How do I resolve Access denied errors for IAM users and roles in EMR Serverless?

2 minute read
0

I want to resolve Access denied errors for AWS Identity and Access Management (IAM) users and roles in Amazon EMR Serverless.

Resolution

Resolve Access denied errors for IAM users or roles in EMR Serverless based on the error messages that you receive.

You don't have the necessary permissions for EMR Serverless

When your IAM user or role doesn't have the permissions to use EMR Serverless, you receive an error message that's similar to the following one:

"You do not have necessary permissions for EMR Serverless."

To resolve this error, grant your IAM user or role the permissions to use EMR Serverless.

The user isn't authorized to perform an action on a resource

When your IAM user or role doesn't have the necessary permissions to perform a specific action on a resource, you receive an error message that's similar to the following one:

"User: arn:aws:sts:example-region:example-aws-account:XXX/YYY is not authorized to perform: example-resource:action on resource: arn:aws:elasticmapreduce:example-region:example-AWS-account:example-resource/action because no identity-based policy allows the example-resource:action"

To resolve this error, identify the action that isn't allowed, and then add the action to your role's policy.

For example, in the following error message, the elasticmapreduce:CreateStudioPresignedUrl action isn't allowed:

"User: arn:aws:sts::example-AWS-account:assumed-role/example-role/example-user assuming the role is not authorized to perform: elasticmapreduce:CreateStudioPresignedUrl on resource: arn:aws:elasticmapreduce:
example-region:example-AWS-account:studio/es-xxx because no identity-based policy allows the elasticmapreduce:CreateStudioPresignedUrl action"

Related information

Troubleshooting errors in EMR Serverless

AWS OFFICIAL
AWS OFFICIALUpdated 2 months ago