You should use the Amazon EMR Steps API to submit Apache Hive, Apache Spark, and others varieties of purposes to an EMR cluster. You may invoke the Steps API utilizing Apache Airflow, AWS Steps Capabilities, the AWS Command Line Interface (AWS CLI), all of the AWS SDKs, and the AWS Administration Console. Jobs submitted with the Steps API use the Amazon Elastic Compute Cloud (Amazon EC2) occasion profile to entry AWS sources equivalent to Amazon Easy Storage Service (Amazon S3) buckets, AWS Glue tables, and Amazon DynamoDB tables from the cluster.
Beforehand, if a step wanted entry to a selected S3 bucket and one other step wanted entry to a selected DynamoDB desk, the AWS Identification and Entry Administration (IAM) coverage connected to the occasion profile needed to enable entry to each the S3 bucket and the DynamoDB desk. This meant that the IAM insurance policies you assigned to the occasion profile needed to comprise a union of all of the permissions for each step that ran on an EMR cluster.
We’re glad to introduce runtime roles for EMR steps. A runtime function is an IAM function that you just affiliate with an EMR step, and jobs use this function to entry AWS sources. With runtime roles for EMR steps, now you can specify totally different IAM roles for the Spark and the Hive jobs, thereby scoping down entry at a job degree. This lets you simplify entry controls on a single EMR cluster that’s shared between a number of tenants, whereby every tenant may be simply remoted utilizing IAM roles.
The flexibility to specify an IAM function with a job can also be obtainable on Amazon EMR on EKS and Amazon EMR Serverless. You too can use AWS Lake Formation to use table- and column-level permission for Apache Hive and Apache Spark jobs which are submitted with EMR steps. For extra info, discuss with Configure runtime roles for Amazon EMR steps.
On this publish, we dive deeper into runtime roles for EMR steps, serving to you perceive how the assorted items work collectively, and the way every step is remoted on an EMR cluster.
Answer overview
On this publish, we stroll by means of the next:
- Create an EMR cluster enabled to make use of the brand new role-based entry management with EMR steps.
- Create two IAM roles with totally different permissions by way of the Amazon S3 knowledge and Lake Formation tables they will entry.
- Enable the IAM principal submitting the EMR steps to make use of these two IAM roles.
- See how EMR steps working with the identical code and making an attempt to entry the identical knowledge have totally different permissions primarily based on the runtime function specified at submission time.
- See the way to monitor and management actions utilizing supply id propagation.
Arrange EMR cluster safety configuration
Amazon EMR safety configurations simplify making use of constant safety, authorization, and authentication choices throughout your clusters. You may create a safety configuration on the Amazon EMR console or by way of the AWS CLI or AWS SDK. Whenever you connect a safety configuration to a cluster, Amazon EMR applies the settings within the safety configuration to the cluster. You may connect a safety configuration to a number of clusters at creation time, however can’t apply them to a working cluster.
To allow runtime roles for EMR steps, we now have to create a safety configuration as proven within the following code and allow the runtime roles property (configured by way of EnableApplicationScopedIAMRole). Along with the runtime roles, we’re enabling propagation of the supply id (configured by way of PropagateSourceIdentity) and help for Lake Formation (configured by way of LakeFormationConfiguration). The supply id is a mechanism to watch and management actions taken with assumed roles. Enabling Propagate supply id lets you audit actions carried out utilizing the runtime function. Lake Formation is an AWS service to securely handle an information lake, which incorporates defining and implementing central entry management insurance policies in your knowledge lake.
Create a file known as step-runtime-roles-sec-cfg.json with the next content material:
Create the Amazon EMR safety configuration:
You too can do the identical by way of the Amazon console:
- On the Amazon EMR console, select Safety configurations within the navigation pane.
- Select Create.
- Select Create.
- For Safety configuration identify, enter a reputation.
- For Safety configuration setup choices, choose Select customized settings.
- For IAM function for purposes, choose Runtime function.
- Choose Propagate supply id to audit actions carried out utilizing the runtime function.
- For High quality-grained entry management, choose AWS Lake Formation.
- Full the safety configuration.
The safety configuration seems in your safety configuration record. You too can see that the authorization mechanism listed right here is the runtime function as an alternative of the occasion profile.
Launch the cluster
Now we launch an EMR cluster and specify the safety configuration we created. For extra info, discuss with Specify a safety configuration for a cluster.
