Example IAM Permissions Policies to Allow Athena Federated Query (Preview) - Amazon Athena



The permissions policy examples in this topic demonstrate the actions that must be allowed and the resources on which those actions are allowed. Examine these policies carefully and modify them to fit your requirements before you attach them to IAM identities.

For information about attaching policies to IAM identities, see Adding and Removing IAM Identity Permissions in the IAM User Guide.

– Allow an IAM principal to use Athena Federated Query (Preview)

The following identity-based permissions policy allows a user or other IAM principal to perform the actions required to run queries with Athena Federated Query (Preview). Principals who are allowed these actions can run queries that specify Athena catalogs associated with a federated data source.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "athena:GetWorkGroup",
                "s3:PutObject",
                "s3:GetObject",
                "athena:StartQueryExecution",
                "s3:AbortMultipartUpload",
                "lambda:InvokeFunction",
                "athena:CancelQueryExecution",
                "athena:StopQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:athena:*:MyAWSAcctId:workgroup/AmazonAthenaPreviewFunctionality",
                "arn:aws:s3:::MyQueryResultsBucket/*",
                "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*",
                "arn:aws:lambda:*:MyAWSAcctId:function:OneAthenaLambdaFunction",
                "arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "athena:ListWorkGroups",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::MyLambdaSpillBucket"
        }
    ]
}
Permissions explanation

Allowed actions: "athena:StartQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup", "athena:CancelQueryExecution", "athena:StopQueryExecution", "athena:GetQueryExecution"
Description: The Athena permissions required to run queries in the AmazonAthenaPreviewFunctionality workgroup.

Allowed actions: "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"
Description: s3:PutObject and s3:AbortMultipartUpload allow writing query results to all sub-folders of the query results bucket, as specified by the arn:aws:s3:::MyQueryResultsBucket/* resource identifier, where MyQueryResultsBucket is the Athena query results bucket. For more information, see Working with Query Results, Output Files, and Query History.
s3:GetObject allows reading query results and query history from the resource specified as arn:aws:s3:::MyQueryResultsBucket, where MyQueryResultsBucket is the Athena query results bucket.
s3:GetObject also allows reading from the resource specified as "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*", where MyLambdaSpillPrefix is the spill prefix set in the configuration of the Lambda function or functions being invoked.

Allowed actions: "lambda:InvokeFunction"
Description: Allows queries to invoke the AWS Lambda functions specified in the Resource block, for example arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction, where MyAthenaLambdaFunction is the name of the Lambda function to invoke. Multiple functions can be specified, as shown in the example.

– Allow an IAM principal to create a data source connector

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:ListVersionsByFunction",
                "iam:CreateRole",
                "lambda:GetFunctionConfiguration",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "lambda:PutFunctionConcurrency",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "lambda:ListTags",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetPolicy",
                "lambda:InvokeFunction",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:UpdateFunctionConfiguration",
                "iam:DeleteRole",
                "lambda:UpdateFunctionCode",
                "s3:GetObject",
                "lambda:AddPermission",
                "iam:UpdateRole",
                "lambda:DeleteFunctionConcurrency",
                "lambda:RemovePermission",
                "iam:GetRolePolicy",
                "lambda:GetPolicy"
            ],
            "Resource": [
                "arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*",
                "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*",
                "arn:aws:iam::*:role/*",
                "arn:aws:iam::MyAWSAcctId:policy/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:ListExports",
                "cloudformation:ListStacks",
                "cloudformation:ListImports",
                "lambda:ListFunctions",
                "iam:ListRoles",
                "lambda:GetAccountSettings",
                "ec2:DescribeSecurityGroups",
                "cloudformation:EstimateTemplateCost",
                "ec2:DescribeVpcs",
                "lambda:ListEventSourceMappings",
                "cloudformation:DescribeAccountLimits",
                "ec2:DescribeSubnets",
                "cloudformation:CreateStackSet",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": [
                "arn:aws:cloudformation:*:MyAWSAcctId:stack/aws-serverless-repository-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:MyAWSAcctId:stack/serverlessrepo-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:*:transform/Serverless-*",
                "arn:aws:cloudformation:*:MyAWSAcctId:stackset/aws-serverless-repository-MyCFStackPrefix*:*",
                "arn:aws:cloudformation:*:MyAWSAcctId:stackset/serverlessrepo-MyCFStackPrefix*:*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "serverlessrepo:*",
            "Resource": "arn:aws:serverlessrepo:*:*:applications/*"
        }
    ]
}
Permissions explanation

Allowed actions: "lambda:CreateFunction", "lambda:ListVersionsByFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:ListTags", "lambda:DeleteFunction", "lambda:GetAlias", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionCode", "lambda:AddPermission", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "lambda:GetPolicy", "lambda:GetAccountSettings", "lambda:ListFunctions", "lambda:ListEventSourceMappings"
Description: Allow the creation and management of the Lambda functions listed as resources. In the example, a name prefix is used in the resource identifier arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*, where MyAthenaLambdaFunctionsPrefix is a prefix shared by the names of a group of Lambda functions, so that they do not need to be specified individually as resources. You can specify one or more Lambda function resources.

Allowed actions: "s3:GetObject"
Description: Allows reading from a bucket that AWS Serverless Application Repository requires, as specified by the resource identifier arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*. This bucket may be specific to your account.

Allowed actions: "cloudformation:*"
Description: Allows the creation and management of the AWS CloudFormation stacks specified by the resource MyCFStackPrefix. These stacks and stack sets are how AWS Serverless Application Repository deploys connectors and UDFs.

Allowed actions: "serverlessrepo:*"
Description: Allows searching, viewing, publishing, and updating applications in the AWS Serverless Application Repository specified by the resource identifier arn:aws:serverlessrepo:*:*:applications/*.
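Both policies on this page rely on resource scoping (specific function ARNs, a spill prefix, a stack-name prefix) to keep the principal's reach small. The following added example, which is not part of the AWS documentation, is a small offline check a reviewer can run over a policy document before attaching it: it flags statements where a high-impact action named in these policies is allowed on a bare "*" resource, and lists which Lambda functions a principal may invoke. The SCOPED policy is a constructed, trimmed copy of the first policy above; LOOSE is a constructed variant with the same actions but an unscoped resource.

```python
# Actions from this page's policies whose grants should always be resource-scoped.
SENSITIVE_ACTIONS = {"lambda:InvokeFunction", "s3:PutObject", "iam:PassRole", "cloudformation:*"}


def _as_list(value):
    # IAM accepts Action and Resource as either a single string or a list; normalise.
    return value if isinstance(value, list) else [value]


def find_unscoped_grants(policy):
    """Return (Sid, action) pairs where a sensitive action is allowed on Resource "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", []))) & SENSITIVE_ACTIONS
        if actions and "*" in _as_list(stmt.get("Resource", [])):
            findings.extend((stmt.get("Sid"), action) for action in sorted(actions))
    return findings


def invocable_functions(policy):
    """List the Lambda function ARNs that lambda:InvokeFunction is allowed on."""
    arns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "lambda:InvokeFunction" in _as_list(stmt.get("Action", [])):
            arns.update(r for r in _as_list(stmt.get("Resource", [])) if r.startswith("arn:aws:lambda:"))
    return sorted(arns)


# Constructed, trimmed copy of the page's federated-query policy (placeholders kept as-is).
SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["athena:StartQueryExecution", "s3:PutObject", "s3:GetObject", "lambda:InvokeFunction"],
         "Resource": ["arn:aws:athena:*:MyAWSAcctId:workgroup/AmazonAthenaPreviewFunctionality",
                      "arn:aws:s3:::MyQueryResultsBucket/*",
                      "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*",
                      "arn:aws:lambda:*:MyAWSAcctId:function:OneAthenaLambdaFunction",
                      "arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*"},
    ],
}

# Constructed variant: same actions, but the resource is "*", so any function could be invoked.
LOOSE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Loose0", "Effect": "Allow",
     "Action": ["lambda:InvokeFunction", "s3:PutObject", "athena:StartQueryExecution"],
     "Resource": "*"}]}

if __name__ == "__main__":
    print(find_unscoped_grants(SCOPED), find_unscoped_grants(LOOSE), invocable_functions(SCOPED))
```

The check only looks at a literal "*" resource; a partially wildcarded ARN such as a function name ending in "*" is still reported by invocable_functions so a reviewer can judge the prefix.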