tencent cloud

Role Authorization

Last updated: 2024-10-30 15:50:01
    When using the EMR service, users need to grant the service account the default system role EMR_QCSRole. Once the role is successfully granted, EMR can call related services (such as TKE and COS) to create clusters and save logs.
    Note
    When enabling EMR for the first time, you need to complete the role authorization process using the root account; otherwise, neither sub-accounts nor the root account can use EMR.

    Role Authorization Process

    1. When a user creates a cluster or an on-demand execution plan, if the EMR_QCSRole role authorization for the service account fails, the user is redirected to a page explaining the permission limitation. On that page, click Go to CAM to proceed with role authorization.
    2. Click Agree to Authorize to authorize the default role EMR_QCSRole to the EMR service account.
    3. After authorization is completed, the user needs to refresh the EMR console or purchase page, after which normal operations can proceed. For more detailed information on EMR_QCSRole policies, you can log in to the CAM Console. The permissions included in EMR_QCSRole can be found in Collaborator/Sub-account Permissions.

    Special Instructions for Service Role Authorization Related to EMR on TKE Clusters

    When you create or use an EMR on TKE cluster, data needs to be directly written to or calculated in Cloud Object Storage (COS). To ensure data security, EMR should be granted temporary keys to read and write COS resources. Therefore, the relevant EMR service-related role EMR_QCSLinkedRoleInApplicationDataAccess should be authorized and bound to the QcloudAccessForEMRLinkedRoleInApplicationDataAccess preset policy.
    1. When viewing the EMR on TKE cluster list, you need to check if the service-related role EMR_QCSLinkedRoleInApplicationDataAccess is bound to the EMR service.
    2. If the EMR service-related role EMR_QCSLinkedRoleInApplicationDataAccess does not exist, authorization and binding need to be performed.
    Note
    If you need to specify cluster access permissions for the corresponding COS resources in a more refined manner, see Custom Service Roles for settings.

    EMR on TKE Cluster Authentication Description

    The permission settings for sub-accounts and collaborators are consistent with those of the EMR on CVM version. For details, see Collaborator/Sub-account Permissions.
    Tag authentication and API authentication settings are consistent with those of the EMR on CVM version. For details, see Authentication Granularity Scheme.
    