使用 AWS CLI 或 AWS SDK 的策略示例 - Application Auto Scaling
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

使用 AWS CLI 或 AWS SDK 的策略示例

默认情况下,全新的 IAM 用户没有执行任何操作的权限。IAM 管理员必须创建 IAM 策略,以便为用户和角色授予执行 Application Auto Scaling 操作(如配置扩展策略)的权限。然后,管理员必须将这些策略附加到需要这些权限的 IAM 用户或角色。

要了解如何使用这些示例 JSON 策略文档创建 IAM 策略,请参阅 IAM 用户指南 中的在 JSON 选项卡上创建策略

以下策略授予针对常见使用案例的权限。您可以根据您的 IAM 用户所需的访问权限将这些策略附加到这些用户。每个策略授予 Application Auto Scaling 的全部或部分 API 操作的访问权限。

下面显示允许用户对 Application Auto Scaling 执行所有 API 操作的权限策略的示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:*" ], "Resource": "*" } ] }

下面显示允许用户配置扩展策略的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScalingPolicy", "application-autoscaling:DescribeScalingPolicies", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScalingPolicy" ], "Resource": "*" } ] }

下面显示允许用户配置计划扩展的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "application-autoscaling:RegisterScalableTarget", "application-autoscaling:DescribeScalableTargets", "application-autoscaling:DeregisterScalableTarget", "application-autoscaling:PutScheduledAction", "application-autoscaling:DescribeScheduledActions", "application-autoscaling:DescribeScalingActivities", "application-autoscaling:DeleteScheduledAction" ], "Resource": "*" } ] }

其他必需的 IAM 权限

对于用户将配置扩展策略的每种类型的资源,用户必须具有额外的权限。您还可以在 IAM 策略声明的 Action 元素中指定以下操作。

ECS 服务

  • ecs:DescribeServices

  • ecs:UpdateService

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

EC2 Spot 队列请求

  • ec2:DescribeSpotFleetRequests

  • ec2:ModifySpotFleetRequest

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon EMR 集群

  • elasticmapreduce:ModifyInstanceGroups

  • elasticmapreduce:ListInstanceGroups

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

AppStream 2.0 队列

  • appstream:DescribeFleets

  • appstream:UpdateFleet

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

DynamoDB 表和全局二级索引

  • dynamodb:DescribeTable

  • dynamodb:UpdateTable

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Aurora 数据库集群

  • rds:AddTagsToResource

  • rds:CreateDBInstance

  • rds:DeleteDBInstance

  • rds:DescribeDBClusters

  • rds:DescribeDBInstances

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon SageMaker 终端节点

  • sagemaker:DescribeEndpoint

  • sagemaker:DescribeEndpointConfig

  • sagemaker:UpdateEndpointWeightsAndCapacities

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

自定义资源

  • execute-api:Invoke

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon Comprehend 文档分类终端节点

  • comprehend:UpdateEndpoint

  • comprehend:DescribeEndpoint

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Lambda 函数

  • lambda:PutProvisionedConcurrencyConfig

  • lambda:GetProvisionedConcurrencyConfig

  • lambda:DeleteProvisionedConcurrencyConfig

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

Amazon Keyspaces 表

  • cassandra:Select

  • cassandra:Alter

  • cloudwatch:DeleteAlarms

  • cloudwatch:DescribeAlarms

  • cloudwatch:PutMetricAlarm

创建服务相关角色所需的权限

Application Auto Scaling 要求,当 AWS 账户中的任何用户首次对给定服务调用 RegisterScalableTarget 时,都需要具有创建服务相关角色的权限。如果特定于服务的服务相关角色尚不存在,则 Application Auto Scaling 在您的账户中创建此角色。此服务相关角色向 Application Auto Scaling 授予权限,以便它能代表您调用其他服务。

为使自动角色创建操作成功,用户必须具有 iam:CreateServiceLinkedRole 操作的权限。

"Action": "iam:CreateServiceLinkedRole"

下面显示了允许用户为 Spot 队列创建 Application Auto Scaling 服务相关角色的权限策略示例。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws-cn:iam::*:role/aws-service-role/ec2.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_EC2SpotFleetRequest", "Condition": { "StringLike": { "iam:AWSServiceName":"ec2.application-autoscaling.amazonaws.com" } } } ] }

有关更多信息,请参阅 Application Auto Scaling 的服务相关角色