

本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 创建 EMR Studio 服务角色
<a name="emr-studio-service-role"></a>

## 关于 EMR Studio 服务角色
<a name="emr-studio-about-service-role"></a>

每个 EMR Studio 都使用一个 IAM 角色，该角色具有允许工作室与其他AWS服务进行交互的权限。此服务角色必须包括允许 EMR Studio 在工作空间和集群之间建立安全的网络通道Amazon S3 Control、在其中存储笔记本文件以及在将工作区链接到 Git 存储库AWS Secrets Manager时进行访问的权限。

使用 Studio 服务角色（而不是会话策略）定义所有 Amazon S3 访问权限以存储 Notebook 文件，并定义 AWS Secrets Manager 访问权限。

## 如何在 Amazon EC2 或 Amazon EKS 上为 EMR Studio 创建服务角色
<a name="emr-studio-service-role-instructions"></a>

1. 按照[创建角色中的说明向AWS服务委派权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)，使用以下信任策略创建服务角色。
**重要**  
下面的信任策略包括 [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) 和 [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) 全局条件密钥，用于限制您为 EMR Studio 授予的、针对您账户中特定资源的权限。这样做可以防止[混淆代理人问题](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)。

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "AllowSTSAssumerole",
         "Effect": "Allow",
         "Principal": {
           "Service": "elasticmapreduce.amazonaws.com"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "aws:SourceAccount": "123456789012"
           },
           "ArnLike": {
             "aws:SourceArn": "arn:aws:elasticmapreduce:*:123456789012:*"
           }
         }
       }
     ]
   }
   ```

------

1. 删除默认角色权限。然后，包括下面的示例 IAM 权限策略中的权限。或者，您也可以创建使用 [EMR Studio 服务角色权限](#emr-studio-service-role-permissions-table) 的自定义策略。
**重要**  
要使基于 Amazon EC2 标签的访问控制与 EMR Studio 配合使用，您必须按照以下策略所示设置对 `ModifyNetworkInterfaceAttribute` API 的访问权限。
为了让 EMR Studio 与服务角色配合使用，不得更改以下语句：`AllowAddingEMRTagsDuringDefaultSecurityGroupCreation` 和 `AllowAddingTagsDuringEC2ENICreation`。
要您使用示例策略，必须使用密钥 `"for-use-with-amazon-emr-managed-policies"` 和值 `"true"` 标记以下资源。  
用于 EMR Studio 的 Amazon Virtual Private Cloud (VPC)。
您要与 Studio 配合使用的每个子网。
任何自定义 EMR Studio 安全组。如果您想继续使用在 EMR Studio 预览期间创建的安全组，则必须标记它们。
Studio 用户用来将 Git 存储库链接到工作空间的秘密。AWS Secrets Manager
您可以在AWS 管理控制台中，使用相关资源屏幕上的 **Tags (标签)** 选项卡将标签应用于资源。

   如果适用，请更改以下策略中的 `"Resource":"{{*}}"` 中的 `{{*}}`，以便为您的使用案例指定该语句涵盖的资源的 Amazon 资源名称（ARN）)。

------
#### [ JSON ]

****  

   ```
   {
     "Version":"2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "AllowEMRReadOnlyActions",
         "Effect": "Allow",
         "Action": [
           "elasticmapreduce:ListInstances",
           "elasticmapreduce:DescribeCluster",
           "elasticmapreduce:ListSteps"
         ],
         "Resource": [
           "*"
         ]
       },
       {
         "Sid": "AllowEC2ENIActionsWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateNetworkInterfacePermission",
           "ec2:DeleteNetworkInterface"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:network-interface/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowEC2ENIAttributeAction",
         "Effect": "Allow",
         "Action": [
           "ec2:ModifyNetworkInterfaceAttribute"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:instance/*",
           "arn:aws:ec2:*:*:network-interface/*",
           "arn:aws:ec2:*:*:security-group/*"
         ]
       },
       {
         "Sid": "AllowEC2SecurityGroupActionsWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:AuthorizeSecurityGroupEgress",
           "ec2:AuthorizeSecurityGroupIngress",
           "ec2:RevokeSecurityGroupEgress",
           "ec2:RevokeSecurityGroupIngress",
           "ec2:DeleteNetworkInterfacePermission"
         ],
         "Resource": [
           "*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowDefaultEC2SecurityGroupsCreationWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateSecurityGroup"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:security-group/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowDefaultEC2SecurityGroupsCreationInVPCWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateSecurityGroup"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:vpc/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowAddingEMRTagsDuringDefaultSecurityGroupCreation",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateTags"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:security-group/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true",
