Minimal DynamoDB Permissions for EMR EMRFS Consistent View

Question

Hey folks, does anyone know what a minimal IAM policy statement would be for granting Amazon DynamoDB access to Amazon EMR Cluster members for the purposes of EMRFS Consistent view?

`AmazonElasticMapReduceforEC2Role` grants `dynamodb:*` on `*` resources, which is pretty broad.

The ideal answer would have both the limited set of actions required, and a narrower resource spec.

Thanks!

Accepted Answer

You can try the following template. EmrFSMetadata is default name for the DDB table, but this can be overridden if a different name is preferred and use the policy accordingly.  But you can take a look [S3 Optimizer][1]. There is no need for a Dynamo DB table with S3 Optimizer and if the output is in Parquet.

```
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "dynamodb:BatchGetItem",
                    "dynamodb:BatchWriteItem",
                    "dynamodb:UpdateTimeToLive",
                    "dynamodb:ConditionCheckItem",
                    "dynamodb:PutItem",
                    "dynamodb:DeleteItem",
                    "dynamodb:Scan",
                    "dynamodb:ListTagsOfResource",
                    "dynamodb:Query",
                    "dynamodb:UpdateItem",
                    "dynamodb:DescribeTimeToLive",
                    "dynamodb:CreateTable",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:UpdateTable",
                    "dynamodb:DescribeTableReplicaAutoScaling"
                ],
                "Resource": "arn:aws:dynamodb:us-east-1:AccountID:table/EmrFSMetadata"
            }
        ]
    }
```

[1]: https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-spark-s3-optimized-committer.html

Minimal DynamoDB Permissions for EMR EMRFS Consistent View

相關內容