工作组策略示例
本节包含您可以用于启用对工作组执行各种操作的策略示例。每当您使用 IAM policy 时,请确保遵循 IAM 最佳实践。有关更多信息,请参阅《IAM 用户指南》中的 IAM 安全最佳实践。
工作组是由 Athena 管理的 IAM 资源。因此,如果您的工作组策略使用获取 workgroup 作为输入的操作,您必须如下所示指定工作组的 ARN:
"Resource": [arn:aws:athena:<region>:<user-account>:workgroup/<workgroup-name>]
其中,<workgroup-name>test_workgroup 的工作组,指定它作为资源,如下所示:
"Resource": ["arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup"]
有关 Amazon Athena 操作的完整列表,请参阅 Amazon Athena API 参考中的 API 操作名称。有关 IAM policy 的更多信息,请参阅《IAM 用户指南》中的 使用可视化编辑器创建策略。有关为工作组创建 IAM policy 的更多信息,请参阅 用于访问工作组的 IAM policy。
例 对所有工作组具有完全访问权限的策略示例
以下策略可实现对账户中可能存在的所有工作组资源具有完全访问权限。对于必须为其他所有用户监督和管理工作组的那些用户,我们建议您使用此策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:*" ], "Resource": [ "*" ] } ] }
例 对指定工作组具有完全访问权限的策略示例
以下策略可实现对单个名为 workgroupA 的特定工作组资源具有完全访问权限。对于对特定工作组具有完全控制权限的用户,您可以使用此策略。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListEngineVersions", "athena:ListWorkGroups", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:BatchGetQueryExecution", "athena:GetQueryExecution", "athena:ListQueryExecutions", "athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:BatchGetNamedQuery", "athena:ListNamedQueries", "athena:DeleteNamedQuery", "athena:CreatePreparedStatement", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "athena:UpdatePreparedStatement", "athena:DeletePreparedStatement" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA" ] }, { "Effect": "Allow", "Action": [ "athena:DeleteWorkGroup", "athena:UpdateWorkGroup", "athena:GetWorkGroup", "athena:CreateWorkGroup" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA" ] } ] }
例 运行指定工作组中查询的策略示例
在以下策略中,允许用户运行指定 workgroupA 中的查询并查看它们。不允许用户对工作组本身执行管理任务,例如,更新或删除它。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListEngineVersions", "athena:ListWorkGroups", "athena:ListDataCatalogs", "athena:ListDatabases", "athena:GetDatabase", "athena:ListTableMetadata", "athena:GetTableMetadata" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "athena:BatchGetQueryExecution", "athena:GetQueryExecution", "athena:ListQueryExecutions", "athena:StartQueryExecution", "athena:StopQueryExecution", "athena:GetQueryResults", "athena:GetQueryResultsStream", "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:BatchGetNamedQuery", "athena:ListNamedQueries", "athena:DeleteNamedQuery", "athena:CreatePreparedStatement", "athena:GetPreparedStatement", "athena:ListPreparedStatements", "athena:UpdatePreparedStatement", "athena:DeletePreparedStatement" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA" ] } ] }
例 运行主工作组中查询的策略示例
您可以修改上述示例以允许特定用户在主工作组中运行查询。
注意
对于另行配置为运行指定工作组中查询的所有用户,我们建议您为其添加主工作组资源。在用户的指定工作组已被删除或禁用的情况下,在工作组用户策略中添加此策略资源有用。在这种情况下,他们可以继续运行主工作组中的查询。
要允许您账户中的用户运行主工作组中的查询,请将包含朱总做足 ARN 的行添加到 Example policy for running queries in a specified workgroup 的资源部分,如下例所示。
arn:aws:athena:us-east-1:123456789012:workgroup/primary"
例 管理指定工作组操作的策略示例
在以下策略中,允许用户创建、删除、获取详细信息并更新工作组的 test_workgroup。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListEngineVersions" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "athena:CreateWorkGroup", "athena:GetWorkGroup", "athena:DeleteWorkGroup", "athena:UpdateWorkGroup" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup" ] } ] }
例 列出工作组的策略示例
以下策略允许所有用户列出所有工作组:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:ListWorkGroups" ], "Resource": "*" } ] }
例 运行和停止特定工作组中查询的策略示例
在此策略中,允许用户运行工作组中的查询:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup" ] } ] }
例 使用特定工作组中的命名查询的策略示例
在以下策略中,用户具有在指定工作组中创建和删除命名查询以及获取其相关信息的权限:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "athena:CreateNamedQuery", "athena:GetNamedQuery", "athena:DeleteNamedQuery" ], "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup" ] } ] }
例 在 Athena 中使用 Spark 笔记本的示例策略
使用以下策略在 Athena 中使用 Spark 笔记本。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCreatingWorkGroupWithDefaults", "Action": [ "athena:CreateWorkGroup", "s3:CreateBucket", "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "s3:GetBucketLocation", "athena:ImportNotebook" ], "Effect": "Allow", "Resource": [ "arn:aws:athena:us-east-1:123456789012:workgroup/Demo*", "arn:aws:s3:::123456789012-us-east-1-athena-results-bucket-*", "arn:aws:iam::123456789012:role/service-role/AWSAthenaSparkExecutionRole-*", "arn:aws:iam::123456789012:policy/service-role/AWSAthenaSparkRolePolicy-*" ] }, { "Sid": "AllowRunningCalculations", "Action": [ "athena:ListWorkGroups", "athena:GetWorkGroup", "athena:StartSession", "athena:CreateNotebook", "athena:ListNotebookMetadata", "athena:ListNotebookSessions", "athena:GetSessionStatus", "athena:GetSession", "athena:GetNotebookMetadata", "athena:CreatePresignedNotebookUrl" ], "Effect": "Allow", "Resource": "arn:aws:athena:us-east-1:123456789012:workgroup/Demo*" }, { "Sid": "AllowListWorkGroupAndEngineVersions", "Action": [ "athena:ListWorkGroups", "athena:ListEngineVersions" ], "Effect": "Allow", "Resource": "*" } ] }