             "ec2:CreateAction": "CreateSecurityGroup"
           }
         }
       },
       {
         "Sid": "AllowEC2ENICreationWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateNetworkInterface"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:network-interface/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowEC2ENICreationInSubnetAndSecurityGroupWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateNetworkInterface"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:subnet/*",
           "arn:aws:ec2:*:*:security-group/*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowAddingTagsDuringEC2ENICreation",
         "Effect": "Allow",
         "Action": [
           "ec2:CreateTags"
         ],
         "Resource": [
           "arn:aws:ec2:*:*:network-interface/*"
         ],
         "Condition": {
           "StringEquals": {
             "ec2:CreateAction": "CreateNetworkInterface"
           }
         }
       },
       {
         "Sid": "AllowEC2ReadOnlyActions",
         "Effect": "Allow",
         "Action": [
           "ec2:DescribeSecurityGroups",
           "ec2:DescribeNetworkInterfaces",
           "ec2:DescribeTags",
           "ec2:DescribeInstances",
           "ec2:DescribeSubnets",
           "ec2:DescribeVpcs"
         ],
         "Resource": [
           "*"
         ]
       },
       {
         "Sid": "AllowSecretsManagerReadOnlyActionsWithEMRTags",
         "Effect": "Allow",
         "Action": [
           "secretsmanager:GetSecretValue"
         ],
         "Resource": [
           "arn:aws:secretsmanager:*:*:secret:*"
         ],
         "Condition": {
           "StringEquals": {
             "aws:ResourceTag/for-use-with-amazon-emr-managed-policies": "true"
           }
         }
       },
       {
         "Sid": "AllowWorkspaceCollaboration",
         "Effect": "Allow",
         "Action": [
           "iam:GetUser",
           "iam:GetRole",
           "iam:ListUsers",
           "iam:ListRoles",
           "sso:GetManagedApplicationInstance",
           "sso-directory:SearchUsers"
         ],
         "Resource": [
           "*"
         ]
       }
     ]
   }
   ```

------

1. 为您的服务角色授予对用于 EMR Studio 的 Amazon S3 位置的读写权限。使用以下最小权限集。有关更多信息，请参阅 [Amazon S3：允许以编程方式和在控制台中对 S3 Bucket 中的对象进行读写访问](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html)示例。

   ```
   "s3:PutObject",
   "s3:GetObject",
   "s3:GetEncryptionConfiguration",
   "s3:ListBucket",
   "s3:DeleteObject"
   ```

   如果您加密了 Amazon S3 存储桶，您必须为 AWS Key Management Service包含以下权限。

   ```
   "kms:Decrypt",
   "kms:GenerateDataKey",
   "kms:ReEncryptFrom",
   "kms:ReEncryptTo",
   "kms:DescribeKey"
   ```

1. 如果要在用户级别控制对 Git 密钥的访问权限，请在 EMR Studio **用户角色策略**中将基于标签的权限添加至 `secretsmanager:GetSecretValue`，并从 EMR Studio **服务角色策略**中移除对 `secretsmanager:GetSecretValue` 策略的权限。有关设置精细用户权限的更多信息，请参阅 [为 EMR Studio 用户创建权限策略](emr-studio-user-permissions.md#emr-studio-permissions-policies)。

## EMR Serverless 最低需要的服务角色
<a name="emr-studio-service-role-serverless"></a>

如果要通过 EMR Studio Notebook 实例将交互式工作负载与 EMR Serverless 结合使用，请使用与上一节“[如何在 Amazon EC2 或 Amazon EKS 上为 EMR Studio 创建服务角色](#emr-studio-service-role-instructions)”中设置 EMR Studio 相同的信任策略。

对于 IAM policy，最低可行策略应具有以下权限。使用您在配置 EMR Studio 和 Workspace 时计划使用的存储桶名称更新 `{{bucket-name}}`。EMR Studio 使用存储桶来备份 Studio 中的 Workspaces 和 Notebook 实例文件。

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "ObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}/*"
      ]
    },
    {
      "Sid": "BucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}"
      ]
    }
  ]
}
```

