使用 S3 分批操作启用 S3 对象锁定
可以将 Amazon S3 批量操作与 S3 对象锁定结合使用,以便同时为许多 Amazon S3 对象管理保留或启用法定保留。您可以在清单中指定目标对象的列表并将该列表提交到分批操作以完成操作。有关更多信息,请参阅S3 对象锁定保留和S3 对象锁定依法保留。
以下示例说明如何创建具有 S3 批量操作权限的 Amazon Identity and Access Management(IAM)角色并更新角色权限,来创建启用对象锁定的任务。还必须有一个 CSV 清单来标识 S3 批量操作任务的对象。有关更多信息,请参阅 指定清单。
要使用以下示例,请将 user input
placeholders
-
创建 IAM 角色并为 S3 分批操作分配运行权限。
所有 S3 分批操作任务都必须执行此步骤。
export AWS_PROFILE='aws-user' read -d ''batch_operations_trust_policy<<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "batchoperations.s3.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-namebatch_operations-objectlock\ --assume-role-policy-document "${batch_operations_trust_policy}" -
设置要运行的 S3 分批操作和 S3 对象锁定。
在此步骤中,允许角色执行以下操作:
-
在包含您希望在其上运行分批操作的目标对象的 S3 存储桶上运行对象锁定。
-
读取清单 CSV 文件和对象所在的 S3 存储桶。
-
将 S3 分批操作任务的结果写入报告存储桶。
read -d ''batch_operations_permissions<<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::{{amzn-s3-demo-completion-report-bucket}}/*" ] } ] } EOF aws iam put-role-policy --role-namebatch_operations-objectlock\ --policy-nameobject-lock-permissions\ --policy-document "${batch_operations_permissions}" -
以下示例说明如何使用适用于 Java 的 Amazon SDK 创建具有 S3 批量操作权限的 IAM 角色并更新角色权限,来创建启用对象锁定的任务。您还必须有一个 CSV 清单来标识 S3 分批操作任务的对象。有关更多信息,请参阅 指定清单。
执行以下步骤:
-
创建 IAM 角色并为 S3 分批操作分配运行权限。所有 S3 分批操作任务都必须执行此步骤。
-
设置要运行的 S3 分批操作和 S3 对象锁定。
允许角色执行以下操作:
-
在包含您希望在其上运行分批操作的目标对象的 S3 存储桶上运行对象锁定。
-
读取清单 CSV 文件和对象所在的 S3 存储桶。
-
将 S3 分批操作任务的结果写入报告存储桶。
-
public void createObjectLockRole() { final String roleName = "batch_operations-object-lock"; final String trustPolicy = "{" + " \"Version\": \"2012-10-17\", " + " \"Statement\": [ " + " { " + " \"Effect\": \"Allow\", " + " \"Principal\": { " + " \"Service\": [" + " \"batchoperations.s3.amazonaws.com\"" + " ]" + " }, " + " \"Action\": \"sts:AssumeRole\" " + " } " + " ]" + "}"; final String bopsPermissions = "{" + " \"Version\": \"2012-10-17\"," + " \"Statement\": [" + " {" + " \"Effect\": \"Allow\"," + " \"Action\": \"s3:GetBucketObjectLockConfiguration\"," + " \"Resource\": [" + " \"arn:aws:s3:::amzn-s3-demo-manifest-bucket\"" + " ]" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:GetObject\"," + " \"s3:GetObjectVersion\"," + " \"s3:GetBucketLocation\"" + " ]," + " \"Resource\": [" + " \"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\"" + " ]" + " }," + " {" + " \"Effect\": \"Allow\"," + " \"Action\": [" + " \"s3:PutObject\"," + " \"s3:GetBucketLocation\"" + " ]," + " \"Resource\": [" + " \"arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*\"" + " ]" + " }" + " ]" + "}"; final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient(); final CreateRoleRequest createRoleRequest = new CreateRoleRequest() .withAssumeRolePolicyDocument(bopsPermissions) .withRoleName(roleName); final CreateRoleResult createRoleResult = iam.createRole(createRoleRequest); final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest() .withPolicyDocument(bopsPermissions) .withPolicyName("batch_operations-permissions") .withRoleName(roleName); final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest); }