I want to troubleshoot issues that I receive when I create an Amazon EMR Studio workspace.
Short description
The following are common issues that you might experience when you create an Amazon EMR Studio workspace:
- A blank page appears without any errors shown when you choose Create Workspace.
- The user has incorrect IAM permissions.
- Invalid studio subnet configuration.
Resolution
To troubleshoot issues that you receive when you create an EMR Studio workspace, complete the following steps:
Assign and manage EMR Studio users
When you use AWS Identity and Access Management (IAM) authentication mode, you can configure EMR Studio user assignment and permissions with IAM, or with IAM and your identity provider.
For more information, see Assign and manage EMR Studio users.
Troubleshoot errors with incorrect IAM permissions
To view existing EMR Notebooks as EMR Studio Workspaces, users must have the elasticmapreduce:ListStudios and elasticmapreduce:CreateStudioPresignedUrl role permissions.
The following error messages or similar appear because of incorrect IAM permissions:
"User is not authorized to perform iam:PassRole on resource: because no identity-based policy allows the iam:PassRole action"
"User is not authorized to perform elasticmapreduce:CreateEditor on resource: because no identity-based policy allows the elasticmapreduce:CreateEditor action"
"User is not authorized to perform elasticmapreduce:DescribeEditor on resource: because no identity-based policy allows the elasticmapreduce:DescribeEditor action"
When you create a workspace, make sure that your policy has the following minimum requirements:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "elasticmapreduce:DescribeEditor",
        "elasticmapreduce:StartEditor",
        "elasticmapreduce:StopEditor",
        "elasticmapreduce:DeleteEditor",
        "elasticmapreduce:OpenEditorInConsole"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"
        }
      }
    }
  ]
}
Troubleshoot errors with invalid studio subnet configuration
The following error messages or similar appear because of an invalid studio subnet configuration:
"Workspace(notebook) is stopped. Studio has no subnets in supported availability zones. Supported availability zones: us-east-1a, us-east-1b, us-east-1c, us-east-1d, us-east-1e, us-east-1f"
"Invalid studio subnet configuration. All of the studio subnets are invalid/deleted. Please use a studio with valid subnets."
The preceding errors occur when the subnet ID is invalid, the subnet is deleted, or the Amazon EMR Studio role doesn't have the required permissions. To resolve these errors, see Set up an Amazon EMR Studio and How to create a service role for EMR Studio on Amazon EC2 or Amazon EKS.
Troubleshoot errors with service role IAM permissions
The following error message or similar appears because the service role doesn't have the required IAM permissions:
"errorMessage": "Service role does not have permission to access the LocationUri. (Service: AWSEditors; Status Code: 400; Error Code: InvalidRequestException; Request ID: 1b2028dd-deb4-4fc0-b18e-****; Proxy: null)"
The preceding error occurs when the IAM role that's used by the EMR notebook doesn't have the required permissions. The IAM role needs permissions to access the Amazon Simple Storage Service (Amazon S3) location where the EMR notebook is stored. To resolve this issue, make sure you have the following IAM permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucket*",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:List*",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    }
  ]
}
If you encrypt your Amazon S3 bucket, then include the following permissions for AWS Key Management Service:
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:ReEncryptFrom",
"kms:ReEncryptTo",
"kms:DescribeKey"
Additional troubleshooting
To further troubleshoot, take the following actions:
- Check the resource-level permissions and any other deny permissions that might cause access denied errors.
- Check if you received a "User not authorized to perform <example-resource-action> on <example-resource> because no identity-based policy allows the <example-action> action" error. If the error identifies the action that's not allowed, then add that action to your policy.
- Check if your issue is a known issue.
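The check described in the second bullet can be done offline before you edit a policy. The following is an added example, not AWS code: it extracts the denied action from an error message in the format quoted on this page and tests it against the workspace policy shown earlier. The function names are hypothetical, and the matching covers only Allow statements with Action patterns, not Deny statements, NotAction, or condition evaluation.

```python
import fnmatch
import json
import re

# Matches the identity-based denial message format quoted on this page.
DENIED = re.compile(r"not authorized to perform (?P<action>[\w-]+:[\w*]+)")

# The workspace policy from this page, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Action": ["elasticmapreduce:DescribeEditor", "elasticmapreduce:StartEditor",
              "elasticmapreduce:StopEditor", "elasticmapreduce:DeleteEditor",
              "elasticmapreduce:OpenEditorInConsole"],
   "Resource": "*",
   "Condition": {"StringEquals":
     {"elasticmapreduce:ResourceTag/creatorUserId": "${aws:userId}"}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def denied_action(message):
    """Return the IAM action named in an access-denied message, or None."""
    match = DENIED.search(message)
    return match.group("action") if match else None

def allowing_statements(policy, action):
    """Return Allow statements with an Action pattern that matches the action."""
    hits = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive; * and ? act as wildcards.
        pats = [p.lower() for p in as_list(stmt["Action"])]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in pats):
            hits.append(stmt)
    return hits

def diagnose(policy, message):
    action = denied_action(message)
    if action is None:
        return "no IAM action found in message"
    hits = allowing_statements(policy, action)
    if not hits:
        return f"{action}: not allowed by any statement; add it to the policy"
    if all("Condition" in s for s in hits):
        return f"{action}: allowed only under a Condition; check the condition keys"
    return f"{action}: allowed; look for an explicit Deny or resource-level limit"
```

Run against the three error messages quoted earlier, the policy as shown covers neither iam:PassRole nor elasticmapreduce:CreateEditor, and it allows elasticmapreduce:DescribeEditor only when the creatorUserId tag condition holds.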