允许访问 Athena 联合查询:示例策略
本主题中的权限策略示例演示了需要允许的操作以及允许执行这些操作的资源。仔细检查这些策略并根据您的需求修改它们,然后再将它们附加到 IAM 身份。
有关将 IAM 策略添加到用户的信息,请参阅 IAM 用户指南 中的 添加和删除 IAM 身份权限。
例 – 允许 IAM 委托人运行并使用 Athena 联合查询返回结果
以下基于身份的权限策略允许用户或其他 IAM 委托人执行使用 Athena 联合查询所需的操作。允许执行这些操作的委托人可以运行指定与联合数据源关联的 Athena 目录的查询。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Athena", "Effect": "Allow", "Action": [ "athena:GetDataCatalog", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "arn:aws:athena:*:
111122223333
:workgroup/WorkgroupName
", "arn:aws:athena:aws_region
:111122223333
:datacatalog/DataCatalogName
" ] }, { "Sid": "ListAthenaWorkGroups", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" }, { "Sid": "Lambda", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:*:111122223333
:function:OneAthenaLambdaFunction
", "arn:aws:lambda:*:111122223333
:function:AnotherAthenaLambdaFunction
" ] }, { "Sid": "S3", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::MyLambdaSpillBucket
", "arn:aws:s3:::MyLambdaSpillBucket
/*", "arn:aws:s3:::MyQueryResultsBucket
", "arn:aws:s3:::MyQueryResultsBucket
/*" ] } ] }
允许的操作 | 说明 |
---|---|
|
运行联合查询所需的 Athena 权限。 |
|
运行联合视图查询所需的 Athena 权限。视图需要 |
|
允许查询为 Resource 块中指定的 Amazon Lambda 函数调用 Amazon Lambda 函数。例如 arn:aws:lambda:*: ,其中 MyAthenaLambdaFunction 指定要调用的 Lambda 函数的名称。如示例中所示,可以指定多个函数。 |
|
必须具备
|
例 – 允许 IAM 委托人创建数据源连接器
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:ListVersionsByFunction", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:AttachRolePolicy", "iam:PutRolePolicy", "lambda:PutFunctionConcurrency", "iam:PassRole", "iam:DetachRolePolicy", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:DeleteRolePolicy", "lambda:DeleteFunction", "lambda:GetAlias", "iam:ListRolePolicies", "iam:GetRole", "iam:GetPolicy", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "iam:DeleteRole", "lambda:UpdateFunctionCode", "s3:GetObject", "lambda:AddPermission", "iam:UpdateRole", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "iam:GetRolePolicy", "lambda:GetPolicy" ], "Resource": [ "arn:aws:lambda:*:
111122223333
:function:MyAthenaLambdaFunctionsPrefix
*", "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m
/*", "arn:aws:iam::*:role/RoleName
", "arn:aws:iam::111122223333
:policy/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:ListExports", "cloudformation:ListStacks", "cloudformation:ListImports", "lambda:ListFunctions", "iam:ListRoles", "lambda:GetAccountSettings", "ec2:DescribeSecurityGroups", "cloudformation:EstimateTemplateCost", "ec2:DescribeVpcs", "lambda:ListEventSourceMappings", "cloudformation:DescribeAccountLimits", "ec2:DescribeSubnets", "cloudformation:CreateStackSet", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "cloudformation:*", "Resource": [ "arn:aws:cloudformation:*:111122223333
:stack/aws-serverless-repository-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:111122223333
:stack/serverlessrepo-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:*:transform/Serverless-*", "arn:aws:cloudformation:*:111122223333
:stackset/aws-serverless-repository-MyCFStackPrefix
*:*", "arn:aws:cloudformation:*:111122223333
:stackset/serverlessrepo-MyCFStackPrefix
*:*" ] }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "serverlessrepo:*", "Resource": "arn:aws:serverlessrepo:*:*:applications/*" }, { "Sid": "ECR", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:aws:ecr:*:*:repository/*" } ] }
允许的操作 | 说明 |
---|---|
|
允许创建和管理列为资源的 Lambda 函数。在此示例中,资源标识符 |
|
允许读取 Amazon Serverless Application Repository 所需的存储桶,如资源标识符 arn:aws:s3:::awsserverlessrepo-changesets- 所指定。此存储桶可能特定于您的账户。 |
|
允许创建和管理由资源 |
|
允许在由资源标识符 arn:aws:serverlessrepo:*:*:applications/* 指定的 Amazon Serverless Application Repository 中搜索、查看、发布和更新应用程序。 |
|
允许创建的 Lambda 函数访问联合身份验证连接器 ECR 映像。 |