登录控制台
Amazon Redshift
群集管理指南 (API 版本 2012-12-01)
AWS 文档 » Amazon Redshift » 群集管理指南 » 安全性 » Amazon Redshift 的身份验证和访问控制 » Amazon Redshift API 权限参考
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 Amazon AWS 入门

Amazon Redshift API 权限参考

在设置 访问控制 和编写您可挂载到 IAM 身份的权限策略(基于身份的策略)时,可以使用下表作为参考。表列表各项 Amazon Redshift API 操作、您执行该操作所需授予的相应操作的权限、您可以授予权限的 AWS 资源以及您可以使用哪些条件键来细化访问控制(有关条件的更多信息,请参阅 使用 IAM 策略条件实现精细访问控制)。您需要在策略的 Action 字段中指定操作、在策略的 Resource 字段中指定资源值、在策略的 Condition 字段中指定条件。

注意

要指定操作,请在 API 操作名称之前使用 redshift: 前缀(例如,redshift:CreateCluster)。

如果在表右上角处看到扩展箭头 (),则您可以在新窗口中打开该表(要关闭窗口,请选择右下角处的关闭按钮 (X))。

Amazon Redshift API 和必需的操作权限

Amazon Redshift API 操作 资源 条件键

AuthorizeClusterSecurityGroupIngress

redshift:AuthorizeClusterSecurityGroupIngress

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

AuthorizeSnapshotAccess

redshift:AuthorizeSnapshotAccess

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

CopyClusterSnapshot

redshift:CopyClusterSnapshot

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/source-snapshot-name

arn:aws:redshift:region:account-id:snapshot:cluster-name/target-snapshot-name

CreateCluster

redshift:CreateCluster

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:RequestTag

CreateClusterParameterGroup

redshift:CreateClusterParameterGroup

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

redshift:RequestTag

CreateClusterSecurityGroup

redshift:CreateClusterSecurityGroup

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

redshift:RequestTag

CreateClusterSnapshot

redshift:CreateClusterSnapshot

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

redshift:RequestTag

CreateClusterSubnetGroup

redshift:CreateClusterSubnetGroup

子网组

arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

redshift:RequestTag

CreateEventSubscription

redshift:CreateEventSubscription

事件订阅

arn:aws:redshift:region:account-id:eventsubscription:event-subscription-name

CreateHsmClientCertificate

redshift:CreateHsmClientCertificate

HSM 客户端证书

arn:aws:redshift:region:account-id:hsmclientcertificate:HSM-client-certificate-id

redshift:RequestTag

CreateHsmConfiguration

redshift:CreateHsmConfiguration

HSM 配置

arn:aws:redshift:region:account-id:hsmconfiguration:HSM-configuration-id

redshift:RequestTag

CreateSnapshotCopyGrant

redshift:CreateSnapshotCopyGrant

快照复制授予

arn:aws:redshift:region:account-id:snapshotcopygrant:snapshot-copy-grant-name

redshift:RequestTag

CreateTags

redshift:CreateTags

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:RequestTag

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

HSM 客户端证书

arn:aws:redshift:region:account-id:hsmclientcertificate:HSM-client-certificate-id

HSM 配置

arn:aws:redshift:region:account-id:hsmconfiguration:HSM-configuration-id

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

快照复制授予

arn:aws:redshift:region:account-id:snapshotcopygrant:snapshot-copy-grant-name

子网组

arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

DeleteCluster

redshift:DeleteCluster

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

DeleteClusterParameterGroup

redshift:DeleteClusterParameterGroup

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

redshift:ResourceTag

DeleteClusterSecurityGroup

redshift:DeleteClusterSecurityGroup

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

redshift:ResourceTag

DeleteClusterSnapshot

redshift:DeleteClusterSnapshot

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

redshift:ResourceTag

DeleteClusterSubnetGroup

redshift:DeleteClusterSubnetGroup

子网组

arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

redshift:ResourceTag

DeleteEventSubscription

redshift:DeleteEventSubscription

事件订阅

arn:aws:redshift:region:account-id:eventsubscription:event-subscription-name

DeleteHsmClientCertificate

redshift:DeleteHsmClientCertificate

HSM 客户端证书

arn:aws:redshift:region:account-id:hsmclientcertificate:HSM-client-certificate-id

redshift:ResourceTag

DeleteHsmConfiguration

redshift:DeleteHsmConfiguration

HSM 配置

arn:aws:redshift:region:account-id:hsmconfiguration:HSM-configuration-id

redshift:ResourceTag

DeleteSnapshotCopyGrant

redshift:DeleteSnapshotCopyGrant

快照复制授予

arn:aws:redshift:region:account-id:snapshotcopygrant:snapshot-copy-grant-name

redshift:ResourceTag

DeleteTags

redshift:DeleteTags

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

HSM 客户端证书

arn:aws:redshift:region:account-id:hsmclientcertificate:HSM-client-certificate-id

