When I try to create an Amazon EMR cluster, I get one of these error messages:
"EMR_DefaultRole is invalid"
"EMR_EC2_DefaultRole is invalid"
These errors usually happen when you edit one or more of the AWS Identity and Access Management (IAM) policies that are attached to the Amazon EMR default roles. To troubleshoot, compare the modified roles to the original versions (AmazonElasticMapReduceRole or AmazonElasticMapReduceforEC2Role).
If you can't find the source of the problem, then delete and recreate the roles.
Compare the modified roles to the original versions
If you added policies to the IAM roles EMR_DefaultRole or EMR_EC2_DefaultRole, then review the changes that you made. Compare the modified versions of the roles to the original versions (AmazonElasticMapReduceRole or AmazonElasticMapReduceforEC2Role). If you can't determine what caused the problem, delete the roles and the instance profile, as explained in the following section.
Delete and recreate the roles and instance profile
Before you begin, note the following:
- Be sure that you don't have any running EC2 instances that use the role or instance profile that you're about to delete. Deleting a role or instance profile that's associated with a running instance breaks applications that are running on the instance.
- The following steps reset EMR_DefaultRole and EMR_EC2_DefaultRole to their original configurations. If you customized the IAM policies attached to these roles, then those changes are lost.
AWS Management Console
1. Use the IAM console to delete the roles. IAM automatically deletes the instance profile and policies associated with the role.
2. Open the Amazon EMR console.
3. Create an EMR cluster. For Permissions, choose Default. Amazon EMR creates the default roles when it launches the cluster. These roles are available to any clusters that you launch later.
AWS Command Line Interface (AWS CLI)
Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
1. Remove EMR_EC2_DefaultRole from the instance profile:
aws iam remove-role-from-instance-profile --instance-profile-name EMR_EC2_DefaultRole --role-name EMR_EC2_DefaultRole
2. Delete the instance profile:
aws iam delete-instance-profile --instance-profile-name EMR_EC2_DefaultRole
3. Remove the IAM policy that's associated with EMR_EC2_DefaultRole:
aws iam detach-role-policy --role-name EMR_EC2_DefaultRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role
4. Delete EMR_EC2_DefaultRole:
aws iam delete-role --role-name EMR_EC2_DefaultRole
5. Remove the IAM policy that's associated with EMR_DefaultRole:
aws iam detach-role-policy --role-name EMR_DefaultRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
6. Delete EMR_DefaultRole:
aws iam delete-role --role-name EMR_DefaultRole
7. Recreate the default roles:
aws emr create-default-roles
8. Launch a new EMR cluster.
Configure IAM service roles for Amazon EMR permissions to AWS services and resources