The next code offers the AWS CLI command for launching an EMR cluster with the suitable safety configuration. Observe that this cluster is launched on the default VPC and public subnet with the default IAM roles. As well as, the cluster is launched with one major and one core occasion of the desired occasion sort. For extra particulars on the way to customise the launch parameters, discuss with create-cluster.
If the default EMR roles EMR_EC2_DefaultRole and EMR_DefaultRole don’t exist in IAM in your account (that is the primary time you’re launching an EMR cluster with these), earlier than launching the cluster, use the next command to create them:
Create the cluster with the next code:
When the cluster is absolutely provisioned (Ready state), let’s attempt to run a step on it with runtime roles for EMR steps enabled:
After launching the command, we obtain the next as output:
The step failed, asking us to offer a runtime function. Within the subsequent part, we arrange two IAM roles with totally different permissions and use them because the runtime roles for EMR steps.
Arrange IAM roles as runtime roles
Any IAM function that you just need to use as a runtime function for EMR steps should have a belief coverage that enables the EMR cluster’s EC2 occasion profile to imagine it. In our setup, we’re utilizing the default IAM function EMR_EC2_DefaultRole because the occasion profile function. As well as, we create two IAM roles known as test-emr-demo1 and test-emr-demo2 that we use as runtime roles for EMR steps.
The next code is the belief coverage for each of the IAM roles, which lets the EMR cluster’s EC2 occasion profile function, EMR_EC2_DefaultRole, assume these roles and set the supply id and LakeFormationAuthorizedCaller tag on the function periods. The TagSession permission is required in order that Amazon EMR can authorize to Lake Formation. The SetSourceIdentity assertion is required for the propagate supply id characteristic.
Create a file known as trust-policy.json with the next content material (change 123456789012 along with your AWS account ID):
Use that coverage to create the 2 IAM roles, test-emr-demo1 and test-emr-demo2:
Arrange permissions for the principal submitting the EMR steps with runtime roles
The IAM principal submitting the EMR steps must have permissions to invoke the AddJobFlowSteps API. As well as, you need to use the Situation key elasticmapreduce:ExecutionRoleArn to manage entry to particular IAM roles. For instance, the next coverage permits the IAM principal to solely use IAM roles test-emr-demo1 and test-emr-demo2 because the runtime roles for EMR steps.
- Create the
job-submitter-policy.jsonfile with the next content material (change 123456789012 along with your AWS account ID): - Create the IAM coverage with the next code:
- Assign this coverage to the IAM principal (IAM person or IAM function) you’re going to make use of to submit the EMR steps (change 123456789012 along with your AWS account ID and change
johnwith the IAM person you employ to submit your EMR steps):
IAM person john can now submit steps utilizing arn:aws:iam::123456789012:function/test-emr-demo1 and arn:aws:iam::123456789012:function/test-emr-demo2 because the step runtime roles.
Use runtime roles with EMR steps
We now put together our setup to indicate runtime roles for EMR steps in motion.
Arrange Amazon S3
To arrange your Amazon S3 knowledge, full the next steps:
- Create a CSV file known as
take a look at.csvwith the next content material: - Add the file to Amazon S3 in three totally different areas:
For our preliminary take a look at, we use a PySpark utility known as
take a look at.pywith the next contents:Within the script, we’re making an attempt to entry the CSV file current beneath three totally different prefixes within the take a look at bucket.
- Add the Spark utility inside the identical S3 bucket the place we positioned the
take a look at.csvfile however in a special location:
Arrange runtime function permissions
To indicate how runtime roles for EMR steps works, we assign to the roles we created totally different IAM permissions to entry Amazon S3. The next desk summarizes the grants we offer to every function (emr-steps-roles-new-us-east-1 is the bucket you configured within the earlier part).