------

如果您计划使用加密的 Amazon S3 存储桶，则请在策略中添加以下权限：

```
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:DescribeKey"
```

## EMR Studio 服务角色权限
<a name="emr-studio-service-role-permissions-table"></a>

下表列出了 EMR Studio 使用服务角色运行的运算，以及每项运算所需的 IAM 操作。


| 操作 | 操作 | 
| --- | --- | 
| 在 Workspace 和 EMR 集群之间建立安全的网络通道，并执行必要的清理操作。 |  <pre>"ec2:CreateNetworkInterface", <br />"ec2:CreateNetworkInterfacePermission", <br />"ec2:DeleteNetworkInterface", <br />"ec2:DeleteNetworkInterfacePermission", <br />"ec2:DescribeNetworkInterfaces", <br />"ec2:ModifyNetworkInterfaceAttribute", <br />"ec2:AuthorizeSecurityGroupEgress", <br />"ec2:AuthorizeSecurityGroupIngress", <br />"ec2:CreateSecurityGroup",<br />"ec2:DescribeSecurityGroups", <br />"ec2:RevokeSecurityGroupEgress",<br />"ec2:DescribeTags",<br />"ec2:DescribeInstances",<br />"ec2:DescribeSubnets",<br />"ec2:DescribeVpcs",<br />"elasticmapreduce:ListInstances", <br />"elasticmapreduce:DescribeCluster", <br />"elasticmapreduce:ListSteps"</pre>  | 
| 使用存储在中的 Git 凭据AWS Secrets Manager将 Git 存储库链接到工作区。 |  <pre>"secretsmanager:GetSecretValue"</pre>  | 
| 将AWS标签应用于 EMR Studio 在设置安全网络通道时创建的网络接口和默认安全组。有关更多信息，请参阅[标记AWS资源](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html)。 |  <pre>"ec2:CreateTags"</pre>  | 
| 访问 Notebook 文件和元数据或将它们上传到 Amazon S3。 | <pre>"s3:PutObject",<br />"s3:GetObject",<br />"s3:GetEncryptionConfiguration",<br />"s3:ListBucket",<br />"s3:DeleteObject" </pre>如果您使用 加密的 Amazon S3 存储桶，则必须包含以下权限。<pre>"kms:Decrypt",<br />"kms:GenerateDataKey",<br />"kms:ReEncryptFrom",<br />"kms:ReEncryptTo",<br />"kms:DescribeKey"</pre> | 
| 启用和配置 Workspace 协作。 |  <pre>"iam:GetUser",<br />"iam:GetRole",<br />"iam:ListUsers",<br />"iam:ListRoles",<br />"sso:GetManagedApplicationInstance",<br />"sso-directory:SearchUsers",<br />"sso:DescribeApplication",<br />"sso:DescribeInstance"</pre>  | 
| [使用客户托管密钥 (CMK) 加密 EMR Studio 工作空间笔记本和文件 AWS Key Management Service](https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-studio-workspace-storage-encryption)  |  <pre>"kms:Decrypt",<br />"kms:GenerateDataKey",<br />"kms:ReEncryptFrom",<br />"kms:ReEncryptTo",<br />"kms:DescribeKey"</pre>  | 