Why do I get the "EMR_DefaultRole is invalid" or "EMR_EC2_DefaultRole is invalid" error when I create an Amazon EMR cluster?

3 minute read

When I try to create an Amazon EMR cluster, I get one of these error messages:

"EMR_DefaultRole is invalid" "EMR_EC2_DefaultRole is invalid"

Short description

These errors usually happen when you edit one or more of the AWS Identity and Access Management (IAM) policies that are attached to the Amazon EMR default roles. To troubleshoot, compare the modified roles to the original versions (AmazonElasticMapReduceRole or AmazonElasticMapReduceforEC2Role).

If you can't find the source of the problem, then delete and recreate the roles.

Resolution

Compare the modified roles to the original versions

If you added policies to the IAM roles EMR_DefaultRole or EMR_EC2_DefaultRole, then review the changes that you made. Compare the modified versions of the roles to the original versions (AmazonElasticMapReduceRole or AmazonElasticMapReduceforEC2Role). If you can't determine what caused the problem, delete the roles and the instance profile, as explained in the following section.

Delete and recreate the roles and instance profile

Before you begin, note the following:

Be sure that you don't have any running EC2 instances that use the role or instance profile that you're about to delete. Deleting a role or instance profile that's associated with a running instance breaks applications that are running on the instance.
The following steps reset EMR_DefaultRole and EMR_EC2_DefaultRole to their original configurations. If you customized the IAM policies attached to these roles, then those changes are lost.

AWS Management Console

1. Use the IAM console to delete the roles. IAM automatically deletes the instance profile and policies associated with the role.

2. Open the Amazon EMR console.

3. Create an EMR cluster. For Permissions, choose Default. Amazon EMR creates the default roles when it launches the cluster. These roles are available to any clusters that you launch later.

AWS Command Line Interface (AWS CLI)

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

1. Remove EMR_EC2_DefaultRole from the instance profile:

aws iam remove-role-from-instance-profile --instance-profile-name EMR_EC2_DefaultRole --role-name EMR_EC2_DefaultRole

2. Delete the instance profile:

aws iam delete-instance-profile --instance-profile-name EMR_EC2_DefaultRole

3. Remove the IAM policy that's associated with EMR_EC2_DefaultRole:

aws iam detach-role-policy --role-name EMR_EC2_DefaultRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role

4. Delete EMR_EC2_DefaultRole:

aws iam delete-role --role-name EMR_EC2_DefaultRole

5. Remove the IAM policy that's associated with EMR_DefaultRole:

aws iam detach-role-policy --role-name EMR_DefaultRole --policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole

6. Delete EMR_DefaultRole:

aws iam delete-role --role-name EMR_DefaultRole

7. Recreate the default roles:

aws emr create-default-roles

8. Launch a new EMR cluster.

Related information

Configure IAM service roles for Amazon EMR permissions to AWS services and resources

Topics

Analytics

Relevant content

Error on msdb.dbo.rds_restore_database: The provided token is malformed or otherwise invalid
Accepted Answer
Dexterite
asked 7 months ago
Error when calling aws cloudfront create-invalidation
Accepted Answer
Fredrik
asked 2 years ago
I get the error - The input you provided is invalid - when submitting SES production request form
AWS-User-4010387
asked 2 years ago
Invalid operation when creating Stored Procedure
akc_adi
asked 2 years ago
Invalid operation when creating Stored Procedure
lcor
asked 5 years ago
How do I resolve the "Role [role_arn] is invalid or cannot be assumed” error when I update or delete an AWS CloudFormation stack?
AWS OFFICIALUpdated 2 years ago
Why do I get a "535 Authentication credentials invalid" error from an Amazon SES SMTP endpoint?
AWS OFFICIALUpdated a month ago
Why do I get an "Invalid MAIL FROM" or "Invalid RCPT TO" error response from an Amazon SES SMTP endpoint?
AWS OFFICIALUpdated 2 months ago
Why do I get a “The provided token is malformed or otherwise invalid” error when I launch an Amazon EMR cluster using Hive and Presto in the AWS China (Beijing) Region?
AWS OFFICIALUpdated 2 years ago
Troubleshooting "The Access Key ID or Security Token is Invalid" Error after Upgrading DynamoDB Local to Version 2.0.0 / 1.23.0 or Greater
EXPERT
Leeroy Hannigan
published 10 months ago