Skip to main content

studios

Creates, updates, deletes or gets a studio resource or lists studios in a region

Overview

Namestudios
TypeResource
DescriptionResource schema for AWS::EMR::Studio
Idaws.emr.studios

Fields

NameDatatypeDescription
arnstringThe Amazon Resource Name (ARN) of the EMR Studio.
auth_modestringSpecifies whether the Studio authenticates users using single sign-on (SSO) or IAM. Amazon EMR Studio currently only supports SSO authentication.
default_s3_locationstringThe default Amazon S3 location to back up EMR Studio Workspaces and notebook files. A Studio user can select an alternative Amazon S3 location when creating a Workspace.
descriptionstringA detailed description of the Studio.
engine_security_group_idstringThe ID of the Amazon EMR Studio Engine security group. The Engine security group allows inbound network traffic from the Workspace security group, and it must be in the same VPC specified by VpcId.
namestringA descriptive name for the Amazon EMR Studio.
service_rolestringThe IAM role that will be assumed by the Amazon EMR Studio. The service role provides a way for Amazon EMR Studio to interoperate with other AWS services.
studio_idstringThe ID of the EMR Studio.
subnet_idsarrayA list of up to 5 subnet IDs to associate with the Studio. The subnets must belong to the VPC specified by VpcId. Studio users can create a Workspace in any of the specified subnets.
tagsarrayA list of tags to associate with the Studio. Tags are user-defined key-value pairs that consist of a required key string with a maximum of 128 characters, and an optional value string with a maximum of 256 characters.
urlstringThe unique Studio access URL.
user_rolestringThe IAM user role that will be assumed by users and groups logged in to a Studio. The permissions attached to this IAM role can be scoped down for each user or group using session policies.
vpc_idstringThe ID of the Amazon Virtual Private Cloud (Amazon VPC) to associate with the Studio.
workspace_security_group_idstringThe ID of the Amazon EMR Studio Workspace security group. The Workspace security group allows outbound network traffic to resources in the Engine security group, and it must be in the same VPC specified by VpcId.
idp_auth_urlstringYour identity provider's authentication endpoint. Amazon EMR Studio redirects federated users to this endpoint for authentication when logging in to a Studio with the Studio URL.
idp_relay_state_parameter_namestringThe name of relay state parameter for external Identity Provider.
trusted_identity_propagation_enabledbooleanA Boolean indicating whether to enable Trusted identity propagation for the Studio. The default value is false.
idc_user_assignmentstringSpecifies whether IAM Identity Center user assignment is REQUIRED or OPTIONAL. If the value is set to REQUIRED, users must be explicitly assigned to the Studio application to access the Studio.
idc_instance_arnstringThe ARN of the IAM Identity Center instance to create the Studio application.
encryption_key_arnstringThe AWS KMS key identifier (ARN) used to encrypt AWS EMR Studio workspace and notebook files when backed up to AWS S3.
regionstringAWS region.

Methods

NameAccessible byRequired Params
create_resourceINSERTAuthMode, EngineSecurityGroupId, Name, ServiceRole, SubnetIds, VpcId, WorkspaceSecurityGroupId, DefaultS3Location, region
delete_resourceDELETEdata__Identifier, region
update_resourceUPDATEdata__Identifier, data__PatchDocument, region
list_resourcesSELECTregion
get_resourceSELECTdata__Identifier, region

SELECT examples

Gets all studios in a region.

SELECT
region,
arn,
auth_mode,
default_s3_location,
description,
engine_security_group_id,
name,
service_role,
studio_id,
subnet_ids,
tags,
url,
user_role,
vpc_id,
workspace_security_group_id,
idp_auth_url,
idp_relay_state_parameter_name,
trusted_identity_propagation_enabled,
idc_user_assignment,
idc_instance_arn,
encryption_key_arn
FROM aws.emr.studios
WHERE region = 'us-east-1';

Gets all properties from an individual studio.

SELECT
region,
arn,
auth_mode,
default_s3_location,
description,
engine_security_group_id,
name,
service_role,
studio_id,
subnet_ids,
tags,
url,
user_role,
vpc_id,
workspace_security_group_id,
idp_auth_url,
idp_relay_state_parameter_name,
trusted_identity_propagation_enabled,
idc_user_assignment,
idc_instance_arn,
encryption_key_arn
FROM aws.emr.studios
WHERE region = 'us-east-1' AND data__Identifier = '<StudioId>';

INSERT example

Use the following StackQL query and manifest file to create a new studio resource, using stack-deploy.

/*+ create */
INSERT INTO aws.emr.studios (
 AuthMode,
 DefaultS3Location,
 EngineSecurityGroupId,
 Name,
 ServiceRole,
 SubnetIds,
 VpcId,
 WorkspaceSecurityGroupId,
 region
)
SELECT 
'{{ AuthMode }}',
 '{{ DefaultS3Location }}',
 '{{ EngineSecurityGroupId }}',
 '{{ Name }}',
 '{{ ServiceRole }}',
 '{{ SubnetIds }}',
 '{{ VpcId }}',
 '{{ WorkspaceSecurityGroupId }}',
'{{ region }}';

DELETE example

/*+ delete */
DELETE FROM aws.emr.studios
WHERE data__Identifier = '<StudioId>'
AND region = 'us-east-1';

Permissions

To operate on the studios resource, the following permissions are required:

Create

elasticmapreduce:CreateStudio,
elasticmapreduce:DescribeStudio,
elasticmapreduce:AddTags,
sso:CreateManagedApplicationInstance,
sso:DeleteManagedApplicationInstance,
iam:PassRole

Read

elasticmapreduce:DescribeStudio,
sso:GetManagedApplicationInstance

Update

elasticmapreduce:UpdateStudio,
elasticmapreduce:DescribeStudio,
elasticmapreduce:AddTags,
elasticmapreduce:RemoveTags

Delete

elasticmapreduce:DeleteStudio,
elasticmapreduce:DescribeStudio,
sso:DeleteManagedApplicationInstance

List

elasticmapreduce:ListStudios