
Better inline policy/arn with essential privileges to create the emr virtualcluster using ACK #2096

Open
kirananil007 opened this issue Jun 21, 2024 · 2 comments
Labels
kind/enhancement Categorizes issue or PR as related to existing feature enhancements. service/emrcontainers Indicates issues or PRs that are related to emrcontainers-controller.

Comments

@kirananil007

What is the URL of the document?

https://aws-controllers-k8s.github.io/community/docs/user-docs/irsa/

Which section(s) is the issue in?

https://github.com/aws-controllers-k8s/emrcontainers-controller/tree/main/config/iam

What needs fixing?

https://github.com/aws-controllers-k8s/emrcontainers-controller/tree/main/config/iam
The following page doesn't have an ARN specified, similar to ACK S3:
https://github.com/aws-controllers-k8s/s3-controller/blob/main/config/iam/recommended-policy-arn

Currently it only has an inline policy, which is insufficient in terms of cluster-creation privileges.

Additional context
A valid ARN will be helpful to fix the validation issue which I'm facing while creating an EMR virtual cluster using ACK.

If I give admin privileges I am able to create the virtualcluster successfully, which is not ideal for clusters other than test environments.

Appreciate something similar to ACK S3: arn:aws:iam::aws:policy/AmazonS3FullAccess for ACK EMR as well to be documented.

This is the output of $ kubectl describe virtualclusters

Name:         my-ack-vc
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  emrcontainers.services.k8s.aws/v1alpha1
Kind:         VirtualCluster
Metadata:
  Creation Timestamp:  2024-06-21T19:30:01Z
  Finalizers:
    finalizers.emrcontainers.services.k8s.aws/VirtualCluster
  Generation:        3
  Resource Version:  34043
  UID:               102d8601-1d0f-475d-8681-8e61e2f6767b
Spec:
  Container Provider:
    Id:  eks-emr
    Info:
      Eks Info:
        Namespace:  ack-system
    type_:          EKS
  Name:             my-ack-vc
Status:
  Ack Resource Metadata:
    Owner Account ID:  1XXX4X8X4XXX
    Region:            us-east-1
  Conditions:
    Message:               ValidationException: Unauthorized to perform read namespace on ack-system
    Status:                True
    Type:                  ACK.Terminal
    Last Transition Time:  2024-06-21T19:56:47Z
    Message:               Resource not synced
    Reason:                resource is in terminal condition
    Status:                False
    Type:                  ACK.ResourceSynced
Events:                    <none>
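As an added example (not code from the issue or from the ACK project), a small Python helper that reads the ACK status conditions shown in the output above and flags resources the controller has given up on, separating authorization failures like this one from other terminal errors. The condition types and message are taken from the output above; the input shape assumes items from `kubectl get virtualclusters -A -o json`.

```python
import re

# Constructed example, not ACK project code: classify ACK resources by the
# status conditions the controller sets (ACK.Terminal / ACK.ResourceSynced),
# as seen in `kubectl get <kind> -o json` items.

# Substrings that mark an authorization failure in the controller's message.
AUTHZ_MARKERS = re.compile(r"Unauthorized|AccessDenied|not authorized", re.I)


def condition(status: dict, ctype: str) -> dict:
    """Return the condition of the given type from a status block ({} if absent)."""
    return next((c for c in status.get("conditions", []) if c.get("type") == ctype), {})


def classify(resource: dict) -> tuple[str, str]:
    """Return (state, message); state is synced, pending, terminal or terminal-authz."""
    status = resource.get("status", {})
    terminal = condition(status, "ACK.Terminal")
    if terminal.get("status") == "True":
        msg = terminal.get("message", "")
        return ("terminal-authz" if AUTHZ_MARKERS.search(msg) else "terminal"), msg
    synced = condition(status, "ACK.ResourceSynced")
    if synced.get("status") == "True":
        return "synced", ""
    return "pending", synced.get("message", "")


def unsynced(items: list[dict]) -> list[tuple[str, str, str]]:
    """List (namespace/name, state, message) for every resource that is not synced."""
    rows = []
    for item in items:
        meta = item.get("metadata", {})
        state, msg = classify(item)
        if state != "synced":
            rows.append((f"{meta.get('namespace')}/{meta.get('name')}", state, msg))
    return rows


# Constructed sample mirroring the VirtualCluster status in the issue.
SAMPLE_ITEMS = [{
    "metadata": {"name": "my-ack-vc", "namespace": "default"},
    "status": {"conditions": [
        {"type": "ACK.Terminal", "status": "True",
         "message": "ValidationException: Unauthorized to perform read namespace on ack-system"},
        {"type": "ACK.ResourceSynced", "status": "False",
         "reason": "resource is in terminal condition", "message": "Resource not synced"},
    ]},
}]
```

Run `unsynced(json.load(...)["items"])` over the live `kubectl get ... -o json` output to get the same rows for a real cluster.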
@a-hilaly (Member)

> Currently it only has an inline policy, which is insufficient in terms of cluster-creation privileges.

Can you please tell more about the missing IAM Policies? What permissions are we missing?

> arn:aws:iam::aws:policy/AmazonS3FullAccess

Managed policies are created by service teams; if there isn't one for EMR, we will have to use an inline policy, unfortunately.

@a-hilaly a-hilaly added kind/enhancement Categorizes issue or PR as related to existing feature enhancements. service/emrcontainers Indicates issues or PRs that are related to emrcontainers-controller. labels Jun 21, 2024
@kirananil007 (Author)

These are the default AWS managed policies available from the console. None of them provide access to emr-containers:* services.
[Screenshot: 2024-06-21 at 6:21:39 PM]