| S3 areas IAM Roles | test-emr-demo1 | test-emr-demo2 |
| s3://emr-steps-roles-new-us-east-1/* | No Entry | No Entry |
| s3://emr-steps-roles-new-us-east-1/demo1/* | Full Entry | No Entry |
| s3://emr-steps-roles-new-us-east-1/demo2/* | No Entry | Full Entry |
| s3://emr-steps-roles-new-us-east-1/scripts/* | Learn Entry | Learn Entry |
- Create the file
demo1-policy.jsonwith the next content material (substituteemr-steps-roles-new-us-east-1along with your bucket identify): - Create the file
demo2-policy.jsonwith the next content material (substituteemr-steps-roles-new-us-east-1along with your bucket identify): - Create our IAM insurance policies:
- Assign to every function the associated coverage (change 123456789012 along with your AWS account ID):
To make use of runtime roles with Amazon EMR steps, we have to add the next coverage to our EMR cluster’s EC2 occasion profile (on this instance
EMR_EC2_DefaultRole). With this coverage, the underlying EC2 situations for the EMR cluster can assume the runtime function and apply a tag to that runtime function. - Create the file
runtime-roles-policy.jsonwith the next content material (change 123456789012 along with your AWS account ID): - Create the IAM coverage:
- Assign the created coverage to the EMR cluster’s EC2 occasion profile, on this instance
EMR_EC2_DefaultRole:
Check permissions with runtime roles
We’re now able to carry out our first take a look at. We run the take a look at.py script, beforehand uploaded to Amazon S3, two instances as Spark steps: first utilizing the test-emr-demo1 function after which utilizing the test-emr-demo2 function because the runtime roles.
To run an EMR step specifying a runtime function, you want the newest model of the AWS CLI. For extra particulars about updating the AWS CLI, discuss with Putting in or updating the newest model of the AWS CLI.
Let’s submit a step specifying test-emr-demo1 because the runtime function:
This command returns an EMR step ID. To examine our step output logs, we will proceed two other ways:
- From the Amazon EMR console – On the Steps tab, select the View logs hyperlink associated to the precise step ID and choose
stdout. - From Amazon S3 – Whereas launching our cluster, we configured an S3 location for logging. We will discover our step logs beneath
$(LOG_URI)/steps/<stepID>/stdout.gz.
The logs might take a few minutes to populate after the step is marked as Accomplished.
The next is the output of the EMR step with test-emr-demo1 because the runtime function:
As we will see, solely the demo1 folder was accessible by our utility.
Diving deeper into the step stderr logs, we will see that the associated YARN utility application_1656350436159_0017 was launched with the person 6GC64F33KUW4Q2JY6LKR7UAHWETKKXYL. We will affirm this by connecting to the EMR major occasion utilizing SSH and utilizing the YARN CLI:
Please word that in your case, the YARN utility ID and the person might be totally different.
Now we submit the identical script once more as a brand new EMR step, however this time with the function test-emr-demo2 because the runtime function:
The next is the output of the EMR step with test-emr-demo2 because the runtime function:
As we will see, solely the demo2 folder was accessible by our utility.
Diving deeper into the step stderr logs, we will see that the associated YARN utility application_1656350436159_0018 was launched with a special person 7T2ORHE6Z4Q7PHLN725C2CVWILZWYOLE. We will affirm this through the use of the YARN CLI:
Every step was in a position to solely entry the CSV file that was allowed by the runtime function, so step one was in a position to solely entry s3://emr-steps-roles-new-us-east-1/demo1/take a look at.csv and the second step was solely in a position to entry s3://emr-steps-roles-new-us-east-1/demo2/take a look at.csv. As well as, we noticed that Amazon EMR created a novel person for the steps, and used the person to run the roles. Please word that each roles want at the least learn entry to the S3 location the place the step scripts are positioned (for instance, s3://emr-steps-roles-demo-bucket/scripts/take a look at.py).
Now that we now have seen how runtime roles for EMR steps work, let’s take a look at how we will use Lake Formation to use fine-grained entry controls with EMR steps.
Use Lake Formation-based entry management with EMR steps
You should use Lake Formation to use table- and column-level permissions with Apache Spark and Apache Hive jobs submitted as EMR steps. First, the info lake admin in Lake Formation must register Amazon EMR because the AuthorizedSessionTagValue to implement Lake Formation permissions on EMR. Lake Formation makes use of this session tag to authorize callers and supply entry to the info lake. The Amazon EMR worth is referenced contained in the step-runtime-roles-sec-cfg.json file we used earlier once we created the EMR safety configuration, and contained in the trust-policy.json file we used to create the 2 runtime roles test-emr-demo1 and test-emr-demo2.
We will accomplish that on the Lake Formation console within the Exterior knowledge filtering part (change 123456789012 along with your AWS account ID).
On the IAM runtime roles’ belief coverage, we have already got the sts:TagSession permission with the situation “aws:RequestTag/LakeFormationAuthorizedCaller": "Amazon EMR". So we’re able to proceed.
To show how Lake Formation works with EMR steps, we create one database named entities with two tables named customers and merchandise, and we assign in Lake Formation the grants summarized within the following desk.
| IAM Roles Tables | entities (DB) |
|
| customers (Desk) |
merchandise (Desk) |
|
| test-emr-demo1 | Full Learn Entry | No Entry |
| test-emr-demo2 | Learn Entry on Columns: uid, state | Full Learn Entry |
Put together Amazon S3 information
We first put together our Amazon S3 information.
