Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)
AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Granting permissions for Amazon S3 Batch Operations

This section describes how to grant the permissions required to create and run Batch Operations jobs.

Required permissions for creating an Amazon S3 Batch Operations job

To create an Amazon S3 Batch Operations job, the s3:CreateJob permission is required. The same entity that creates the job must also have the iam:PassRole permission, so that it can pass the AWS Identity and Access Management (IAM) role specified for the job to Amazon S3 Batch Operations. For information about creating this IAM role, see the next topic, Creating an Amazon S3 Batch Operations IAM role.

创建 Amazon S3 批量操作 IAM 角色

Amazon S3 必须具有您的权限才能代表您执行批量操作。您通过 AWS Identity and Access Management (IAM) 角色授予这些权限。此部分提供您在创建 IAM 角色时使用的信任和权限策略的示例。有关更多信息,请参阅 IAM 角色

Trust policy

You can attach the following trust policy to the IAM role to allow the Amazon S3 Batch Operations service principal to assume the role.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "batchoperations.s3.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Permissions policies

Depending on the type of operation, you can attach one of the following policies.

Note

  • Regardless of the operation, Amazon S3 needs permission to read the manifest object from your S3 bucket and, optionally, to write a report to your bucket. Therefore, all of the following policies include these permissions.

  • For Amazon S3 inventory report manifests, Amazon S3 Batch Operations needs permission to read the manifest.json object and all associated CSV data files.

  • When you specify an object's version ID, only the version-specific permissions, such as s3:GetObjectVersion, are required.

  • PUT copy object

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectTagging"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::{{DestinationBucket}}/*"
        },
        {
          "Action": [
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:GetObjectTagging"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::{{SourceBucket}}/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ManifestBucket}}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ReportBucket}}/*"
          ]
        }
      ]
    }
  • PUT object tagging

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObjectTagging",
            "s3:PutObjectVersionTagging"
          ],
          "Resource": "arn:aws:s3:::{{TargetResource}}/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ManifestBucket}}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ReportBucket}}/*"
          ]
        }
      ]
    }
  • PUT object ACL

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObjectAcl",
            "s3:PutObjectVersionAcl"
          ],
          "Resource": "arn:aws:s3:::{{TargetResource}}/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ManifestBucket}}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ReportBucket}}/*"
          ]
        }
      ]
    }
  • Initiate Glacier restore

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:RestoreObject"
          ],
          "Resource": "arn:aws:s3:::{{TargetResource}}/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ManifestBucket}}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{ReportBucket}}/*"
          ]
        }
      ]
    }
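As an added check that is not part of the AWS documentation: the following Python renders the trust policy and the PUT object tagging policy shown above from their {{Placeholder}} templates and flags a role whose trust policy admits any principal other than batchoperations.s3.amazonaws.com, or whose permissions policy uses wildcard actions or resources, or names a bucket you did not intend. The render_policy and check_role_policies helpers and the bucket names are constructed for this example.

```python
import json
import re

# Templates copied from the trust policy and the PUT object tagging policy above.
# The {{Name}} placeholders are the page's own; bucket names passed in are
# constructed sample values, not real buckets.
TRUST_POLICY_TEMPLATE = """{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",
  "Principal": { "Service": "batchoperations.s3.amazonaws.com" },
  "Action": "sts:AssumeRole" } ] }"""
PERMISSIONS_TEMPLATE = """{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": [ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ],
    "Resource": "arn:aws:s3:::{{TargetResource}}/*" },
  { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ],
    "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] },
  { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ],
    "Resource": [ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }"""

BATCH_OPS_PRINCIPAL = "batchoperations.s3.amazonaws.com"
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def render_policy(template, values):
    """Fill every {{Placeholder}} and parse the result as JSON.
    A missing value raises KeyError, so a half-filled policy is never emitted."""
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_role_policies(trust, perms, expected_buckets):
    """Return findings for the role's trust + permissions policy pair (empty = looks sound)."""
    findings = []
    for stmt in trust["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") == "Allow" and services != [BATCH_OPS_PRINCIPAL]:
            findings.append(f"trust policy allows principal {services}, expected only {BATCH_OPS_PRINCIPAL}")
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("trust policy grants actions beyond sts:AssumeRole")
    for stmt in perms["Statement"]:
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append("permissions policy grants wildcard actions")
        for res in _as_list(stmt.get("Resource")):
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"permissions policy uses wildcard resource {res}")
            elif PLACEHOLDER.search(res):
                findings.append(f"unrendered placeholder in resource {res}")
            elif res.split(":::", 1)[-1].split("/", 1)[0] not in expected_buckets:
                findings.append(f"resource {res} is outside the expected buckets")
    return findings
```

Run the check against the rendered policies before attaching them with iam:PassRole; any finding means the role grants more than the job needs.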