I want to resolve Access denied errors for AWS Identity and Access Management (IAM) users and roles in Amazon EMR Serverless.
Resolution
Resolve Access denied errors for IAM users or roles in EMR Serverless based on the error messages that you receive.
You don't have the necessary permissions for EMR Serverless
When your IAM user or role doesn't have the permissions to use EMR Serverless, you receive an error message that's similar to the following one:
"You do not have necessary permissions for EMR Serverless."
To resolve this error, grant your IAM user or role the permissions to use EMR Serverless.
The user isn't authorized to perform an action on a resource
When your IAM user or role doesn't have the necessary permissions to perform a specific action on a resource, you receive an error message that's similar to the following one:
"User: arn:aws:sts:example-region:example-aws-account:XXX/YYY is not authorized to perform: example-resource:action on resource: arn:aws:elasticmapreduce:example-region:example-AWS-account:example-resource/action because no identity-based policy allows the example-resource:action"
To resolve this error, identify the action that isn't allowed, and then add the action to your role's policy.
For example, in the following error message, the elasticmapreduce:CreateStudioPresignedUrl action isn't allowed:
"User: arn:aws:sts::example-AWS-account:assumed-role/example-role/example-user assuming the role is not authorized to perform: elasticmapreduce:CreateStudioPresignedUrl on resource: arn:aws:elasticmapreduce:example-region:example-AWS-account:studio/es-xxx because no identity-based policy allows the elasticmapreduce:CreateStudioPresignedUrl action"
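The following Python sketch is an added example, not part of the original article or an AWS tool. It parses a denial message in the format shown above, names the role whose policy needs the change, and builds an Allow statement limited to the denied action and resource. The function names are hypothetical, and the sample message is constructed from the article's placeholders.

```python
import json
import re

# Matches the denial message format quoted in this article.
DENIED_RE = re.compile(
    r"User:\s*(?P<principal>arn:\S+).*?is not authorized to perform:\s*"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)\s+on resource:\s*"
    r"(?P<resource>arn:\S+)\s*(?P<reason>.*)$"
)

# Constructed sample: the article's placeholder message, wrapped mid-ARN
# the way a console or log copy often wraps it.
SAMPLE = (
    '"User: arn:aws:sts::example-AWS-account:assumed-role/example-role/'
    "example-user assuming the role is not authorized to perform: "
    "elasticmapreduce:CreateStudioPresignedUrl on resource: "
    "arn:aws:elasticmapreduce:\nexample-region:example-AWS-account:"
    "studio/es-xxx because no identity-based policy allows the "
    'elasticmapreduce:CreateStudioPresignedUrl action"'
)

def parse_access_denied(message):
    """Return principal, action, resource and reason, or None if no match."""
    # Rejoin ARNs split after a colon by a line wrap, then collapse whitespace.
    flat = re.sub(r":[ \t]*\n\s*", ":", message.strip().strip('"'))
    m = DENIED_RE.search(" ".join(flat.split()))
    return m.groupdict() if m else None

def role_name(principal_arn):
    """Name of the IAM role behind an assumed-role session ARN, else None."""
    m = re.match(r"arn:[^:]+:sts::[^:]*:assumed-role/([^/]+)/", principal_arn)
    return m.group(1) if m else None

def suggest_statement(message):
    """Allow statement scoped to exactly the denied action and resource."""
    d = parse_access_denied(message)
    # Only the case this article covers; other reasons need a different fix.
    if not d or "no identity-based policy allows" not in d["reason"]:
        return None
    return {"Effect": "Allow", "Action": [d["action"]], "Resource": [d["resource"]]}

if __name__ == "__main__":
    info = parse_access_denied(SAMPLE)
    print("Role to update:", role_name(info["principal"]))
    print(json.dumps(suggest_statement(SAMPLE), indent=2))
```

Review the generated statement before you add it to the role's policy, and keep the resource ARN as narrow as the message reports it.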
Related information
Troubleshooting errors in EMR Serverless