Example policies for working with the Amazon CLI or SDKs - Application Auto Scaling

Example policies for working with the Amazon CLI or SDKs

By default, a brand-new IAM user has no permissions to do anything. An IAM administrator must create IAM policies that grant users and roles permission to perform Application Auto Scaling actions, such as configuring scaling policies. The administrator must then attach those policies to the IAM users or roles that require the permissions.

To learn how to create an IAM policy using these example JSON policy documents, see Creating policies on the JSON tab in the IAM User Guide.

Permissions required for Application Auto Scaling actions

The following policies grant permissions for common use cases. Refer to them when you set up access control and write permissions policies that can be attached to an IAM user or role. Each policy grants access to all or some of the Application Auto Scaling actions. You must also make sure that the IAM user or role has a permissions policy for the target service and for CloudWatch (for details, see the next section).

The following permissions policy grants access to all Application Auto Scaling actions. Because it combines a wildcard action with a wildcard resource, it is the broadest grant on this page; prefer one of the task-scoped policies below where the use case allows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:*"
            ],
            "Resource": "*"
        }
    ]
}

The following permissions policy grants access to all Application Auto Scaling actions required to configure scaling policies, but not scheduled actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScalingPolicy",
                "application-autoscaling:DescribeScalingPolicies",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DeleteScalingPolicy"
            ],
            "Resource": "*"
        }
    ]
}

The following permissions policy grants access to all Application Auto Scaling actions required to configure scheduled actions, but not scaling policies.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "application-autoscaling:RegisterScalableTarget",
                "application-autoscaling:DescribeScalableTargets",
                "application-autoscaling:DeregisterScalableTarget",
                "application-autoscaling:PutScheduledAction",
                "application-autoscaling:DescribeScheduledActions",
                "application-autoscaling:DescribeScalingActivities",
                "application-autoscaling:DeleteScheduledAction"
            ],
            "Resource": "*"
        }
    ]
}

Permissions required for actions on target services and CloudWatch

To successfully configure and use Application Auto Scaling with a target service, IAM users must be granted the required permissions for Amazon CloudWatch and for each target service for which they will configure scaling. Use the following policies to grant users the minimum permissions required to work with the target services and CloudWatch.

ECS services

The following permissions policy grants access to all required ECS and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DescribeServices",
                "ecs:UpdateService",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

EC2 Spot Fleet requests

The following permissions policy grants access to all required Spot Fleet and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Amazon EMR clusters

The following permissions policy grants access to all required Amazon EMR and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ModifyInstanceGroups",
                "elasticmapreduce:ListInstanceGroups",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

AppStream 2.0 fleets

The following permissions policy grants access to all required AppStream 2.0 and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "appstream:DescribeFleets",
                "appstream:UpdateFleet",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

DynamoDB tables and global secondary indexes

The following permissions policy grants access to all required DynamoDB and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Aurora DB clusters

The following permissions policy grants access to all required Aurora and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds:AddTagsToResource",
                "rds:CreateDBInstance",
                "rds:DeleteDBInstance",
                "rds:DescribeDBClusters",
                "rds:DescribeDBInstances",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

SageMaker endpoints

The following permissions policy grants access to all required SageMaker and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:UpdateEndpointWeightsAndCapacities",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Custom resources

The following permissions policy grants users the permission required to invoke the API Gateway API. This policy also grants access to all required CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Amazon Comprehend document classification endpoints

The following permissions policy grants access to all required Amazon Comprehend and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "comprehend:UpdateEndpoint",
                "comprehend:DescribeEndpoint",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Lambda functions

The following permissions policy grants access to all required Lambda and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:PutProvisionedConcurrencyConfig",
                "lambda:GetProvisionedConcurrencyConfig",
                "lambda:DeleteProvisionedConcurrencyConfig",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Amazon Keyspaces tables

The following permissions policy grants access to all required Amazon Keyspaces and CloudWatch actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cassandra:Select",
                "cassandra:Alter",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": "*"
        }
    ]
}

Permissions required to create a service-linked role

Application Auto Scaling requires permission to create a service-linked role when an Amazon Web Services account calls RegisterScalableTarget for a given service. If the service-linked role does not already exist, Application Auto Scaling creates it in the account for the target service. This service-linked role grants permissions to Application Auto Scaling so that it can call the target service on your behalf.

For the automatic role creation to succeed, the user must have permission for the iam:CreateServiceLinkedRole action.

"Action": "iam:CreateServiceLinkedRole"

The following example is a permissions policy that allows an IAM user or role to create an Application Auto Scaling service-linked role for Spot Fleet. You can specify the service-linked role in the policy's Resource field as an ARN, and the service principal of the service-linked role as a condition, as shown. For the complete list of Application Auto Scaling ARNs, see the service-linked role ARN reference.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"
                }
            }
        }
    ]
}

Note

The iam:AWSServiceName IAM condition key specifies the service principal to which the role is attached, which this example policy indicates as ec2.application-autoscaling.amazonaws.com. Do not try to guess the service principal. To find the service principal for a service, see the service-linked role documentation.
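Two of the policies on this page deserve a mechanical check before they are attached: the "all actions" policy under Permissions required for Application Auto Scaling actions (wildcard action on a wildcard resource) and the service-linked role policy above (the Resource ARN and the iam:AWSServiceName condition must name the same service principal). The following linter is an added example, not code from the AWS documentation; it takes a parsed policy document and the sample policies embedded in it are constructed copies of the ones on this page plus a deliberately mismatched variant.

```python
import json

def _as_list(value):
    """IAM lets Statement, Action and Resource be a string or a list."""
    return value if isinstance(value, list) else [value]

def _principal_from_slr_arn(arn):
    """Service principal segment of arn:aws:iam::<acct>:role/aws-service-role/<principal>/<name>."""
    marker = ":role/aws-service-role/"
    return arn.split(marker, 1)[1].split("/", 1)[0] if marker in arn else None

def lint_policy(policy):
    """Return findings for a policy dict; an empty list means both checks pass."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Check 1: "<service>:*" (or "*") combined with Resource "*" is the broadest grant.
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action on Resource '*'")
        # Check 2: a CreateServiceLinkedRole grant must pin ARN and condition to one principal.
        if "iam:CreateServiceLinkedRole" in actions:
            cond = stmt.get("Condition", {})
            expected = (cond.get("StringEquals", {}).get("iam:AWSServiceName")
                        or cond.get("StringLike", {}).get("iam:AWSServiceName"))
            if expected is None or "*" in resources:
                findings.append(f"statement {i}: CreateServiceLinkedRole not pinned to a role ARN and principal")
                continue
            for arn in resources:
                found = _principal_from_slr_arn(arn)
                if found != expected:
                    findings.append(f"statement {i}: ARN principal {found!r} != condition {expected!r}")
    return findings

# Constructed samples: the Spot Fleet policy from this page, the "all actions"
# policy from this page, and a copy of the first with a mismatched condition value.
SLR_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest",
    "Condition": {"StringLike": {"iam:AWSServiceName": "ec2.application-autoscaling.amazonaws.com"}}}]}
ALL_ACTIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["application-autoscaling:*"], "Resource": "*"}]}
SLR_MISMATCH = json.loads(json.dumps(SLR_OK))  # deep copy via JSON round-trip
SLR_MISMATCH["Statement"][0]["Condition"]["StringLike"]["iam:AWSServiceName"] = "ecs.application-autoscaling.amazonaws.com"

if __name__ == "__main__":
    for name, pol in (("SLR_OK", SLR_OK), ("ALL_ACTIONS", ALL_ACTIONS), ("SLR_MISMATCH", SLR_MISMATCH)):
        print(name, lint_policy(pol) or "ok")
```

The same function can be pointed at any policy document exported with the CLI (for example the output of aws iam get-policy-version) after parsing its JSON.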