AWS::EMR::Cluster
The AWS::EMR::Cluster resource creates an Amazon EMR cluster. This cluster is a collection of EC2 instances that you can run big data frameworks on to process and analyze vast amounts of data. For more information, see Plan an Amazon EMR Cluster in the Amazon EMR Management Guide.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EMR::Cluster",
  "Properties" : {
    "AdditionalInfo" : JSON object,
    "Applications" : [ Applications, ... ],
    "AutoScalingRole" : String,
    "BootstrapActions" : [ Bootstrap Actions, ... ],
    "Configurations" : [ Configurations, ... ],
    "CustomAmiId" : String,
    "EbsRootVolumeSize" : Integer,
    "Instances" : JobFlowInstancesConfig,
    "JobFlowRole" : String,
    "KerberosAttributes" : Amazon EMR Cluster KerberosAttributes,
    "LogUri" : String,
    "Name" : String,
    "ReleaseLabel" : String,
    "ScaleDownBehavior" : String,
    "SecurityConfiguration" : String,
    "ServiceRole" : String,
    "Steps" : [ StepConfig, ... ],
    "Tags" : [ Resource Tag, ... ],
    "VisibleToAllUsers" : Boolean
  }
}
YAML
Type: AWS::EMR::Cluster
Properties:
  AdditionalInfo: JSON object
  Applications:
    - Applications
  AutoScalingRole: String
  BootstrapActions:
    - Bootstrap Actions
  Configurations:
    - Configurations
  CustomAmiId: String
  EbsRootVolumeSize: Integer
  Instances: JobFlowInstancesConfig
  JobFlowRole: String
  KerberosAttributes: Amazon EMR Cluster KerberosAttributes
  LogUri: String
  Name: String
  ReleaseLabel: String
  ScaleDownBehavior: String
  SecurityConfiguration: String
  ServiceRole: String
  Steps:
    - StepConfig
  Tags:
    - Resource Tag
  VisibleToAllUsers: Boolean
Properties
Note
For more information about the constraints and valid values of each property, see the Cluster data type in the Amazon EMR API Reference.
AdditionalInfo-
(Intended for advanced uses only.) Additional features that you want to select. This is meta information about third-party applications that third-party vendors use for testing purposes.
Required: No
Type: JSON object
Update requires: Replacement
Applications-
The software applications to deploy on the cluster, and the arguments that Amazon EMR passes to those applications.
Required: No
Type: List of Amazon EMR Cluster Application property types
Update requires: Replacement
AutoScalingRole-
An AWS Identity and Access Management (IAM) role for automatic scaling policies. The default role is EMR_AutoScaling_DefaultRole. The IAM role provides permissions that the automatic scaling feature requires to launch and terminate Amazon EC2 instances in an instance group.
Required: No
Type: String
Update requires: Replacement
BootstrapActions-
A list of bootstrap actions that Amazon EMR runs before starting applications on the cluster.
Required: No
Type: List of Amazon EMR Cluster BootstrapActionConfig property types
Update requires: Replacement
Configurations-
The software configuration of the Amazon EMR cluster.
Required: No
Type: List of Amazon EMR Cluster Configurations property types
Update requires: Replacement
CustomAmiId-
A custom Amazon Linux AMI for the cluster (instead of an EMR-owned AMI). For more information, see Using a Custom AMI in the Amazon EMR Management Guide.
Required: No
Type: String
Update requires: Replacement
Example:
"CustomAmiId" : "ami-7fb3bc69"
EbsRootVolumeSize-
The size, in GiB, of the EBS root device volume of the Linux AMI that's used for each EC2 instance.
Currently, AWS CloudFormation supports only Amazon EMR 4.0 and later software releases.
Required: No
Type: Integer
Update requires: Replacement
Instances-
Configures the EC2 instances that run jobs in the Amazon EMR cluster.
Required: Yes
Type: Amazon EMR Cluster JobFlowInstancesConfig
Update requires: Some interruptions
JobFlowRole-
(Also called instance profile and EC2 role.) Accepts an instance profile that's associated with the role that you want to use. All EC2 instances in the cluster assume this role. For more information, see Create and Use IAM Roles for Amazon EMR in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement
KerberosAttributes-
Attributes for Kerberos configuration when Kerberos authentication is enabled using a security configuration.
Required: No
Type: Amazon EMR Cluster KerberosAttributes
Update requires: Replacement
LogUri-
The S3 bucket location to which Amazon EMR writes log files from a job flow. If you don't specify a value, Amazon EMR doesn't write any log files.
Required: No
Type: String
Update requires: Replacement
Name-
A name for the Amazon EMR cluster.
Required: Yes
Type: String
Update requires: Replacement
ReleaseLabel-
The Amazon EMR software release label. A release is a set of software applications and components that you can install and configure on an Amazon EMR cluster. For more information, see About Amazon EMR Releases in the Amazon EMR Release Guide.
Currently, AWS CloudFormation supports only Amazon EMR 4.0 and later software releases.
Required: Conditional. If you specify the Applications property, you must specify this property.
Type: String
Update requires: Replacement
ScaleDownBehavior-
Indicates how individual EC2 instances terminate when an automatic scale-in activity occurs or an instance group is resized. For more information, see Cluster in the Amazon EMR API Reference.
Required: No
Type: String
Update requires: Replacement
SecurityConfiguration-
The name of the security configuration that's applied to the cluster.
Required: No
Type: String
Update requires: Replacement
ServiceRole-
The IAM role that Amazon EMR assumes to access AWS resources on your behalf. For more information, see Configure IAM Roles for Amazon EMR in the Amazon EMR Management Guide.
Required: Yes
Type: String
Update requires: Replacement
Steps-
The cluster (job flow) steps.
Required: No
Type: List of Amazon EMR Cluster StepConfig property types
Update requires: Replacement
Tags-
An arbitrary set of tags (key–value pairs) to help you identify the Amazon EMR cluster.
Required: No
Type: Resource Tag
Update requires: No interruption
VisibleToAllUsers-
Indicates whether the instances in the cluster are visible to all IAM users in the AWS account. If you specify true, all IAM users can view and (if they have permissions) manage the instances. If you specify false, only the IAM user that created the cluster can view and manage it.
Required: No
Type: Boolean
Update requires: No interruption
Default value: false
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the cluster ID, such as j-1ABCD123AB1A.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Fn::GetAtt returns a value for a specified attribute of this type.
The following are the available attributes and sample return values.
MasterPublicDNS-
The public DNS name of the master node (instance), such as ec2-12-123-123-123.us-west-2.compute.amazonaws.com.
For more information about using Fn::GetAtt, see Fn::GetAtt.
Examples
Create a Cluster with Two Core Nodes
The following example creates an Amazon EMR cluster with one master node and two core nodes. The specified IAM roles are the default roles provided by Amazon EMR. The example also assumes that the cluster is launched in an AWS Region with a default VPC and subnet. If you don't have these, use the Ec2SubnetId property to specify the VPC and subnet for the cluster. Otherwise, AWS CloudFormation can't launch the cluster and returns the following status message:
ElasticMapReduce Cluster failed to stabilize.
JSON
"TestCluster": {
  "Type": "AWS::EMR::Cluster",
  "Properties": {
    "Instances": {
      "MasterInstanceGroup": {
        "InstanceCount": 1,
        "InstanceType": "m3.xlarge",
        "Market": "ON_DEMAND",
        "Name": "Master"
      },
      "CoreInstanceGroup": {
        "InstanceCount": 2,
        "InstanceType": "m3.xlarge",
        "Market": "ON_DEMAND",
        "Name": "Core"
      },
      "TerminationProtected" : true
    },
    "Name": "TestCluster",
    "JobFlowRole": "EMR_EC2_DefaultRole",
    "ServiceRole": "EMR_DefaultRole",
    "ReleaseLabel": "emr-4.2.0",
    "Tags": [
      {
        "Key": "IsTest",
        "Value": "True"
      }
    ]
  }
}
YAML
TestCluster:
  Type: AWS::EMR::Cluster
  Properties:
    Instances:
      MasterInstanceGroup:
        InstanceCount: 1
        InstanceType: "m3.xlarge"
        Market: "ON_DEMAND"
        Name: "Master"
      CoreInstanceGroup:
        InstanceCount: 2
        InstanceType: "m3.xlarge"
        Market: "ON_DEMAND"
        Name: "Core"
      TerminationProtected: true
    Name: "TestCluster"
    JobFlowRole: "EMR_EC2_DefaultRole"
    ServiceRole: "EMR_DefaultRole"
    ReleaseLabel: "emr-4.2.0"
    Tags:
      - Key: "IsTest"
        Value: "True"
Create a Cluster with a Bootstrap Action
The following example creates an Amazon EMR cluster with a bootstrap action.
JSON
"TestCluster": {
  "Type": "AWS::EMR::Cluster",
  "Properties": {
    "BootstrapActions": [{
      "Name": "SomeBootStrapAction",
      "ScriptBootstrapAction": {
        "Path": "/path/to/s3"
      }
    }],
    "Instances": {
      "MasterInstanceGroup": {
        "InstanceCount": 1,
        "InstanceType": "m3.xlarge",
        "Market": "ON_DEMAND",
        "Name": "Master"
      },
      "CoreInstanceGroup": {
        "InstanceCount": 2,
        "InstanceType": "m3.xlarge",
        "Market": "ON_DEMAND",
        "Name": "Core"
      },
      "TerminationProtected": true
    },
    "Name": "TestCluster",
    "JobFlowRole": "EMR_EC2_DefaultRole",
    "ScaleDownBehavior": "TERMINATE_AT_TASK_COMPLETION",
    "ServiceRole": "EMR_DefaultRole",
    "ReleaseLabel": "emr-4.2.0",
    "Tags": [
      {
        "Key": "IsTest",
        "Value": "True"
      }
    ]
  }
}
YAML
TestCluster:
  Type: AWS::EMR::Cluster
  Properties:
    BootstrapActions:
      - Name: "SomeBootStrapAction"
        ScriptBootstrapAction:
          Path: "/path/to/s3"
    Instances:
      MasterInstanceGroup:
        InstanceCount: 1
        InstanceType: "m3.xlarge"
        Market: "ON_DEMAND"
        Name: "Master"
      CoreInstanceGroup:
        InstanceCount: 2
        InstanceType: "m3.xlarge"
        Market: "ON_DEMAND"
        Name: "Core"
      TerminationProtected: true
    Name: "TestCluster"
    JobFlowRole: "EMR_EC2_DefaultRole"
    ScaleDownBehavior: "TERMINATE_AT_TASK_COMPLETION"
    ServiceRole: "EMR_DefaultRole"
    ReleaseLabel: "emr-4.2.0"
    Tags:
      - Key: "IsTest"
        Value: "True"
Create a Cluster with a Custom AMI
The following example template uses a custom Amazon Linux AMI when creating an Amazon EMR cluster.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters" : {
    "CustomAmiId" : {
      "Type" : "String"
    },
    "InstanceType" : {
      "Type" : "String"
    },
    "ReleaseLabel" : {
      "Type" : "String"
    },
    "SubnetId" : {
      "Type" : "String"
    },
    "TerminationProtected" : {
      "Type" : "String",
      "Default" : "false"
    },
    "ElasticMapReducePrincipal" : {
      "Type" : "String"
    },
    "Ec2Principal" : {
      "Type" : "String"
    }
  },
  "Resources": {
    "cluster": {
      "Type": "AWS::EMR::Cluster",
      "Properties": {
        "CustomAmiId" : {"Ref" : "CustomAmiId"},
        "Instances": {
          "MasterInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnMaster"
          },
          "CoreInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnCore"
          },
          "TerminationProtected" : {"Ref" : "TerminationProtected"},
          "Ec2SubnetId" : {"Ref" : "SubnetId"}
        },
        "Name": "CFNtest",
        "JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
        "ServiceRole" : {"Ref": "emrRole"},
        "ReleaseLabel" : {"Ref" : "ReleaseLabel"},
        "VisibleToAllUsers" : true,
        "Tags": [
          {
            "Key": "key1",
            "Value": "value1"
          }
        ]
      }
    },
    "emrRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": {"Ref" : "ElasticMapReducePrincipal"}
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]
      }
    },
    "emrEc2Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": {"Ref" : "Ec2Principal"}
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"]
      }
    },
    "emrEc2InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ {
          "Ref": "emrEc2Role"
        } ]
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  CustomAmiId:
    Type: String
  InstanceType:
    Type: String
  ReleaseLabel:
    Type: String
  SubnetId:
    Type: String
  TerminationProtected:
    Type: String
    Default: 'false'
  ElasticMapReducePrincipal:
    Type: String
  Ec2Principal:
    Type: String
Resources:
  cluster:
    Type: AWS::EMR::Cluster
    Properties:
      CustomAmiId: !Ref CustomAmiId
      Instances:
        MasterInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnMaster
        CoreInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnCore
        TerminationProtected: !Ref TerminationProtected
        Ec2SubnetId: !Ref SubnetId
      Name: CFNtest
      JobFlowRole: !Ref emrEc2InstanceProfile
      ServiceRole: !Ref emrRole
      ReleaseLabel: !Ref ReleaseLabel
      VisibleToAllUsers: true
      Tags:
        - Key: key1
          Value: value1
  emrRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: !Ref ElasticMapReducePrincipal
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
  emrEc2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: !Ref Ec2Principal
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
  emrEc2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref emrEc2Role
Specify Root Volume Size
The following example template enables you to specify the size of the EBS root volume for an Amazon EMR cluster.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters" : {
    "InstanceType" : {
      "Type" : "String"
    },
    "ReleaseLabel" : {
      "Type" : "String"
    },
    "SubnetId" : {
      "Type" : "String"
    },
    "TerminationProtected" : {
      "Type" : "String",
      "Default" : "false"
    },
    "EbsRootVolumeSize" : {
      "Type" : "String"
    }
  },
  "Resources": {
    "cluster": {
      "Type": "AWS::EMR::Cluster",
      "Properties": {
        "EbsRootVolumeSize" : {"Ref" : "EbsRootVolumeSize"},
        "Instances": {
          "MasterInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnMaster"
          },
          "CoreInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnCore"
          },
          "TerminationProtected" : {"Ref" : "TerminationProtected"},
          "Ec2SubnetId" : {"Ref" : "SubnetId"}
        },
        "Name": "CFNtest",
        "JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
        "ServiceRole" : {"Ref": "emrRole"},
        "ReleaseLabel" : {"Ref" : "ReleaseLabel"},
        "VisibleToAllUsers" : true,
        "Tags": [
          {
            "Key": "key1",
            "Value": "value1"
          }
        ]
      }
    },
    "emrRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "elasticmapreduce.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]
      }
    },
    "emrEc2Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"]
      }
    },
    "emrEc2InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ {
          "Ref": "emrEc2Role"
        } ]
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  InstanceType:
    Type: String
  ReleaseLabel:
    Type: String
  SubnetId:
    Type: String
  TerminationProtected:
    Type: String
    Default: 'false'
  EbsRootVolumeSize:
    Type: String
Resources:
  cluster:
    Type: AWS::EMR::Cluster
    Properties:
      EbsRootVolumeSize: !Ref EbsRootVolumeSize
      Instances:
        MasterInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnMaster
        CoreInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnCore
        TerminationProtected: !Ref TerminationProtected
        Ec2SubnetId: !Ref SubnetId
      Name: CFNtest
      JobFlowRole: !Ref emrEc2InstanceProfile
      ServiceRole: !Ref emrRole
      ReleaseLabel: !Ref ReleaseLabel
      VisibleToAllUsers: true
      Tags:
        - Key: key1
          Value: value1
  emrRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: elasticmapreduce.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
  emrEc2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
  emrEc2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles:
        - !Ref emrEc2Role
Create a Cluster with Kerberos Authentication
The following example template enables you to specify the Kerberos authentication configuration for an Amazon EMR cluster.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Parameters" : {
    "CrossRealmTrustPrincipalPassword" : {
      "Type" : "String",
      "NoEcho" : true
    },
    "KdcAdminPassword" : {
      "Type" : "String",
      "NoEcho" : true
    },
    "Realm" : {
      "Type" : "String",
      "Default" : "EC2.INTERNAL"
    },
    "InstanceType" : {
      "Type" : "String"
    },
    "ReleaseLabel" : {
      "Type" : "String"
    },
    "SubnetId" : {
      "Type" : "String"
    }
  },
  "Resources": {
    "cluster": {
      "Type": "AWS::EMR::Cluster",
      "Properties": {
        "Instances": {
          "MasterInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnMaster"
          },
          "CoreInstanceGroup": {
            "InstanceCount": 1,
            "InstanceType": {"Ref" : "InstanceType"},
            "Market": "ON_DEMAND",
            "Name": "cfnCore"
          },
          "Ec2SubnetId" : {"Ref" : "SubnetId"}
        },
        "Name": "CFNtest2",
        "JobFlowRole" : {"Ref": "emrEc2InstanceProfile"},
        "KerberosAttributes" : {
          "CrossRealmTrustPrincipalPassword" : {"Ref" : "CrossRealmTrustPrincipalPassword"},
          "KdcAdminPassword" : {"Ref" : "KdcAdminPassword"},
          "Realm": {"Ref" : "Realm"}
        },
        "ServiceRole" : {"Ref": "emrRole"},
        "ReleaseLabel" : {"Ref" : "ReleaseLabel"},
        "SecurityConfiguration" : {"Ref" : "securityConfiguration"},
        "VisibleToAllUsers" : true,
        "Tags": [
          {
            "Key": "key1",
            "Value": "value1"
          }
        ]
      }
    },
    "key" : {
      "Type" : "AWS::KMS::Key",
      "Properties" : {
        "KeyPolicy" : {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::GetAtt" : ["emrEc2Role", "Arn"]}
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Enable IAM User Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": { "Fn::Join" : ["" , ["arn:aws:iam::", {"Ref" : "AWS::AccountId"} ,":root" ]] }
              },
              "Action": "kms:*",
              "Resource": "*"
            }
          ]
        }
      }
    },
    "securityConfiguration": {
      "Type" : "AWS::EMR::SecurityConfiguration",
      "Properties" : {
        "SecurityConfiguration" : {
          "AuthenticationConfiguration": {
            "KerberosConfiguration": {
              "Provider": "ClusterDedicatedKdc",
              "ClusterDedicatedKdcConfiguration": {
                "TicketLifetimeInHours": 24,
                "CrossRealmTrustConfiguration": {
                  "Realm": "AD.DOMAIN.COM",
                  "Domain": "ad.domain.com",
                  "AdminServer": "ad.domain.com",
                  "KdcServer": "ad.domain.com"
                }
              }
            }
          }
        }
      }
    },
    "emrRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "elasticmapreduce.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole"]
      }
    },
    "emrEc2Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Path": "/",
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role"]
      }
    },
    "emrEc2InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ {
          "Ref": "emrEc2Role"
        } ]
      }
    }
  },
  "Outputs" : {
    "keyArn" : {
      "Value" : {"Fn::GetAtt" : ["key", "Arn"]}
    }
  }
}
YAML
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  # NoEcho keeps the password values out of console and API output.
  CrossRealmTrustPrincipalPassword:
    Type: String
    NoEcho: true
  KdcAdminPassword:
    Type: String
    NoEcho: true
  Realm:
    Type: String
    Default: EC2.INTERNAL
  InstanceType:
    Type: String
  ReleaseLabel:
    Type: String
  SubnetId:
    Type: String
Resources:
  cluster:
    Type: 'AWS::EMR::Cluster'
    Properties:
      Instances:
        MasterInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnMaster
        CoreInstanceGroup:
          InstanceCount: 1
          InstanceType: !Ref InstanceType
          Market: ON_DEMAND
          Name: cfnCore
        Ec2SubnetId: !Ref SubnetId
      Name: CFNtest2
      JobFlowRole: !Ref emrEc2InstanceProfile
      # Kerberos values come from the parameters instead of template literals.
      KerberosAttributes:
        CrossRealmTrustPrincipalPassword: !Ref CrossRealmTrustPrincipalPassword
        KdcAdminPassword: !Ref KdcAdminPassword
        Realm: !Ref Realm
      ServiceRole: !Ref emrRole
      ReleaseLabel: !Ref ReleaseLabel
      SecurityConfiguration: !Ref securityConfiguration
      VisibleToAllUsers: true
      Tags:
        - Key: key1
          Value: value1
  key:
    Type: 'AWS::KMS::Key'
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: key-default-1
        Statement:
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !GetAtt
                - emrEc2Role
                - Arn
            Action: 'kms:*'
            Resource: '*'
          - Sid: Enable IAM User Permissions
            Effect: Allow
            Principal:
              AWS: !Join
                - ''
                - - 'arn:aws:iam::'
                  - !Ref 'AWS::AccountId'
                  - ':root'
            Action: 'kms:*'
            Resource: '*'
  securityConfiguration:
    Type: 'AWS::EMR::SecurityConfiguration'
    Properties:
      SecurityConfiguration:
        AuthenticationConfiguration:
          KerberosConfiguration:
            Provider: ClusterDedicatedKdc
            ClusterDedicatedKdcConfiguration:
              TicketLifetimeInHours: 24
              CrossRealmTrustConfiguration:
                Realm: AD.DOMAIN.COM
                Domain: ad.domain.com
                AdminServer: ad.domain.com
                KdcServer: ad.domain.com
  emrRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: elasticmapreduce.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole'
  emrEc2Role:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2008-10-17
        Statement:
          - Sid: ''
            Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role'
  emrEc2InstanceProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Path: /
      Roles:
        - !Ref emrEc2Role
Outputs:
  keyArn:
    Value: !GetAtt
      - key
      - Arn
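A template check for the Kerberos example above, added here and not part of the AWS documentation: it flags KerberosAttributes passwords written as literals, password parameters that lack NoEcho, Kerberos attributes with no SecurityConfiguration, and a missing LogUri. The function name, the WEAK and HARDENED templates, the bucket name and the finding strings are constructed for illustration.

```python
# Added example: lint AWS::EMR::Cluster resources in a parsed CloudFormation
# template (the dict that json.load returns for the JSON form).

# Password-bearing KerberosAttributes keys used in this page's example.
PASSWORD_KEYS = ("KdcAdminPassword", "CrossRealmTrustPrincipalPassword")


def lint_emr_clusters(template):
    """Return sorted (logical_id, finding) tuples for every EMR cluster."""
    params = template.get("Parameters", {})
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EMR::Cluster":
            continue
        props = res.get("Properties", {})
        kerberos = props.get("KerberosAttributes")
        if kerberos is not None:
            # Kerberos is enabled through a security configuration.
            if "SecurityConfiguration" not in props:
                findings.append((logical_id, "Kerberos without SecurityConfiguration"))
            for key in PASSWORD_KEYS:
                value = kerberos.get(key)
                # A {{resolve:...}} dynamic reference is fetched at deploy
                # time, so it is not treated as a literal secret.
                if isinstance(value, str) and not value.startswith("{{resolve:"):
                    findings.append((logical_id, key + " is a literal"))
                elif isinstance(value, dict) and value.get("Ref") in params:
                    no_echo = params[value["Ref"]].get("NoEcho", False)
                    if str(no_echo).lower() != "true":
                        findings.append((logical_id, key + " parameter lacks NoEcho"))
        if "LogUri" not in props:
            findings.append((logical_id, "no LogUri, so no log files are written"))
    return sorted(findings)


def one_cluster(params, props):
    """Build a one-cluster template (constructed sample input)."""
    return {"Parameters": params,
            "Resources": {"cluster": {"Type": "AWS::EMR::Cluster",
                                      "Properties": props}}}


# Constructed sample modelled on the Kerberos example: one literal password,
# one parameter without NoEcho, no SecurityConfiguration, no LogUri.
WEAK = one_cluster(
    {"KdcAdminPassword": {"Type": "String"}},
    {"Name": "CFNtest2",
     "KerberosAttributes": {
         "KdcAdminPassword": {"Ref": "KdcAdminPassword"},
         "CrossRealmTrustPrincipalPassword": "EXAMPLE-literal-password",
         "Realm": "EC2.INTERNAL"}})

# Constructed hardened counterpart; the bucket name is a placeholder.
HARDENED = one_cluster(
    {"KdcAdminPassword": {"Type": "String", "NoEcho": True},
     "CrossRealmTrustPrincipalPassword": {"Type": "String", "NoEcho": True}},
    {"Name": "CFNtest2",
     "LogUri": "s3://EXAMPLE-BUCKET/emr-logs/",
     "SecurityConfiguration": {"Ref": "securityConfiguration"},
     "KerberosAttributes": {
         "KdcAdminPassword": {"Ref": "KdcAdminPassword"},
         "CrossRealmTrustPrincipalPassword": {"Ref": "CrossRealmTrustPrincipalPassword"},
         "Realm": "EC2.INTERNAL"}})

if __name__ == "__main__":
    for name, tpl in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_emr_clusters(tpl) or "no findings")
```

Feed it the output of json.load on a JSON template; YAML templates that use short-form tags such as !Ref need a CloudFormation-aware loader first.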
