Granting permissions for Amazon S3 Batch Operations - Amazon Simple Storage Service
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This guide is no longer being updated. For current information and instructions, see the new Amazon S3 User Guide.

Granting permissions for Amazon S3 Batch Operations

This section describes how to grant the permissions required to create and run S3 Batch Operations jobs.

Required permissions for creating an S3 Batch Operations job

To create an Amazon S3 Batch Operations job, the s3:CreateJob permission is required. The same entity that creates the job must also have the iam:PassRole permission, so that it can pass the AWS Identity and Access Management (IAM) role specified for the job to Amazon S3 Batch Operations. For information about creating this IAM role, see the next topic, Creating an S3 Batch Operations IAM role.

Creating an S3 Batch Operations IAM role

Amazon S3 must have your permission to perform S3 Batch Operations on your behalf. You grant these permissions through an AWS Identity and Access Management (IAM) role. This section provides examples of the trust policy and permissions policies that you use when creating the IAM role. For more information, see IAM roles. For an example, see Example: Using job tags to control permissions for S3 Batch Operations.

In an IAM policy, you can also use condition keys to filter access to S3 Batch Operations jobs. For more information and a complete list of Amazon S3-specific condition keys, see Actions, resources, and condition keys for Amazon S3.


Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
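The two policies described so far decide who can start a job and who can become the job's role: the creator's identity policy (s3:CreateJob plus iam:PassRole, from the "Required permissions" section above) and the role's trust policy. The following checker is an added example, not code from the AWS documentation or from any AWS tool. It reads both policy documents as Python dicts and reports the weaknesses a reviewer looks for: iam:PassRole on Resource "*", a PassRole grant that is not pinned to the Batch Operations service with the iam:PassedToService condition key, and a trust policy that admits principals other than batchoperations.s3.amazonaws.com. The role ARN and account ID are constructed, and the "no Condition block" finding on the trust policy is a hardening recommendation (an aws:SourceAccount guard) that goes beyond what this page shows.

```python
"""Added example (not code from the AWS documentation page): checks for the two
policies that gate who can start a Batch Operations job -- the job creator's
identity policy (s3:CreateJob + iam:PassRole) and the role's trust policy.
The role ARN, account ID and helper names are constructed for illustration."""

BATCH_OPS_SERVICE = "batchoperations.s3.amazonaws.com"  # service principal from the page
ROLE_ARN = "arn:aws:iam::111122223333:role/batch-ops-role"  # constructed


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and Principal.Service."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _allow_statements(doc):
    return [st for st in _as_list(doc.get("Statement")) if st.get("Effect") == "Allow"]


def check_creator_policy(doc, role_arn):
    """Findings for the identity policy of the principal that calls CreateJob.
    It needs s3:CreateJob, and iam:PassRole scoped to the Batch Operations role
    and pinned to the service with the iam:PassedToService condition key."""
    findings = []
    can_create = pass_role_seen = False
    for st in _allow_statements(doc):
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "s3:CreateJob" in actions:
            can_create = True
        if "iam:PassRole" in actions:
            pass_role_seen = True
            if "*" in resources:
                findings.append("iam:PassRole on Resource '*' lets the caller hand any role to S3")
            elif role_arn not in resources:
                findings.append(f"iam:PassRole does not name the Batch Operations role {role_arn}")
            service = st.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
            if service != BATCH_OPS_SERVICE:
                findings.append(f"iam:PassRole is not restricted to {BATCH_OPS_SERVICE}")
    if not can_create:
        findings.append("missing s3:CreateJob")
    if not pass_role_seen:
        findings.append("missing iam:PassRole")
    return findings


def check_trust_policy(doc):
    """Findings for the role's trust policy: only the Batch Operations service
    principal should be able to assume the role. The Condition check is an
    added recommendation (aws:SourceAccount as a confused-deputy guard), not
    something the page requires."""
    findings = []
    allows_batch = False
    for st in _allow_statements(doc):
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append("trust policy lets any principal assume the role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        this_allows = BATCH_OPS_SERVICE in services
        allows_batch = allows_batch or this_allows
        for service in services:
            if service != BATCH_OPS_SERVICE:
                findings.append(f"unexpected service principal {service}")
        if this_allows and "Condition" not in st:
            findings.append("service-principal statement has no Condition block "
                            "(consider aws:SourceAccount to pin it to your account)")
    if not allows_batch:
        findings.append(f"{BATCH_OPS_SERVICE} cannot assume the role")
    return findings


# Trust policy exactly as shown on the page.
TRUST_POLICY_FROM_PAGE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": BATCH_OPS_SERVICE},
                   "Action": "sts:AssumeRole"}],
}

# Constructed creator policy: CreateJob plus a tightly scoped PassRole.
GOOD_CREATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:CreateJob", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": BATCH_OPS_SERVICE}}},
    ],
}

# Constructed shortcut seen in practice: PassRole on every role in the account.
WEAK_CREATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:CreateJob", "iam:PassRole"], "Resource": "*"}],
}

if __name__ == "__main__":
    for name, findings in [("good creator", check_creator_policy(GOOD_CREATOR_POLICY, ROLE_ARN)),
                           ("weak creator", check_creator_policy(WEAK_CREATOR_POLICY, ROLE_ARN)),
                           ("trust (page)", check_trust_policy(TRUST_POLICY_FROM_PAGE))]:
        print(name, findings or "OK")
```

Run against the page's trust policy the checker returns a single advisory finding (no Condition block); against the constructed wide-open creator policy it reports both the unscoped PassRole resource and the missing iam:PassedToService condition.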

Permissions policy

Depending on the type of operation, you can attach one of the following policies.

Note
  • Regardless of the operation, Amazon S3 needs permission to read the manifest object from your S3 bucket and, optionally, to write the report to your bucket. Therefore, all of the following policies include these permissions.

  • For an Amazon S3 Inventory report manifest, S3 Batch Operations needs permission to read the manifest.json object and all associated CSV data files.

  • Version-specific permissions such as s3:GetObjectVersion are required only when you specify the version IDs of the objects.

  • If you run S3 Batch Operations on encrypted objects, the IAM role must also have access to the AWS KMS keys used to encrypt those objects.

  • PUT copy object

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::{{DestinationBucket}}/*"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::{{SourceBucket}}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```

  • PUT object tagging

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::{{TargetResource}}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```

  • PUT object ACL

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::{{TargetResource}}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```

  • Initiate S3 Glacier restore

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::{{TargetResource}}/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```

  • PUT S3 Object Lock retention

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::{{TargetResource}}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectRetention",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::{{TargetResource}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```

  • PUT S3 Object Lock legal hold

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::{{TargetResource}}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": [
        "arn:aws:s3:::{{TargetResource}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ManifestBucket}}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::{{ReportBucket}}/*"
      ]
    }
  ]
}
```
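The note above states the requirements every one of these permissions policies has to meet: the operation's own actions on the target, read access to the manifest, optional write access for the report, version-specific actions when version IDs are used, and KMS access for encrypted objects. The following checker is an added example, not code from the AWS documentation or from any AWS tool; it encodes those requirements and runs them over a policy document, also flagging any statement that grants actions on Resource "*". The operation names used as keys, the kms:Decrypt minimum for encrypted objects, and the assumption that a versioned copy needs s3:GetObjectVersion on the source are choices made here, and the bucket names are constructed. The page's PUT object tagging policy is included as the sample input, with its {{...}} placeholders filled in.

```python
"""Added example (not code from the AWS documentation page): compares a Batch
Operations role's permissions policy with the requirements the note lists --
the operation's own actions, manifest read, report write, version-specific
actions and KMS access -- and flags Resource "*" grants.
Operation names are labels chosen here; bucket names are constructed."""
from fnmatch import fnmatchcase

# Per-operation actions, taken from the policies shown on the page.
# s3:BypassGovernanceRetention is deliberately left out: grant it only when a
# job must shorten or remove governance-mode retention.
OPERATION_ACTIONS = {
    "PutObjectCopy": {"s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging",
                      "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging"},
    "PutObjectTagging": {"s3:PutObjectTagging", "s3:PutObjectVersionTagging"},
    "PutObjectAcl": {"s3:PutObjectAcl", "s3:PutObjectVersionAcl"},
    "RestoreObject": {"s3:RestoreObject"},
    "PutObjectRetention": {"s3:GetBucketObjectLockConfiguration", "s3:PutObjectRetention"},
    "PutObjectLegalHold": {"s3:GetBucketObjectLockConfiguration", "s3:PutObjectLegalHold"},
}
MANIFEST_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _grants(doc):
    """Flatten Allow statements into (action_pattern, resource_pattern) pairs."""
    return [(action, resource)
            for st in _as_list(doc.get("Statement")) if st.get("Effect") == "Allow"
            for action in _as_list(st.get("Action"))
            for resource in _as_list(st.get("Resource"))]


def _granted(grants, action, arn):
    """True if some grant covers the action on the ARN (IAM-style * wildcards)."""
    return any(fnmatchcase(action, a) and fnmatchcase(arn, r) for a, r in grants)


def check_permissions_policy(doc, operation, manifest_bucket, report_bucket,
                             versioned=False, kms_encrypted=False):
    """Return a list of findings; an empty list means every requirement is met."""
    grants = _grants(doc)
    findings = []
    required = set(OPERATION_ACTIONS[operation])
    if versioned and operation == "PutObjectCopy":
        required.add("s3:GetObjectVersion")  # assumption: versioned copy reads the source by version ID
    for action in sorted(required):
        if not any(fnmatchcase(action, a) for a, _ in grants):
            findings.append(f"{operation}: missing {action}")
    # Manifest read: the page grants these on {{ManifestBucket}}/*.
    manifest_arn = f"arn:aws:s3:::{manifest_bucket}/manifest.json"
    for action in MANIFEST_ACTIONS:
        if not _granted(grants, action, manifest_arn):
            findings.append(f"manifest: missing {action} on {manifest_bucket}")
    # Report write: the page grants s3:PutObject on {{ReportBucket}}/*.
    report_arn = f"arn:aws:s3:::{report_bucket}/job-report/manifest.json"
    if not _granted(grants, "s3:PutObject", report_arn):
        findings.append(f"report: missing s3:PutObject on {report_bucket}")
    # Encrypted objects: the page requires access to the KMS key; kms:Decrypt is the minimum checked here.
    if kms_encrypted and not any(fnmatchcase("kms:Decrypt", a) for a, _ in grants):
        findings.append("objects are KMS-encrypted but the role grants no kms:Decrypt")
    for a, r in grants:
        if r == "*":
            findings.append(f"{a} is allowed on Resource '*' (scope it to the job's buckets)")
    return findings


# The PUT object tagging policy from the page, placeholders filled with constructed bucket names.
TAGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
         "Resource": "arn:aws:s3:::example-target/*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::example-manifests/*"]},
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::example-reports/*"]},
    ],
}

# Constructed shortcut policy: a wildcard grant and no report bucket at all.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*Tagging", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-manifests/*"},
    ],
}

if __name__ == "__main__":
    for name, doc in [("page tagging policy", TAGGING_POLICY), ("overbroad policy", OVERBROAD_POLICY)]:
        result = check_permissions_policy(doc, "PutObjectTagging", "example-manifests", "example-reports")
        print(name, result or "OK")
```

The page's tagging policy passes cleanly, and passing kms_encrypted=True for the same policy yields exactly one finding, which is the check the note's last bullet asks for. The constructed wildcard policy satisfies the operation's own actions but fails on the manifest and report requirements and is flagged for its Resource "*" grant.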