- Create the
customers.csvfile with the next content material: - Create the merchandise.csv file with the next content material:
- Add these information to Amazon S3 in two totally different areas:
Put together the database and tables
We will create our entities database through the use of the AWS Glue APIs.
- Create the
entities-db.jsonfile with the next content material (substituteemr-steps-roles-new-us-east-1 along with your bucket identify): - With a Lake Formation admin person, run the next command to create our database:
We additionally use the AWS Glue APIs to create the tables customers and merchandise.
- Create the
users-table.jsonfile with the next content material (substituteemr-steps-roles-new-us-east-1along with your bucket identify): - Create the
products-table.jsonfile with the next content material (substituteemr-steps-roles-new-us-east-1along with your bucket identify): - With a Lake Formation admin person, create our tables with the next instructions:
Arrange the Lake Formation knowledge lake areas
To entry our tables knowledge in Amazon S3, Lake Formation wants learn/write entry to them. To realize that, we now have to register Amazon S3 areas the place our knowledge resides and specify for them which IAM function to acquire credentials from.
Let’s create our IAM function for the info entry.
- Create a file known as
trust-policy-data-access-role.jsonwith the next content material: - Use the coverage to create the IAM
function emr-demo-lf-data-access-role: - Create the file
data-access-role-policy.jsonwith the next content material (substituteemr-steps-roles-new-us-east-1along with your bucket identify): - Create our IAM coverage:
- Assign to our
emr-demo-lf-data-access-rolethe created coverage (change 123456789012 along with your AWS account ID):We will now register our knowledge location in Lake Formation.
- On the Lake Formation console, select Knowledge lake areas within the navigation pane.
- Right here we will register our S3 location containing knowledge for our two tables and select the created
emr-demo-lf-data-access-roleIAM function, which has learn/write entry to that location.
For extra particulars about including an Amazon S3 location to your knowledge lake and configuring your IAM knowledge entry roles, discuss with Including an Amazon S3 location to your knowledge lake.
Implement Lake Formation permissions
To make certain we’re utilizing Lake Formation permissions, we should always affirm that we don’t have any grants arrange for the principal IAMAllowedPrincipals. The IAMAllowedPrincipals group consists of any IAM customers and roles which are allowed entry to your Knowledge Catalog sources by your IAM insurance policies, and it’s used to keep up backward compatibility with AWS Glue.
To verify Lake Formations permissions are enforced, navigate to the Lake Formation console and select Knowledge lake permissions within the navigation pane. Filter permissions by “Database”:“entities” and take away all of the permissions given to the principal IAMAllowedPrincipals.
For extra particulars on IAMAllowedPrincipals and backward compatibility with AWS Glue, discuss with Altering the default safety settings in your knowledge lake.
Configure AWS Glue and Lake Formation grants for IAM runtime roles
To permit our IAM runtime roles to correctly work together with Lake Formation, we should always present them the lakeformation:GetDataAccess and glue:Get* grants.
Lake Formation permissions management entry to Knowledge Catalog sources, Amazon S3 areas, and the underlying knowledge at these areas. IAM permissions management entry to the Lake Formation and AWS Glue APIs and sources. Due to this fact, though you may need the Lake Formation permission to entry a desk within the Knowledge Catalog (SELECT), your operation fails in the event you don’t have the IAM permission on the glue:Get* API.
For extra particulars about Lake Formation entry management, discuss with Lake Formation entry management overview.
- Create the
emr-runtime-roles-lake-formation-policy.jsonfile with the next content material: - Create the associated IAM coverage:
- Assign this coverage to each IAM runtime roles (change 123456789012 along with your AWS account ID):
Arrange Lake Formation permissions
We now arrange the permission in Lake Formation for the 2 runtime roles.
- Create the file
users-grants-test-emr-demo1.jsonwith the next content material to grant SELECT entry to all columns within theentities.customersdesk totest-emr-demo1: - Create the file
users-grants-test-emr-demo2.jsonwith the next content material to grant SELECT entry to theuidandstatecolumns within theentities.customersdesk totest-emr-demo2: - Create the file
products-grants-test-emr-demo2.jsonwith the next content material to grant SELECT entry to all columns within theentities.merchandisedesk totest-emr-demo2: - Let’s arrange our permissions in Lake Formation:
- Test the permissions we outlined on the Lake Formation console on the Knowledge lake permissions web page by filtering by
“Database”:“entities”.
