When using the EMR service, users need to grant the service account the default system role EMR_QCSRole. Once the role is successfully granted, EMR can call related services (such as TKE and COS) to create clusters and save logs.
Note
When enabling EMR for the first time, you need to complete the role authorization process using the root account; otherwise, neither sub-accounts nor the root account can use EMR.
Role Authorization Process
1. When a user creates a cluster or an on-demand execution plan, if the EMR_QCSRole role authorization for the service account fails, the user is redirected to a page explaining the permission limitation. Click Go to CAM to proceed with role authorization.
2. Click Grant to authorize the default role EMR_QCSRole to the EMR service account.
3. After authorization is completed, the user needs to refresh the EMR console or purchase page, after which normal operations can proceed.
For more detailed information on EMR_QCSRole policies, you can log in to the CAM console. The permissions included in EMR_QCSRole can be found in Collaborator/Sub-account Permissions.
Special Instructions for Service Role Authorization Related to EMR on TKE Clusters
When you create or use an EMR on TKE cluster, data needs to be directly written to or calculated in Cloud Object Storage (COS). To ensure data security, EMR should be granted temporary keys to read and write COS resources. Therefore, the relevant EMR service-related role EMR_QCSLinkedRoleInApplicationDataAccess should be authorized and bound to the QcloudAccessForEMRLinkedRoleInApplicationDataAccess preset policy.
1. When viewing the EMR on TKE cluster list, you need to check if the service-related role EMR_QCSLinkedRoleInApplicationDataAccess is bound to the EMR service.
2. If the EMR service-related role EMR_QCSLinkedRoleInApplicationDataAccess does not exist, authorization and binding need to be performed.
Note
If you need to specify cluster access permissions for the corresponding COS resources in a more refined manner, see Custom Service Roles for settings.