## Note: This is a sample role and policy, make sure to change per your security needs ## Creates an IAM Execution Role aws iam create-role --role-name emr-serverless-job-role --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "EMRServerlessIAMExecutionRole", "Effect": "Allow", "Principal": { "Service": "emr-serverless.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }' ## Attaches IAM policy to the role created above, replace with your dynamodb-export-bucket,spark-script-bucket and iceberg-bucket aws iam put-role-policy --role-name emr-serverless-job-role --policy-name S3Access --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadFromExportAndScriptsBuckets", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::dynamodb-export-bucket", "arn:aws:s3:::dynamodb-export-bucket/*", "arn:aws:s3:::spark-script-bucket", "arn:aws:s3:::spark-script-bucket/*" ] }, { "Sid": "WriteToOutputDataBucket", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::iceberg-bucket/*" ] } ] }' ## Attaches IAM Policy for Glue Access aws iam put-role-policy --role-name emr-serverless-job-role --policy-name GlueAccess --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "GlueCreateAndReadDataCatalog", "Effect": "Allow", "Action": [ "glue:GetDatabase", "glue:GetDataBases", "glue:CreateTable", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:CreatePartition", "glue:BatchCreatePartition", "glue:GetUserDefinedFunctions", "glue:UpdateTable" ], "Resource": ["*"] } ] }'