Using AWS IAM restricted roles and policies for compute and CDE

AWS IAM write permissions are used by the Cloudera Data Engineering (CDE) compute infrastructure to create and delete roles and instance profiles.

Some customers may not be willing to provide IAM write permission in the role’s policy. Instead, customers can set up static pre-created roles and instance profiles that are defined and used by the CDE compute infrastructure to provision clusters.

The two main tasks for AWS IAM write permissions are the following:
  1. Create roles and an instance profile.
  2. Create restricted IAM policies for use by the compute infrastructure.
After the two tasks are completed, you may create a cross-account credential if needed.
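As an added example (not from Cloudera's documentation or the CDE product), a small Python check a customer can run over a candidate cross-account policy document before handing it over: it reports which IAM write actions an Allow statement grants, expanding wildcards, so a policy meant to rely on pre-created static roles and instance profiles can be confirmed to carry none. The action list in IAM_WRITE_ACTIONS and the sample policy are assumptions constructed for this example.

```python
import fnmatch
import json

# IAM write actions that the CDE compute infrastructure would otherwise use,
# following the page's description (creating and deleting roles and instance
# profiles). This list is an assumption for the check, not Cloudera's own.
IAM_WRITE_ACTIONS = (
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:CreateInstanceProfile",
    "iam:DeleteInstanceProfile",
    "iam:AddRoleToInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile",
)


def _as_list(value):
    """IAM accepts either a string or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_write_actions_granted(policy_document):
    """Return, sorted, the IAM write actions that Allow statements grant.

    Wildcard patterns such as "iam:*" or "iam:Create*" are expanded against
    IAM_WRITE_ACTIONS; matching is case-insensitive, as IAM's is. Deny
    statements and NotAction are not evaluated, so review those by hand.
    """
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in IAM_WRITE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return sorted(granted)


# Constructed sample: a cross-account policy that still grants IAM write
# permission through a wildcard, which static pre-created roles make unnecessary.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:Create*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]})
```

Running `iam_write_actions_granted(SAMPLE_POLICY)` flags the two Create actions hidden behind `iam:Create*`; an empty result is what a policy built for the static-role approach should produce.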

See the following topics for the procedures for creating the roles and policies.