The custom service role feature enables you to create a CAM service role for granting access to COS resources. Please select Tencent Cloud Product Service as the service type and Elastic MapReduce as the service supporting the role. If no role is set, the system defaults to using the EMR_QCSLinkedRoleInApplicationDataAccess service-related role for accessing COS resources.
The following steps create a new custom service role and associate it with the cluster COS service role.
Note:
1. The cluster COS service role by default displays the currently bound role identity, and the cluster uses this role identity for reading and writing COS resources.
2. If both the EMR service-related role and the service role are authorized simultaneously, the new cluster will default to using the service-related role to access COS. The instance information authorization policy will show COS as authorized, and the cluster COS service role will display the EMR_QCSLinkedRoleInApplicationDataAccess service-related role.
3. When both the EMR service-related role and the service role are authorized, and the service-related role is not authorized through the cluster COS service role binding in the cluster instance information of the EMR on CVM console, the default service role EMR_QCSRole and identity QcloudAccessForEMRRoleInApplicationDataAccess will be used for COS access. If you need to use the service-related role, manually bind the EMR_QCSLinkedRoleInApplicationDataAccess service-related role in the cluster COS service role of the cluster instance information.
Step 1. Customize a Permission Policy
1. Log in to the CAM console, click Create Custom Policy, and select Create by Policy Syntax in the Select Policy Creation Method pop-up window.
2. On the Create by Policy Syntax page, select Blank Template as the template type.
3. Set the syntax policy as follows:
{
    "version": "2.0",
    "statement": [
        {
            "action": "cos:*",
            "effect": "allow",
            "resource": "qcs::cos::uid/appId:bucketName/*"
        }
    ]
}
Where appId is the AppID of the root account, and bucketName is the name of the target bucket. Generate a policy named TestPolicy. In practical cases, you can customize the name.
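As an added example (not part of the original page and not Tencent Cloud tooling), the following Python script reviews a policy document in the syntax above before it is saved in CAM: it flags wildcard actions such as cos:*, resources not scoped to one bucket, and placeholders left unreplaced. The function names, the sample AppID and bucket, and the two action names in the second sample are assumptions for illustration, not the set of actions EMR requires.

```python
import json
import re

# Resource layout taken from the policy on this page:
# qcs::cos:<region, may be empty>:uid/<appId>:<bucketName>/<object path>
RESOURCE_RE = re.compile(r"^qcs::cos:([^:]*):uid/([^:/]+):([^/]+)/(.*)$")

def as_list(value):
    """Normalize a string-or-list field (action, resource) to a list."""
    return value if isinstance(value, list) else [value]

def review_policy(policy_text):
    """Return (statement_index, finding) tuples for every allow statement."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(as_list(policy.get("statement", []))):
        if str(stmt.get("effect", "")).lower() != "allow":
            continue
        for action in as_list(stmt.get("action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for res in as_list(stmt.get("resource", [])):
            m = RESOURCE_RE.match(res)
            if res == "*" or m is None:
                findings.append((i, f"resource {res!r} is not scoped to one bucket"))
                continue
            _region, app_id, bucket, _path = m.groups()
            if not app_id.isdigit():
                findings.append((i, f"appId {app_id!r} is not numeric (placeholder?)"))
            if bucket in ("*", "bucketName"):
                findings.append((i, f"bucket {bucket!r} is a wildcard or placeholder"))
    return findings

# Constructed sample: the template from this page, placeholders not yet replaced.
TEMPLATE = '''{"version": "2.0", "statement": [{"action": "cos:*",
  "effect": "allow", "resource": "qcs::cos::uid/appId:bucketName/*"}]}'''

# Constructed sample: filled in and narrowed to two object actions (made-up IDs).
SCOPED = '''{"version": "2.0", "statement": [{
  "action": ["cos:GetObject", "cos:PutObject"], "effect": "allow",
  "resource": "qcs::cos::uid/1250000000:examplebucket-1250000000/emr/*"}]}'''

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("scoped", SCOPED)):
        print(name, review_policy(text) or "no findings")
```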
Step 2. Create a Custom Role
1. In the CAM console, click Create Role to open the Select role entity pop-up window, select Tencent Cloud Product Service to go to the Create Custom Role page, and select Elastic MapReduce (emr) in Product Service.
2. Associate the TestPolicy policy generated in step 1. In practical cases, you can associate a policy as needed.
3. Set the role tag keys and values and click Next.
4. Generate a custom role named EMRCosRole. In practical cases, you can customize the name.
Step 3. Bind the Role with an EMR Cluster
In the EMR console, click a cluster ID/name to go to the instance information page, select Instance info > Basic configuration > Custom Service Role and then click Set. Set the custom service role to the EMRCosRole role generated in step 2. In practical cases, you can customize the name.
Note:
1. Make sure that the custom service role associated with the cluster's COS service role includes specific access permissions for COS. If the associated role does not include the specific access permissions for COS, it will not be able to access COS.
2. Query Custom Service Role or Modify Custom Service Role with Predefined Permission Policy CAM.