminateSqlStatement", "emr-serverless-spark:TestHmsConnection", "emr-serverless-spark:UnbindSessionCluster", "emr-serverless-spark:UpdateCategory", "emr-serverless-spark:UpdateComputeToken", "emr-serverless-spark:UpdateJobRunDeployment", "emr-serverless-spark:UpdateLivyCompute", "emr-serverless-spark:UpdateProcessDefinitionWithSchedule", "emr-serverless-spark:UpdateResourceAcl", "emr-serverless-spark:UpdateTask", "emr-serverless-spark:ValidateCode" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "dlf:DescribeRegions", "dlf:GetRegionStatus", "dlf:ListCatalogs", "dlf:ListDatabases", "dlf:ListTables", "emr:GetApmData", "emr:QueryApmGrafanaData" ], "Resource": "*" } ] }AliyunEmrServerlessSparkReadOnlyAccess:EMR Serverless Spark唯讀許可權,包含了唯讀訪問Spark服務的許可權。
AliyunEmrServerlessSparkReadOnlyAccess許可權內容
{ "Statement": [ { "Action": [ "emr-serverless-spark:Get*", "emr-serverless-spark:List*", "emr-serverless-spark:Query*", "emr-serverless-spark:Is*", "emr-serverless-spark:Check*" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }
單擊確認新增授權。
單擊關閉。