Check Lake Formation permissions with runtime roles
For our take a look at, we use a PySpark utility known as test-lake-formation.py with the next content material:
Within the script, we’re making an attempt to entry the tables customers and merchandise. Let’s add our Spark utility in the identical S3 bucket that we used earlier:
We’re now able to carry out our take a look at. We run the test-lake-formation.py script first utilizing the test-emr-demo1 function after which utilizing the test-emr-demo2 function because the runtime roles.
Let’s submit a step specifying test-emr-demo1 because the runtime function:
The next is the output of the EMR step with test-emr-demo1 because the runtime function:
As we will see, our utility was solely in a position to entry the customers desk.
Submit the identical script once more as a brand new EMR step, however this time with the function test-emr-demo2 because the runtime function:
The next is the output of the EMR step with test-emr-demo2 because the runtime function:
As we will see, our utility was in a position to entry a subset of columns for the customers desk and all of the columns for the merchandise desk.
We will conclude that the permissions whereas accessing the Knowledge Catalog are being enforced primarily based on the runtime function used with the EMR step.
Audit utilizing the supply id
The supply id is a mechanism to watch and management actions taken with assumed roles. The Propagate supply id characteristic equally lets you monitor and management actions taken utilizing runtime roles by the roles submitted with EMR steps.
We already configured EMR_EC2_defaultRole with "sts:SetSourceIdentity" on our two runtime roles. Additionally, each runtime roles let EMR_EC2_DefaultRole to SetSourceIdentity of their belief coverage. So we’re able to proceed.
We now see the Propagate supply id characteristic in motion with a easy instance.
Configure the IAM function that’s assumed to submit the EMR steps
We configure the IAM function job-submitter-1, which is assumed specifying the supply id and which is used to submit the EMR steps. On this instance, we enable the IAM person paul to imagine this function and set the supply id. Please word you need to use any IAM principal right here.
- Create a file known as
trust-policy-2.jsonwith the next content material (change 123456789012 along with your AWS account ID): - Use it because the belief coverage to create the IAM function
job-submitter-1:We use now the identical
emr-runtime-roles-submitter-policycoverage we outlined earlier than to permit the function to submit EMR steps utilizing thetest-emr-demo1andtest-emr-demo2runtime roles. - Assign this coverage to the IAM function
job-submitter-1(change 123456789012 along with your AWS account ID):
Check the supply id with AWS CloudTrail
To indicate how propagation of supply id works with Amazon EMR, we generate a task session with the supply id test-ad-user.
With the IAM person paul (or with the IAM principal you configured), we first carry out the impersonation (change 123456789012 along with your AWS account ID):
The next code is the output acquired:
We use the momentary AWS safety credentials of the function session, to submit an EMR step together with the runtime function test-emr-demo1:
In a couple of minutes, we will see occasions showing within the AWS CloudTrail log file. We will see all of the AWS APIs that the roles invoked utilizing the runtime function. Within the following snippet, we will see that the step carried out the sts:AssumeRole and lakeformation:GetDataAccess actions. It’s value noting how the supply id test-ad-user has been preserved within the occasions.
Clear up
Now you can delete the EMR cluster you created.
- On the Amazon EMR console, select Clusters within the navigation pane.
- Choose the cluster
iam-passthrough-cluster, then select Terminate. - Select Terminate once more to verify.
Alternatively, you may delete the cluster through the use of the Amazon EMR CLI with the next command (change the EMR cluster ID with the one returned by the beforehand run aws emr create-cluster command):
Conclusion
On this publish, we mentioned how one can management knowledge entry on Amazon EMR on EC2 clusters through the use of runtime roles with EMR steps. We mentioned how the characteristic works, how you need to use Lake Formation to use fine-grained entry controls, and the way to monitor and management actions utilizing a supply id. To study extra about this characteristic, discuss with Configure runtime roles for Amazon EMR steps.
In regards to the authors
Stefano Sandona is an Analytics Specialist Answer Architect with AWS. He loves knowledge, distributed techniques and safety. He helps prospects all over the world architecting their knowledge platforms. He has a powerful deal with Amazon EMR and all the safety facets round it.
Sharad Kala is a senior engineer at AWS working with the EMR group. He focuses on the safety facets of the purposes working on EMR. He has a eager curiosity in working and studying about distributed techniques.
