Allow users and groups to create and modify roles - Amazon EMR
Services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the AWS European Sovereign Cloud Region, see the AWS European Sovereign Cloud User Guide.

Allow users and groups to create and modify roles

IAM principals (users and groups) who create, modify, and specify roles for a cluster, including default roles, must be allowed to perform the following actions. For details about each action, see Actions in the IAM API Reference.

  • iam:CreateRole

  • iam:PutRolePolicy

  • iam:CreateInstanceProfile

  • iam:AddRoleToInstanceProfile

  • iam:ListRoles

  • iam:GetPolicy

  • iam:GetInstanceProfile

  • iam:GetPolicyVersion

  • iam:AttachRolePolicy

  • iam:PassRole

The iam:PassRole permission allows cluster creation. The remaining permissions allow the creation of the default roles.

For information about assigning permissions to a user, see Changing permissions for a user in the IAM User Guide.