【Title】IAM Role does not exist for EMR Notebooks
【Posted】2020-06-02 06:26:59
【Question】

I am trying to create a notebook on an Amazon EMR cluster.

I could not find the default role for notebooks, EMR_Notebooks_DefaultRole, to add as the IAM role. All the roles that are available are:

After adding the policy and adding the role I get the following error:

Error: Service role does not have access to S3 LocationUri {}

Contents of EMR_Notebooks_DefaultRole:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CancelSpotInstanceRequests",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcs",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:RequestSpotInstances",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:DeleteVolume",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVolumes",
                "ec2:DetachVolume",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:ListRolePolicies",
                "iam:PassRole",
                "s3:*",
                "s3:CreateBucket",
                "s3:Get*",
                "s3:List*",
                "sdb:BatchPutAttributes",
                "sdb:Select",
                "sqs:CreateQueue",
                "sqs:Delete*",
                "sqs:GetQueue*",
                "sqs:PurgeQueue",
                "sqs:ReceiveMessage",
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms",
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DeleteScalingPolicy",
                "application-autoscaling:Describe*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "spot.amazonaws.com"
                }
            }
        }
    ]
}

BlocNotes   Stopped

【Comments】

  • Please check whether the required role exists under IAM/roles. If it does not, you have to create the role from the policy AWS provides, or, if you want more fine-grained control, you may also have to create your own custom policy.
  • @Shubhamoli Thanks for the reply, the role exists. I added it and got this error: Error: Service role does not have access to S3 LocationUri {}
  • I added an image to my original post @Shubhamoli
  • Please attach the policy needed to access S3
  • @Shubhamoli Please see my original post. What should I add? Many thanks in advance

Tags: python amazon-web-services jupyter-notebook amazon-emr


【Solution 1】

Your policy already contains "s3:*"; apply it to the S3 bucket

explicitly, including the bucket ARN and the folder path:

  • arn:aws:s3:::bucket

  • arn:aws:s3:::bucket/*

Also specify a folder in the path when creating the notebook in the EMR console.

【Comments】

    【Solution 2】

    I just ran into the same problem; when I manually added a "notebooks" folder to my S3 bucket it worked fine.

    【Comments】

    【Solution 3】

    To fix this, go to the S3 bucket and update the bucket policy as follows:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::632293491421:role/EMR_DefaultRole"
                },
                "Action": [
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::aws-emr-resources-632293491421-eu-west-1"
                ]
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::632293491421:role/EMR_DefaultRole"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:GetObject",
                    "s3:DeleteObject"
                ],
                "Resource": [
                    "arn:aws:s3:::aws-emr-resources-632293491421-eu-west-1/*"
                ]
            }
        ]
    }
    

    The screenshot below may help!

    【Comments】
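Solutions 1 and 3 both come down to the same point: the role's S3 grants have to cover two different ARNs, the bucket ARN for s3:ListBucket and bucket/prefix/* for the object actions, because IAM evaluates ListBucket against the bucket, not against bucket/*. The following is an added example, not code from the question or the answers: an offline checker that takes a policy document and a notebook LocationUri and reports which of the required grants are missing. The required action set (ListBucket on the bucket, Get/Put/DeleteObject under the prefix) is taken from the bucket policy in Solution 3 and is assumed to be the minimum; the two policy documents, the bucket name and the account ID 123456789012 are constructed placeholders.

```python
"""Offline check: does a policy grant what an EMR Notebook needs on its LocationUri?

Added example (not from the original question or answers). Evaluates only
Effect/Action/Resource with IAM wildcard rules and deny-overrides-allow;
Principal, Condition, NotAction and NotResource are ignored (assumption).
"""
import re
from urllib.parse import urlparse

# Actions the notebook service role needs, split by the ARN they are evaluated
# against. Taken from the bucket policy in Solution 3 (assumed to be the minimum).
BUCKET_ACTIONS = ("s3:ListBucket",)
OBJECT_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:DeleteObject")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def arns_for_location(location_uri):
    """Map s3://bucket/prefix/ to (bucket ARN, ARN of a representative notebook object)."""
    parsed = urlparse(location_uri)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError("LocationUri must look like s3://bucket/prefix/")
    prefix = parsed.path.lstrip("/")
    if prefix and not prefix.endswith("/"):
        prefix += "/"
    bucket_arn = f"arn:aws:s3:::{parsed.netloc}"
    # A notebook file is stored as an object under the prefix; model one key.
    return bucket_arn, f"{bucket_arn}/{prefix}example.ipynb"


def is_allowed(policy, action, resource_arn):
    """True if the policy allows `action` on `resource_arn`. Action names are
    case-insensitive in IAM, resource ARNs are not. An explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(_iam_match(a, action.lower()) for a in actions):
            continue
        if not any(_iam_match(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, location_uri):
    """List the (action, ARN) pairs the notebook needs that the policy does not grant."""
    bucket_arn, object_arn = arns_for_location(location_uri)
    needed = [(a, bucket_arn) for a in BUCKET_ACTIONS] + [(a, object_arn) for a in OBJECT_ACTIONS]
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]


# Constructed placeholders (not from the page): account 123456789012, eu-west-1.
BUCKET = "aws-emr-resources-123456789012-eu-west-1"
LOCATION = f"s3://{BUCKET}/notebooks/"

# The scoped form Solution 1 recommends instead of "s3:*" on "*": the bucket ARN
# for listing, bucket/prefix/* for the object actions.
SCOPED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/notebooks/*"},
    ],
}

# A common mistake: only bucket/prefix/* is listed, so s3:ListBucket is never
# granted and the console reports the role cannot access the LocationUri.
OBJECTS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/notebooks/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_ROLE_POLICY), ("objects-only", OBJECTS_ONLY_POLICY)):
        print(name, "missing:", missing_permissions(policy, LOCATION))
```

Run against the objects-only policy, the checker reports exactly the ListBucket grant on the bucket ARN as missing, which is the failure the asker's error message describes; against the scoped policy it reports nothing, while still denying access to any other bucket, unlike the original "s3:*" on "*".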

      【Solution 4】

      To create EMR_Notebooks_DefaultRole, choose Create default role.

      AWS documentation:

       If a notebook has not been created before, you can choose to create the default role.
      

      【Comments】
