EMR Serverless service principal is not authorized to perform: ECR:DescribeImages on resource

This article offers a quick resolution when an EMR Serverless application fails to start with the error "Application failed to start. EMR Serverless service principal is not authorized to perform: ECR:DescribeImages on resource".

When an EMR Serverless job fails with this error, you can confirm the cause and gather more detail from the CloudTrail API event with "eventName": "StartJobRun". That event records the execution role that was used for the job run. If the policy also lacks the "ecr:GetDownloadUrlForLayer" permission, the API event with "eventName": "GetDownloadUrlForLayer" will fail in the same way.

By examining the CloudTrail event and the associated execution role, you can identify the specific policy to which the missing permission must be added, as in the example below:

         ...
         ...
        "executionRoleArn": "arn:aws:iam::xxxxxxxxxxxxxxx:role/service-role/emr-serverless-studio-role",
        "clientToken": "xxxxxxxxx-xxxx-xxxxx-xxxx-26ae1d252aa9",
        "name": "My_First-Spark-Job",
        "jobDriver": {
            "sparkSubmit": {
                "entryPoint": "***",
                "sparkSubmitParameters": "***"
            }
        },
        "applicationId": "xxxxxxxxxxxxxxxxxx",
        "tags": {}
    },
    "responseElements": {
        "message": "EMR Serverless service principal is not authorized to perform: ECR:DescribeImages on resource."
    }

In short, the Amazon Elastic Container Registry (ECR) repository requires the following repository policy for Custom Amazon Machine Images (AMIs). The policy grants the Amazon EMR Serverless service principal the permissions it needs to get, describe, and download images from the ECR repository.

Example repository policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Emr Serverless Custom Image Support",
      "Effect": "Allow",
      "Principal": {
        "Service": "emr-serverless.amazonaws.com"
      },
      "Action": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Condition":{
        "StringEquals":{
          "aws:SourceArn": "arn:aws:emr-serverless:region:aws-account-id:/applications/application-id"
        }
      }
    }
  ]
}

To change the policy through the Amazon Elastic Container Registry (ECR) console:

  1. Open the Repositories section under Private registry in the navigation pane.
  2. Select the repository from which the image will be fetched to view its contents and edit its permissions.
  3. Choose "Actions", then "Permissions" in the navigation pane, and choose "Edit" to open the "Edit permissions" page. There you can add a new policy statement or edit an existing one, specifying whether its effect is to allow or deny access and defining the principal and conditions to which the statement applies.



If the repository policy above is already in place, still verify its conditions and confirm that the correct EMR Serverless application-id is set. This application-id is that of the EMR Serverless application that retrieves the image from the repository. A repository policy that omits the required application-id will result in an exception being raised.

Alternatively, you can use the IAM Policy Simulator to test whether the Amazon EMR service role can describe, retrieve, and download the Amazon ECR image under the repository policy above. This approach helps identify any missing permissions that are blocking the job.
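As an offline complement to the Policy Simulator, the following Python script is an added example (not code from this article or from AWS) that performs the two checks described above on a repository policy document: that an Allow statement for the emr-serverless.amazonaws.com service principal grants ecr:BatchGetImage, ecr:DescribeImages and ecr:GetDownloadUrlForLayer, and that its aws:SourceArn condition names the application ARN of the application actually pulling the image. The function names (application_arn, build_repository_policy, check_repository_policy, apply_repository_policy), the account ID and the application ID are assumptions constructed for the example; the policy shape is the one shown above. The apply_repository_policy helper calls the real boto3 ecr.set_repository_policy API but is only invoked when you pass it a client, so the script runs without AWS access.

```python
"""Check an ECR repository policy for the EMR Serverless custom-image statement."""
import json

EMR_SERVERLESS_PRINCIPAL = "emr-serverless.amazonaws.com"
# Actions the article's repository policy grants (canonical spelling).
REQUIRED_ACTIONS = ("ecr:BatchGetImage", "ecr:DescribeImages", "ecr:GetDownloadUrlForLayer")


def application_arn(region: str, account_id: str, application_id: str) -> str:
    """ARN shape expected in the aws:SourceArn condition of the repository policy."""
    return f"arn:aws:emr-serverless:{region}:{account_id}:/applications/{application_id}"


def build_repository_policy(app_arn: str) -> dict:
    """The repository policy from the article, scoped to exactly one application ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Emr Serverless Custom Image Support",
                "Effect": "Allow",
                "Principal": {"Service": EMR_SERVERLESS_PRINCIPAL},
                "Action": list(REQUIRED_ACTIONS),
                "Condition": {"StringEquals": {"aws:SourceArn": app_arn}},
            }
        ],
    }


def _as_list(value):
    """IAM lets single values appear as a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(action_pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and a pattern may end in '*' (e.g. 'ecr:*')."""
    pattern, action = action_pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def check_repository_policy(policy: dict, app_arn: str) -> list:
    """Return findings for app_arn; an empty list means the policy grants what EMR Serverless needs.

    Only Allow statements are evaluated; an explicit Deny elsewhere would still block access.
    """
    findings = []
    granted = set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if principal != "*" and EMR_SERVERLESS_PRINCIPAL not in services:
            continue  # statement is for some other principal
        source_arns = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
        )
        if source_arns and app_arn not in source_arns:
            # This is the stale-application-id case the article warns about.
            findings.append(f"statement '{sid}' is scoped to {source_arns}, not to {app_arn}")
            continue
        if not source_arns:
            findings.append(f"statement '{sid}' has no aws:SourceArn condition; scope it to {app_arn}")
        patterns = _as_list(stmt.get("Action"))
        granted.update(a for a in REQUIRED_ACTIONS if any(_covers(p, a) for p in patterns))
    for action in REQUIRED_ACTIONS:
        if action not in granted:
            findings.append(f"missing action {action} for {EMR_SERVERLESS_PRINCIPAL} on {app_arn}")
    return findings


def apply_repository_policy(ecr_client, repository_name: str, policy: dict) -> dict:
    """Write the policy with boto3 (ecr_client = boto3.client('ecr')); not run in this example."""
    return ecr_client.set_repository_policy(
        repositoryName=repository_name, policyText=json.dumps(policy)
    )


if __name__ == "__main__":
    # Constructed sample values; replace with your region, account and application ID.
    wanted = application_arn("us-east-1", "111122223333", "00abcdef12345678")
    stale = build_repository_policy(application_arn("us-east-1", "111122223333", "00ffffffffffffff"))
    for finding in check_repository_policy(stale, wanted):
        print("FINDING:", finding)
    print("corrected policy:", json.dumps(build_repository_policy(wanted), indent=2))
```

Run it against the policy text returned by the ECR console or `aws ecr get-repository-policy`; the application ID in the findings is the value to compare with the "applicationId" recorded in the StartJobRun CloudTrail event.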

AWS
SUPPORT ENGINEER
published 11 days ago