Granting permissions for Amazon S3 Batch Operations - Amazon Simple Storage Service
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


Before you create and run an S3 Batch Operations job, you must grant the required permissions. To create an Amazon S3 Batch Operations job, the user needs the s3:CreateJob permission. The same entity that creates the job must also have the iam:PassRole permission so that it can pass the Amazon Identity and Access Management (IAM) role specified for the job to Batch Operations.

For general information about specifying IAM resources, see IAM JSON policy elements: Resource in the IAM User Guide. The following sections provide information about creating an IAM role and attaching policies.

Creating an S3 Batch Operations IAM role

Amazon S3 must have permission to perform S3 Batch Operations on your behalf. You grant these permissions through an Amazon Identity and Access Management (IAM) role. This section provides examples of the trust and permissions policies that you use when you create the IAM role. For more information, see IAM roles in the IAM User Guide. For examples, see Controlling permissions for S3 Batch Operations using job tags and Copying objects using S3 Batch Operations.

In IAM policies, you can also use condition keys to filter access to S3 Batch Operations jobs. For more information and a complete list of Amazon S3-specific condition keys, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attaching permissions policies

Depending on the type of operation, you can attach one of the following policies.

Before you configure permissions, note the following:

  • Regardless of the operation, Amazon S3 needs permission to read the manifest object from your S3 bucket and, optionally, to write a report to your bucket. Therefore, all of the following policies include these permissions.

  • For Amazon S3 Inventory report manifests, S3 Batch Operations needs permission to read the manifest.json object and all associated CSV data files.

  • When you specify version IDs for objects, only version-specific permissions such as s3:GetObjectVersion are needed.

  • If you run S3 Batch Operations on encrypted objects, the IAM role must also have access to the Amazon KMS keys that were used to encrypt those objects.

  • If you submit an inventory report manifest that is encrypted with Amazon KMS, your IAM policy must include the "kms:Decrypt" and "kms:GenerateDataKey" permissions for the manifest.json object and all associated CSV data files.

Copy objects: PutObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectTagging"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DestinationBucket/*"
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::SourceBucket",
        "arn:aws:s3:::SourceBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replace object tags: PutObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Delete object tags: DeleteObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersionTagging"
      ],
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replace access control list: PutObjectAcl

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Restore objects: RestoreObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::TargetResource/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Apply Object Lock retention: PutObjectRetention

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::TargetResource"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectRetention",
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Apply Object Lock legal hold: PutObjectLegalHold

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": [
        "arn:aws:s3:::TargetResource"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": [
        "arn:aws:s3:::TargetResource/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::ManifestBucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::ReportBucket/*"
      ]
    }
  ]
}

Replicate existing objects: Initiate replication with an S3-generated manifest

Use this policy if you use and store an S3-generated manifest. For more information about replicating existing objects with Batch Operations, see Replicating existing objects with S3 Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:InitiateReplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***/*"
      ]
    },
    {
      "Action": [
        "s3:GetReplicationConfiguration",
        "s3:PutInventoryConfiguration"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** manifest bucket ***/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*** completion report bucket ****/*",
        "arn:aws:s3:::*** manifest bucket ****/*"
      ]
    }
  ]
}

Replicate existing objects: Initiate replication with a user manifest

Use this policy when you use a user-provided manifest. For more information about replicating existing objects with Batch Operations, see Replicating existing objects with S3 Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:InitiateReplication"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** replication source bucket ***/*"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*** manifest bucket ***/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*** completion report bucket ****/*"
      ]
    }
  ]
}
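As an added example (not part of the AWS documentation or any AWS tool), the following Python lint encodes the rules stated above for the trust policy and the single-resource operation policies: the role must be assumable only by the Batch Operations service principal, and the permissions policy must grant the manifest-read and report-write actions, the operation's own actions, and the KMS actions when the manifest is KMS-encrypted. The OPERATION_ACTIONS table, the check for unscoped Resource values, and the decision not to expand action wildcards are this example's own assumptions.

```python
# Operation-specific actions taken from the policy examples on this page
# (copy and replication span several buckets and are not modelled here).
OPERATION_ACTIONS = {
    "PutObjectTagging": {"s3:PutObjectTagging", "s3:PutObjectVersionTagging"},
    "DeleteObjectTagging": {"s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"},
    "PutObjectAcl": {"s3:PutObjectAcl", "s3:PutObjectVersionAcl"},
    "RestoreObject": {"s3:RestoreObject"},
    "PutObjectRetention": {"s3:PutObjectRetention", "s3:GetBucketObjectLockConfiguration"},
    "PutObjectLegalHold": {"s3:PutObjectLegalHold", "s3:GetBucketObjectLockConfiguration"},
}
# Every job reads the manifest and (optionally) writes a completion report.
COMMON_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"}
KMS_MANIFEST_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}  # extra when the manifest is KMS-encrypted
BATCH_PRINCIPAL = "batchoperations.s3.amazonaws.com"

def _as_list(value):
    # IAM allows Action, Resource and Principal.Service to be a string or a list.
    return value if isinstance(value, list) else [value]

def check_trust_policy(trust):
    """Findings for a trust policy; empty means only the Batch Operations principal can assume the role."""
    findings, services = [], set()
    for st in _as_list(trust["Statement"]):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if principal == "*" or not isinstance(principal, dict) or "AWS" in principal:
            findings.append("trust policy lets a non-service principal assume the role")
            continue
        services.update(_as_list(principal.get("Service", [])))
    if BATCH_PRINCIPAL not in services:
        findings.append(f"trust policy does not allow {BATCH_PRINCIPAL}")
    findings += [f"unexpected service principal: {s}" for s in sorted(services - {BATCH_PRINCIPAL})]
    return findings

def check_permissions_policy(policy, operation, kms_manifest=False):
    """Findings: required actions not granted explicitly (action wildcards are not expanded) and unscoped Resources."""
    required = COMMON_ACTIONS | OPERATION_ACTIONS[operation]
    if kms_manifest:
        required = required | KMS_MANIFEST_ACTIONS
    granted, findings = set(), []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        actions = set(_as_list(st["Action"]))
        granted |= actions
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(st.get("Resource", []))):
            findings.append(f"unscoped Resource for actions {sorted(actions)}")
    findings += [f"missing action: {a}" for a in sorted(required - granted)]
    return findings
```

Run the two checks against the role's trust and permissions policy documents (for example, as returned by the IAM API) before creating the job; an empty findings list for each means the role matches the policy shapes given on this page.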