授予 Amazon S3 分批操作的权限 - Amazon Simple Storage Service
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

授予 Amazon S3 分批操作的权限

在创建和运行 S3 分批操作任务之前,您必须授予所需的权限。要创建 Amazon S3 分批操作任务,需要 s3:CreateJob 用户权限。创建任务的同一个实体也必须具有 iam:PassRole 权限,以便将为此任务指定的 Amazon Identity and Access Management (IAM) 角色传递到分批操作。

有关指定 IAM 资源的一般信息,请参阅 IAM 用户指南中的 IAM JSON 策略 – 资源元素。以下各节提供了有关创建 IAM 角色和附加策略的信息。

创建 S3 分批操作 IAM 角色

Amazon S3 必须具有权限才能代表您执行 S3 分批操作。您通过 Amazon Identity and Access Management (IAM) 角色授予这些权限。此部分提供您在创建 IAM 角色时使用的信任和权限策略的示例。有关更多信息,请参阅 IAM 用户指南中的 IAM 角色。有关示例,请参阅 使用任务标签控制 S3 分批操作的权限使用 S3 分批操作复制对象

在 IAM 策略中,您还可以使用条件键筛选 S3 分批操作任务的访问权限。有关更多信息和 Amazon S3 特定的条件键的完整列表,请参阅 Amazon S3 的操作、资源和条件键

信任策略

要允许 S3 分批操作服务委托人担任 IAM 角色,您可将以下信任策略附加到该角色。

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"batchoperations.s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] }

附加权限策略

根据操作的类型,您可以附加以下策略之一。

在配置权限之前,请注意以下事项:

  • 不论执行什么操作,Amazon S3 都需要权限来从您的 S3 存储桶读取清单对象并(可选)将报告写入您的存储桶。因此,所有以下策略均包含这些权限。

  • 对于 Amazon S3 清单报告清单,S3 分批操作需要读取 manifest.json 对象以及所有关联的 CSV 数据文件的权限。

  • 当您指定对象的版本 ID 时,只需要版本特定的权限,如 s3:GetObjectVersion

  • 如果您在加密对象上运行 S3 分批操作,则 IAM 角色还必须拥有对用于加密这些对象的 Amazon KMS 密钥的访问权限。

复制对象:PutObject

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging" ], "Effect": "Allow", "Resource": "arn:aws:s3:::{{DestinationBucket}}/*" }, { "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::{{SourceBucket}}", "arn:aws:s3:::{{SourceBucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }

替换对象标签:PutObjectTagging

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::{{TargetResource}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }

删除对象标签:DeleteObjectTagging

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::{{TargetResource}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }

替换访问控制列表:PutObjectAcl

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ], "Resource": "arn:aws:s3:::{{TargetResource}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }

还原对象:RestoreObject

{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:RestoreObject" ], "Resource": "arn:aws:s3:::{{TargetResource}}/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }

应用对象锁定保留:PutObjectRetention

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::{{TargetResource}}" ] }, { "Effect": "Allow", "Action": [ "s3:PutObjectRetention", "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::{{TargetResource}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::{{TargetResource}}" ] }, { "Effect": "Allow", "Action": "s3:PutObjectLegalHold", "Resource": [ "arn:aws:s3:::{{TargetResource}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::{{ManifestBucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::{{ReportBucket}}/*" ] } ] }