我正在尝试创建一个AWS lambda函数,该函数使用Java SDK启动EMR集群。
我的执行角色包含策略AmazonEMRFullAccessPolicy_v2(请参阅下面的云信息(,但我有以下错误:
"errorMessage": "User: arn:aws:sts::978841875846:assumed-role/bex-one-identity-recon_role_us-west-2/bex-one-identity-recon
is not authorized to perform: elasticmapreduce:RunJobFlow
on resource: arn:aws:elasticmapreduce:us-east-1:978841875846:cluster/* because
no identity-based policy allows the elasticmapreduce:RunJobFlow action
(Service: AmazonElasticMapReduce; Status Code: 400; Error Code: AccessDeniedException; Request ID: 189c923c-c3d5-44ec-a04b-8448dd4105f3)",
云层形成:
LambdaRole:
Type: AWS::IAM::Role
Properties:
RoleName: !Sub "${KumoRole}_role_${AWS::Region}"
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: !Sub "${KumoRole}-cloudwatch_policy_${AWS::Region}"
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- logs:PutLogEvents
- logs:CreateLogGroup
- logs:CreateLogStream
Resource:
- arn:aws:logs:*:*:*
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2
Lambda代码
public String handleRequest(Void event, Context context) {
AmazonElasticMapReduce emr = AmazonElasticMapReduceClientBuilder.standard()
.withRegion(Regions.US_EAST_1)
.build();
HadoopJarStepConfig hadoopJarStepConfig = new HadoopJarStepConfig()
.withJar("command-runner.jar")
.withArgs(...);
StepConfig stepConfig = new StepConfig()
.withName("Recon job")
.withActionOnFailure("TERMINATE_JOB_FLOW")
.withHadoopJarStep(hadoopJarStepConfig);
Application spark = new Application().withName("Spark");
RunJobFlowRequest request = new RunJobFlowRequest()
.withName("Spark Cluster")
.withReleaseLabel("emr-6.5.0")
.withSteps(stepConfig)
.withApplications(spark)
.withLogUri("s3://aws-logs-978841875846-us-east-1/elasticmapreduce/")
.withServiceRole("EMR_DefaultRole")
.withJobFlowRole("EMR_EC2_DefaultRole")
.withInstances(new JobFlowInstancesConfig()
.withEc2SubnetId("subnet-0c5fd0bf46ee8b237")
.withInstanceCount(2)
.withKeepJobFlowAliveWhenNoSteps(false)
.withTerminationProtected(false)
.withMasterInstanceType("m5.xlarge")
.withSlaveInstanceType("m5.2xlarge")
);
emr.runJobFlow(request);
}
正如Fedonev所指出的,我错过了"aws:RequestTag/for-use-with-amazon-emr-managed-policies": "true"的用户
我通过在RunJobFlowRequest创建上添加标签解决了这个问题:
.withTags(Collections.singleton(new Tag("for-use-with-amazon-emr-managed-policies", "true")))