💫EMR SaaS Installation

Summary

This guide shows how to grant DataFlint read-only access to Amazon EMR metadata via cross-account IAM role assumption. It applies to EMR on EC2, EMR Serverless, and EMR on EKS (IAM called this "EMR Containers").

For the broader SaaS threat model and stability notes, see SaaS Security & Stability.

You will:

1. Create a dedicated IAM role in your AWS account.

2. Add a trust policy that allows the DataFlint service role to assume it.

3. Attach a minimal read-only policy for EMR / EMR Containers APIs.

4. Share the role ARN + regions with DataFlint.

The entire process should take a few minutes.

You need to repeat this per AWS account you want DataFlint to read from.

Cross-account roles must use an External ID. Ask DataFlint for your CUSTOMER_EXTERNAL_ID and the DataFlint AWS account details.

What DataFlint needs

Send DataFlint:

• Role ARN you created (one per AWS account).

• Region(s) where you run EMR (and/or EMR on EKS / EMR Containers).

• The role name (optional, helps troubleshooting).

How it works

DataFlint assumes the role you create and calls read-only EMR APIs to:

• Discover clusters / virtual clusters.

• List and describe job runs and steps.

• Fetch application UI links when applicable (read-only).

AWS classifies a few EMR “UI helper” APIs as write actions (for example elasticmapreduce:CreatePersistentAppUI). DataFlint uses them only to generate read-only UI access links.

Required IAM permissions (minimal)

Use a dedicated policy attached to the role. This is the minimal set we currently require for EMR + EMR Containers read access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEmrContainersBasicAccess",
      "Effect": "Allow",
      "Action": [
        "emr-containers:ListVirtualClusters",
        "emr-containers:DescribeVirtualCluster",
        "emr-containers:ListJobRuns",
        "emr-containers:DescribeJobRun",
        "elasticmapreduce:CreatePersistentAppUI",
        "elasticmapreduce:DescribePersistentAppUI",
        "elasticmapreduce:GetPersistentAppUIPresignedURL",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:DescribeJobFlows",
        "elasticmapreduce:DescribeSecurityConfiguration",
        "elasticmapreduce:DescribeStep",
        "elasticmapreduce:DescribeReleaseLabel",
        "elasticmapreduce:GetBlockPublicAccessConfiguration",
        "elasticmapreduce:GetManagedScalingPolicy",
        "elasticmapreduce:GetAutoTerminationPolicy",
        "elasticmapreduce:ListBootstrapActions",
        "elasticmapreduce:ListClusters",
        "elasticmapreduce:ListEditors",
        "elasticmapreduce:ListInstanceFleets",
        "elasticmapreduce:ListInstanceGroups",
        "elasticmapreduce:ListInstances",
        "elasticmapreduce:ListSecurityConfigurations",
        "elasticmapreduce:ListSteps",
        "elasticmapreduce:ListSupportedInstanceTypes",
        "elasticmapreduce:ViewEventsFromAllClustersInConsole"
      ],
      "Resource": "*"
    }
  ]
}

If you want to scope down further (by region, tags, or resource ARNs), tell us your constraints and we’ll help tighten it.

Installation

Pick one method. All methods create the same resources.

AWS Console (UI)

Step 1: Create the IAM policy

1. Open IAM → Policies.

2. Click Create policy.

3. Choose JSON.

4. Paste the minimal policy from Required IAM permissions.

5. Click Next.

6. Policy name: DataflintEmrContainersReadOnly

7. Create the policy.

Step 2: Create the IAM role

1. Open IAM → Roles.

2. Click Create role.

3. Trusted entity type: AWS account.

4. Select Another AWS account.

5. Account ID: DATAFLINT_ACCOUNT_ID (get it from DataFlint).

6. Enable Require external ID.

7. External ID: CUSTOMER_EXTERNAL_ID (get it from DataFlint).

8. In Add permissions, attach DataflintEmrContainersReadOnly.

9. Role name: dataflint-emr-read-only-role

10. Create the role.

Step 3: Update the trust policy (Principal role)

In some accounts, the UI creates the trust policy with the root principal. We require the DataFlint service role principal instead.

1. Open the new role.

2. Go to Trust relationships → Edit trust policy.

3. Use this trust policy (replace placeholders):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::DATAFLINT_ACCOUNT_ID:role/eks-dataflint-service-role"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "CUSTOMER_EXTERNAL_ID"
        }
      }
    }
  ]
}

Step 4: Copy the role ARN

Open the role summary and copy the ARN. You’ll share it with DataFlint.

AWS CLI

Terraform

CloudFormation

Validate the setup (recommended)

You can validate that the role exists and has the expected policies attached.

aws iam get-role --role-name dataflint-emr-read-only-role
aws iam list-attached-role-policies --role-name dataflint-emr-read-only-role

You can also validate permissions using IAM simulation:

ROLE_ARN="$(aws iam get-role --role-name dataflint-emr-read-only-role --query 'Role.Arn' --output text)"

aws iam simulate-principal-policy \
  --policy-source-arn "${ROLE_ARN}" \
  --action-names emr-containers:ListVirtualClusters elasticmapreduce:ListClusters \
  --output text

Send the details to DataFlint

Share over your approved secure channel:

• Role ARN

• Regions for EMR / EMR Containers