授予批处理操作的权限 - Amazon Simple Storage Service
创建 S3 分批操作 IAM 角色附加权限策略
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

授予批处理操作的权限

在创建和运行 S3 分批操作任务之前,您必须授予所需的权限。要创建 Amazon S3 分批操作任务,需要 s3:CreateJob 用户权限。创建任务的同一个实体也必须具有 iam:PassRole 权限,以便将为此任务指定的 Amazon Identity and Access Management(IAM)角色传递到批量操作。

有关指定 IAM 资源的一般信息,请参阅 IAM 用户指南中的 IAM JSON 策略 – 资源元素。以下各节提供了有关创建 IAM 角色和附加策略的信息。

创建 S3 分批操作 IAM 角色

Amazon S3 必须具有权限才能代表您执行 S3 分批操作。您通过 Amazon Identity and Access Management (IAM) 角色授予这些权限。此部分提供您在创建 IAM 角色时使用的信任和权限策略的示例。有关更多信息,请参阅 IAM 用户指南中的 IAM 角色。有关示例,请参阅 使用任务标签控制批量操作的权限使用 S3 分批操作复制对象

在 IAM 策略中,您还可以使用条件键筛选 S3 分批操作任务的访问权限。有关更多信息和 Amazon S3 特定条件键的完整列表,请参阅《Service Authorization Reference》中的 Actions, resources, and condition keys for Amazon S3

有关按 S3 资源类型对 S3 API 操作的权限的更多信息,请参阅 Amazon S3 API 操作所需的权限

信任策略

要允许 S3 分批操作服务委托人担任 IAM 角色,您可将以下信任策略附加到该角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"batchoperations.s3.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

附加权限策略

根据操作的类型,您可以附加以下策略之一。

在配置权限之前,请注意以下事项:

  • 不论执行什么操作,Amazon S3 都需要权限来从您的 S3 存储桶读取清单对象并(可选)将报告写入您的存储桶。因此,所有以下策略均包含这些权限。

  • 对于 Amazon S3 清单报告清单,S3 分批操作需要读取 manifest.json 对象以及所有关联的 CSV 数据文件的权限。

  • 当您指定对象的版本 ID 时,只需要版本特定的权限,如 s3:GetObjectVersion

  • 如果您在加密对象上运行 S3 分批操作,则 IAM 角色还必须拥有对用于加密这些对象的 Amazon KMS 密钥的访问权限。

  • 如果您提交使用 Amazon KMS 加密的清单报告清单,则 IAM 策略必须包含对于 manifest.json 对象以及所有关联 CSV 数据文件的 "kms:Decrypt""kms:GenerateDataKey" 权限。

  • 如果批量操作任务在已启用访问控制列表(ACL)且位于其它 Amazon Web Services 账户内的存储桶中生成清单,则您必须在为该批量任务配置的 IAM 角色的 IAM 策略中授予 s3:PutObjectAcl 权限。如果没有包含此权限,则批量任务会失败,并显示错误 Error occurred when preparing manifest: Failed to write manifest

复制对象:PutObject

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-source-bucket",
                "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
            ]
        }
    ]
}

替换对象标记:PutObjectTagging

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObjectTagging",
        "s3:PutObjectVersionTagging"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject"
      ],
      "Resource":[
        "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
      ]
    }
  ]
}

删除对象标记:DeleteObjectTagging

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "s3:DeleteObjectTagging",
              "s3:DeleteObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
            ]
        }
    ]
}

替换访问控制列表:PutObjectAcl

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject"
      ],
      "Resource":[
        "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
      ]
    }
  ]
}

还原对象:RestoreObject

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Effect":"Allow",
      "Action":[
          "s3:RestoreObject"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    },
    {
      "Effect":"Allow",
      "Action":[
        "s3:PutObject"
      ],
      "Resource":[
        "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
      ]
    }
  ]
}

应用对象锁定保留:PutObjectRetention

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetBucketObjectLockConfiguration",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectRetention",
                "s3:BypassGovernanceRetention"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
            ]
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetBucketObjectLockConfiguration",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObjectLegalHold",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"
            ]
        }
    ]
}

复制现有对象:InitiateReplication(使用 S3 生成的清单)

如果您使用和存储 S3 生成的清单,请使用此策略。有关使用批量操作来复制现有对象的更多信息,请参阅使用批量复制以复制现有对象

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "s3:InitiateReplication"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
         ]
      },
      {
         "Action":[
            "s3:GetReplicationConfiguration",
            "s3:PutInventoryConfiguration"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-source-bucket"
         ]
      },
      {
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
            "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"    
         ]
      }
   ]
}

复制现有对象:InitiateReplication(使用用户清单)

如果您使用用户提供的清单,请使用此策略。有关使用批量操作来复制现有对象的更多信息,请参阅使用批量复制以复制现有对象

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Action":[
            "s3:InitiateReplication"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
         ]
      },
      {
         "Action":[
            "s3:GetObject",
            "s3:GetObjectVersion"
         ],
         "Effect":"Allow",
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "s3:PutObject"
         ],
         "Resource":[
            "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"    
         ]
      }
   ]
}