The instructions below show you how to deploy and set up EMR Studio with single sign-on (SSO).
- Enable SSO for your AWS account, if it is not already enabled
  - Go to IAM Identity Center (successor to AWS Single Sign-On)
  - Click the Enable button
  - Click through the prompts
- Run the CloudFormation stack. It will create the resources required for this example. The resources created by the CloudFormation stack are documented in the architecture below
- Create an SSO user
  - Go to IAM Identity Center (successor to AWS Single Sign-On) User Page
  - Click the Add user button
  - Click through the prompts
- Add a user to the EMR Studio
  - Go to EMR Studio Home Page
  - Click on the studio named EMR-Studio-Demo
  - Click on add users and select the SSO user you created
- Assign policy to the user
  - Go to EMR Studio Home Page
  - Click on the studio named EMR-Studio-Demo
  - Select the bubble next to the SSO user
  - Click on the Assign policy button
  - Apply the advanced-user-policy-emr-studio to the user
- Log into EMR Studio
If you have never created an EMR cluster in your account before, you may not have the EMR_DefaultRole and EMR_EC2_DefaultRole roles. To create them, run the following AWS CLI command.
If you don't have the AWS CLI set up locally, you can run this command via CloudShell.

```
aws emr create-default-roles
```

You may also need to create the AWSServiceRoleForEMRCleanup role if it does not already exist. To create this role:
- Go to IAM Console Page
- Click on Roles, Create role, AWS service, EMR, EMR - Clean Up
- Click through the prompts and create the role
These roles (EMR_DefaultRole, EMR_EC2_DefaultRole, AWSServiceRoleForEMRCleanup) are required for users to create EMR clusters via EMR Studio.
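
A pre-flight check for the three roles named above, as an added example that is not part of the original instructions or the stack. The function names and the sample role list are assumptions constructed for illustration; the live invocation in the final comment uses `aws iam list-roles` and needs the `iam:ListRoles` permission.

```shell
#!/bin/sh
# Added example: pre-flight check for the IAM roles this page lists as required.
REQUIRED_EMR_ROLES="EMR_DefaultRole EMR_EC2_DefaultRole AWSServiceRoleForEMRCleanup"

# Read role names (any whitespace-separated form) on stdin and print each
# required role that is absent, one per line. Matching is on the whole name,
# so a look-alike such as EMR_EC2_DefaultRole_Backup does not count.
missing_emr_roles() {
    existing=" $(tr -s '[:space:]' ' ') "
    for role in $REQUIRED_EMR_ROLES; do
        case "$existing" in
            *" $role "*) ;;
            *) printf '%s\n' "$role" ;;
        esac
    done
}

# Map a missing role to the step on this page that creates it.
remediation_for() {
    case "$1" in
        EMR_DefaultRole|EMR_EC2_DefaultRole)
            echo "run: aws emr create-default-roles" ;;
        AWSServiceRoleForEMRCleanup)
            echo "IAM console: Roles > Create role > AWS service > EMR > EMR - Clean Up" ;;
        *)
            echo "not a role this check covers" ;;
    esac
}

# Report on stdin's role list; returns 1 if anything is missing.
preflight() {
    missing=$(missing_emr_roles)
    if [ -z "$missing" ]; then
        echo "all required EMR roles present"
        return 0
    fi
    for role in $missing; do
        echo "MISSING $role -> $(remediation_for "$role")"
    done
    return 1
}

# Constructed sample input (not output from a real account).
SAMPLE_ROLES="AWSServiceRoleForSupport EMR_DefaultRole MyAppRole EMR_EC2_DefaultRole_Backup"
printf '%s\n' "$SAMPLE_ROLES" | preflight || true

# Against a live account (needs iam:ListRoles):
#   aws iam list-roles --query 'Roles[].RoleName' --output text | preflight
```
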
- Service Catalog integration