[v2] [customization] Create/delete role associations for EMR on EKS

[hssyoo]

Description

EKS Pod Identity requires users to create pod identity associations for cluster service accounts that the pod container is going to use with a configured job execution IAM role. This requires users to provide service account names and the IAM role arn. However, service account information is opaque in the EMR on EKS service so the --create-role-associations and --delete-role-associations customizations simplify management by resolving the correct service accounts based on the input cluster and role names.

Manual testing

Create an IAM role with the following assume role policy document:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "pods.eks.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}

Create an EKS cluster.

Run the create command, replacing the my-cluster and my-role values:

aws emr-containers create-role-associations --cluster-name my-cluster --namespace default --role-name my-role

Run the delete command, replacing the my-cluster and my-role values:

aws emr-containers delete-role-associations --cluster-name my-cluster --namespace default --role-name my-role