HSM 配置

arn:aws:redshift:region:account-id:hsmconfiguration:HSM-configuration-id

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

快照复制授予

arn:aws:redshift:region:account-id:snapshotcopygrant:snapshot-copy-grant-name

子网组

arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

DescribeClusterParameterGroups

redshift:DescribeClusterParameterGroups

redshift:ResourceTag

DescribeClusterParameters

redshift:DescribeClusterParameters

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

DescribeClusters

redshift:DescribeClusters

DescribeClusterSecurityGroups

redshift:DescribeClusterSecurityGroups

DescribeClusterSnapshots

redshift:DescribeClusterSnapshots

DescribeClusterSubnetGroups

redshift:DescribeClusterSubnetGroups

DescribeClusterVersions

redshift:DescribeClusterVersions

DescribeDefaultClusterParameters

redshift:DescribeDefaultClusterParameters

DescribeEventCategories

redshift:DescribeEventCategories

DescribeEvents

redshift:DescribeEvents

DescribeEventSubscriptions

redshift:DescribeEventSubscriptions

DescribeHsmClientCertificates

redshift:DescribeHsmClientCertificates

DescribeHsmConfigurations

redshift:DescribeHsmConfigurations

DescribeLoggingStatus

redshift:DescribeLoggingStatus

DescribeOrderableClusterOptions

redshift:DescribeOrderableClusterOptions

DescribeReservedNodeOfferings

redshift:DescribeReservedNodeOfferings

DescribeReservedNodes

redshift:DescribeReservedNodes

DescribeResize

redshift:DescribeResize

DescribeSnapshotCopyGrants

redshift:DescribeSnapshotCopyGrants

DescribeTableRestoreStatus

redshift:DescribeTableRestoreStatus

DescribeTags

redshift:DescribeTags

DisableLogging

redshift:DisableLogging

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

DisableSnapshotCopy

redshift:DisableSnapshotCopy

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

EnableLogging

redshift:EnableLogging

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

EnableSnapshotCopy

redshift:EnableSnapshotCopy

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

GetClusterCredentials

redshift:GetClusterCredentials

redshift:CreateClusterUser

redshift:JoinGroup

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

redshift:DbName

redshift:DbUser

redshift:DurationSeconds

Database

arn:aws:redshift:region:account-id:cluster:cluster-name/database-name

数据库用户

arn:aws:redshift:region:account-id:cluster:cluster-name/database-user-name

数据库组

arn:aws:redshift:region:account-id:cluster:cluster-name/database-group-name

ModifyClusterParameterGroup

redshift:ModifyClusterParameterGroup

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

redshift:ResourceTag

ModifyClusterSubnetGroup

redshift:ModifyClusterSubnetGroup

子网组

arn:aws:redshift:region:account-id:subnetgroup:subnet-group-name

redshift:ResourceTag

ModifyEventSubscription

redshift:ModifyEventSubscription

事件订阅

arn:aws:redshift:region:account-id:eventsubscription:event-subscription-name

redshift:ResourceTag

ModifySnapshotCopyRetentionPeriod

redshift:ModifySnapshotCopyRetentionPeriod

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

PurchaseReservedNodeOffering

redshift:PurchaseReservedNodeOffering

RebootCluster

redshift:RebootCluster

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

ResetClusterParameterGroup

redshift:ResetClusterParameterGroup

参数组

arn:aws:redshift:region:account-id:parametergroup:parameter-group-name

redshift:ResourceTag

RestoreFromClusterSnapshot

redshift:RestoreFromClusterSnapshot

群集

arn:aws:redshift:region:account-id:cluster:target-cluster-name

redshift:ResourceTag

快照

arn:aws:redshift:region:account-id:snapshot:snapshot-cluster-name/snapshot-name

RestoreTableFromClusterSnapshot

redshift:RestoreTableFromClusterSnapshot

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

redshift:ResourceTag

RevokeClusterSecurityGroupIngress

redshift:RevokeClusterSecurityGroupIngress

群集安全组

arn:aws:redshift:region:account-id:securitygroup:security-group-name

redshift:ResourceTag

RevokeSnapshotAccess

redshift:RevokeSnapshotAccess

快照

arn:aws:redshift:region:account-id:snapshot:cluster-name/snapshot-name

redshift:ResourceTag

RotateEncryptionKey

redshift:RotateEncryptionKey

群集

arn:aws:redshift:region:account-id:cluster:cluster-name

redshift:ResourceTag

Redshift 还支持并非基于 Amazon Redshift API 的以下操作:

  • redshift:ViewQueriesInConsole 操作用于控制用户能否在 Amazon Redshift console中 Cluster 部分的 Queries 选项卡上看到查询。

  • redshift:CancelQuerySession 操作用于控制用户能否从 Amazon Redshift console中的 Cluster 部分终止正在运行的查询和加载。