2016-01-28 118 views
0

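Roles/permissions using the AWS CLI

I am trying to create an EMR cluster using the AWS EMR create-cluster command. To begin with, I do not have an admin role to do most things.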

aws emr create-cluster --release-label emr-4.2.0 \
    --instance-groups InstanceGroupType=MASTER,InstanceCount=1,InstanceType=m3.xlarge InstanceGroupType=CORE,InstanceCount=2,InstanceType=m3.xlarge \
    --service-role MY_ROLE \
    --ec2-attributes KeyName=MY_KEY_PAIR,SubnetId=subnet-xxxxxxxx,InstanceProfile=MY_ROLE

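I am trying to run this command on an EC2 instance. I get a success message immediately, with the cluster ID displayed. However, the machines terminate with an invalid role error message.

If I look at the cluster status in the AWS console, I see many permission error messages.

Is there a set of permissions required by the roles/policies that will ensure error-free cluster creation?

I cannot use --use-default-roles because I do not have permission to create roles.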

Answers

1

I can give you the EMR_DefaultRole that I use to create clusters with EMR:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CancelSpotInstanceRequests",
            "ec2:CreateNetworkInterface",
            "ec2:CreateSecurityGroup",
            "ec2:CreateTags",
            "ec2:DeleteNetworkInterface",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteTags",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstanceStatus",
            "ec2:DescribeInstances",
            "ec2:DescribeKeyPairs",
            "ec2:DescribeNetworkAcls",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribePrefixLists",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSpotInstanceRequests",
            "ec2:DescribeSpotPriceHistory",
            "ec2:DescribeSubnets",
            "ec2:DescribeVpcAttribute",
            "ec2:DescribeVpcEndpoints",
            "ec2:DescribeVpcEndpointServices",
            "ec2:DescribeVpcs",
            "ec2:DetachNetworkInterface",
            "ec2:ModifyImageAttribute",
            "ec2:ModifyInstanceAttribute",
            "ec2:RequestSpotInstances",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:RunInstances",
            "ec2:TerminateInstances",
            "iam:GetRole",
            "iam:GetRolePolicy",
            "iam:ListInstanceProfiles",
            "iam:ListRolePolicies",
            "iam:PassRole",
            "s3:CreateBucket",
            "s3:Get*",
            "s3:List*",
            "sdb:BatchPutAttributes",
            "sdb:Select",
            "sqs:CreateQueue",
            "sqs:Delete*",
            "sqs:GetQueue*",
            "sqs:PurgeQueue",
            "sqs:ReceiveMessage"
        ]
    }]
}

And also the EC2 default instance profile role, EMR_EC2_DefaultRole:

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Resource": "*",
        "Action": [
            "cloudwatch:*",
            "dynamodb:*",
            "ec2:Describe*",
            "elasticmapreduce:Describe*",
            "elasticmapreduce:ListBootstrapActions",
            "elasticmapreduce:ListClusters",
            "elasticmapreduce:ListInstanceGroups",
            "elasticmapreduce:ListInstances",
            "elasticmapreduce:ListSteps",
            "kinesis:CreateStream",
            "kinesis:DeleteStream",
            "kinesis:DescribeStream",
            "kinesis:GetRecords",
            "kinesis:GetShardIterator",
            "kinesis:MergeShards",
            "kinesis:PutRecord",
            "kinesis:SplitShard",
            "rds:Describe*",
            "s3:*",
            "sdb:*",
            "sns:*",
            "sqs:*"
        ]
    }]
}
+0

I think this is what we get if we use --use-default-role, and some of these permissions may not be needed, right? Or are all of them definitely needed?

+1

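This is the default role when using '--use-default-role'. I am not sure whether all of these permissions are needed; it depends on how you configure your EMR. For example: do you use CloudWatch for monitoring or not? So it is basically up to you.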

+0

Thanks. I will figure out which of these options I actually need.
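
The thread ends on working out which of these permissions are actually needed. As an added example (not part of the original posts), this Python script lists the broadest grants in policies shaped like the two in the answer: service-wide wildcards, prefix wildcards, and `iam:PassRole` on `"Resource": "*"`. The policy excerpts are abbreviated from the answer; the `Sid` labels, the function names and the severity labels are assumptions of this example.

```python
import json

# Abbreviated excerpts of the two policies in the answer; the Sid labels are added.
SERVICE_ROLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "EMR_DefaultRole", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:RunInstances", "ec2:TerminateInstances", "iam:PassRole",
             "s3:Get*", "sqs:Delete*"]}]}""")
INSTANCE_PROFILE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "EMR_EC2_DefaultRole", "Effect": "Allow", "Resource": "*",
  "Action": ["cloudwatch:*", "ec2:Describe*", "elasticmapreduce:ListClusters",
             "kinesis:PutRecord", "s3:*"]}]}""")


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return (severity, sid, action, reason) for broad grants in Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        any_resource = "*" in as_list(stmt.get("Resource", []))
        for action in as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if action == "*" or name == "*":
                findings.append(("HIGH", sid, action, "every action in the service"))
            elif action.lower() == "iam:passrole" and any_resource:
                findings.append(("HIGH", sid, action,
                                 "any role can be passed; scope Resource to the role ARN"))
            elif "*" in name:
                # Describe*/List* only read metadata; other prefixes may read or change data.
                read_only = name.lower().startswith(("describe", "list"))
                findings.append(("LOW" if read_only else "MEDIUM", sid, action,
                                 "prefix wildcard; list the exact actions used"))
    return findings


if __name__ == "__main__":
    for policy in (SERVICE_ROLE, INSTANCE_PROFILE):
        for severity, sid, action, reason in audit(policy):
            print(f"{severity:6} {sid:20} {action:18} {reason}")
```

To check a full policy, load the JSON document from a file with `json.load` and pass it to `audit`.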