
Collaborator/Sub-user Permissions
Last updated: 2025-02-18 16:59:52
Tencent Cloud EMR (hereinafter referred to as EMR) requires access to or operations on other related cloud products during operation. To ensure normal operation and use of EMR by Collaborator or Sub-user, this document provides guidance on granting relevant permissions.

Permission Policies Overview

| Policy Name | Description | Required | Notes |
| --- | --- | --- | --- |
| QcloudCamRoleFullAccess | Full read-write access for CAM Users and Roles | No | Used as a Custom service role, it provides granular permission control for inter-product data access. Refer to Cluster COS Service Role for details. |
| QcloudEMRFullAccess | Full read-write access for EMR | No | Full feature operation permissions for EMR products. For details, see Purchase and Management of EMR Clusters. |
| QcloudEMRReadOnlyAccess | Read-only access for EMR | No | View permissions for all features of EMR products. |
| QcloudEMRPurchaseAccess | Financial permissions for EMR products | No | For details, see Purchase and Management of EMR Clusters. If purchase or change of configuration is not needed, this permission can be disabled. |

Caution
The pre-defined QcloudEMRPurchaseAccess policy allows you to manage the financial permissions for purchasing EMR products for all users. When this policy is granted to a user, it includes the financial permissions for CVM, CDB, and EMR. If you need to restrict a user's ability to purchase CVM and CDB, do not grant the corresponding product ordering permissions.

Application scenario

Authorize EMR to access other cloud products

1. Service role (mandatory): EMR needs access to cloud services such as CVM, CBS, and TencentDB. During the initial product purchase, the service role EMR_QCSRole must be assigned to EMR and granted the policy QcloudAccessForEMRRole (for requesting basic resources such as CVM, CBS, and TencentDB, and for read permissions on COS) along with EMR's access permissions to cloud resources.
2. Service-related role (optional): If EMR directly writes to or processes data in COS, then to ensure data security EMR needs the corresponding service-related role EMR_QCSLinkedRoleInApplicationDataAccess, which must be bound to the pre-defined policy QcloudAccessForEMRLinkedRoleInApplicationDataAccess so that COS resources are read and written using temporary keys.
Special Note on COS Bucket Access Authorization:
1. Since August 20, 2023, for new users or existing users modifying their authorization policies, the default service-related role EMR_QCSLinkedRoleInApplicationDataAccess is granted.
2. The current authorization policy for existing users is to bind the QcloudAccessForEMRRoleInApplicationDataAccess policy in the service role EMR_QCSRole.
3. When both the service-related role and service role are authorized, the service-related role is used by default. In the cluster instance information authorization policy, COS will show as authorized, and the cluster COS service role will display the EMR_QCSLinkedRoleInApplicationDataAccess role.

Purchase and manage EMR clusters

For scenarios involving resource purchasing, such as creating clusters, adding components, modifying configurations, or expanding collaborators/sub-users, it is necessary to grant QcloudEMRFullAccess. This is according to the Definition TencentDB purchasing policy. If no resource purchasing is involved, as in service configuration management or restarts, only the QcloudEMRFullAccess policy needs to be granted.
Caution
For the annual/monthly subscription purchase method, if financial permissions are not granted, a pending order will be generated and linked to an account with financial permissions for approval. The pay-as-you-go purchase method does not support order approval; financial permissions must be granted.
| Policy Category | Policy Name | Policy Description |
| --- | --- | --- |
| EMR Preset Policy | QcloudEMRFullAccess | Full read-write access for EMR (select one) |
| EMR Preset Policy | QcloudEMRReadOnlyAccess | Read-only access for EMR (choose one of the two) |
| EMR Preset Policy | QcloudEMRPurchaseAccess | Financial permissions for EMR products |

The root account grants the above permissions to the Sub-user or Collaborator. The steps are as follows:
1. Log in to the CAM Console, find the corresponding Sub-user or Collaborator in Users > User List, then click Authorize.
2. Search for the policy listed in the table above within Associated Policies (the QcloudEMRFullAccess policy is used as the example here). Once the policy is selected, click OK to confirm.
3. Grant the EMR financial policy QcloudEMRPurchaseAccess in the same way as in step 2.




Cluster COS Service Role

The EMR root account, or a Collaborator or Sub-user with QcloudCamRoleFullAccess, can precisely control COS bucket permissions and other cloud resource permissions. For details, see Cluster COS Service Role. The root account grants QcloudCamRoleFullAccess to the Sub-user or Collaborator as follows:
1. Log in to the CAM Console, find the corresponding Sub-user or Collaborator in Users > User List, then click Authorize.
2. Search for the QcloudCamRoleFullAccess policy within Associated Policies. Once the policy is selected, click OK to confirm.
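The grant rules in the purchase section and the COS special note can be checked before a sub-user is authorized. The sketch below is an added example, not Tencent Cloud code: the policy and role names are the ones on this page, while the function names, the input shape (a set of attached policy names) and the sample users are assumptions.

```python
# Added example. Policy and role names are from the page; the function names
# and the input shape (a set of attached policy names) are assumptions.
FULL = "QcloudEMRFullAccess"
READ_ONLY = "QcloudEMRReadOnlyAccess"
PURCHASE = "QcloudEMRPurchaseAccess"
CAM_ROLE = "QcloudCamRoleFullAccess"

def purchase_outcome(policies, billing):
    """Result of a purchase-type action (create cluster, change configuration)."""
    if FULL not in policies:
        return "denied: QcloudEMRFullAccess not granted"
    if PURCHASE in policies:
        return "allowed"
    if billing == "annual/monthly":
        return "pending order: approval by an account with financial permissions"
    return "denied: pay-as-you-go has no order approval"

def effective_cos_role(linked_role_authorized, service_role_policy_bound):
    """Role a cluster uses for COS data access, per the special note."""
    if linked_role_authorized:  # wins when both are authorized
        return "EMR_QCSLinkedRoleInApplicationDataAccess"
    return "EMR_QCSRole" if service_role_policy_bound else None

def review(policies, needs_purchase, manages_roles):
    """Flag grants that exceed what the user's job needs."""
    findings = []
    if FULL in policies and READ_ONLY in policies:
        findings.append("full and read-only EMR policies both attached; pick one")
    if PURCHASE in policies and not needs_purchase:
        findings.append("QcloudEMRPurchaseAccess not needed; it also covers CVM and CDB purchases")
    if CAM_ROLE in policies and not manages_roles:
        findings.append("QcloudCamRoleFullAccess not needed; it grants full CAM user and role access")
    return findings

# Constructed sample sub-users (not real accounts).
USERS = {
    "ops-restart": ({FULL}, False, False),
    "analyst": ({FULL, READ_ONLY, PURCHASE, CAM_ROLE}, False, False),
}

if __name__ == "__main__":
    for name, (policies, buys, roles) in USERS.items():
        print(name, review(policies, buys, roles))
        print(" pay-as-you-go purchase:", purchase_outcome(policies, "pay-as-you-go"))
    print(effective_cos_role(True, True))
```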



