AWS managed policies for AWS Batch - AWS Batch
The AWS services or features described in the AWS documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This is a machine-translated version. Where this translation differs from the English original, the English original prevails.

AWS managed policies for AWS Batch

To add permissions to users, groups, and roles, it is easier to use AWS managed policies than to write policies yourself. Creating IAM customer managed policies that provide your team with only the permissions they need takes time and expertise. To get started quickly, you can use our AWS managed policies. These policies cover common use cases and are available in your AWS account. For more information about AWS managed policies, see AWS managed policies in the IAM User Guide.

AWS services maintain and update AWS managed policies. You can't change the permissions in an AWS managed policy. Services occasionally add additional permissions to an AWS managed policy to support new features. This type of update affects all identities (users, groups, and roles) to which the policy is attached. Services are most likely to update an AWS managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an AWS managed policy, so policy updates won't break your existing permissions.

Additionally, AWS supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess AWS managed policy provides read-only access to all AWS services and resources. When a service launches a new feature, AWS adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see AWS managed policies for job functions in the IAM User Guide.

AWS managed policy: BatchServiceRolePolicy

The BatchServiceRolePolicy policy is attached to a service-linked role. This allows AWS Batch to perform actions on your behalf. You can't attach this policy to your IAM entities. For more information, see Using service-linked roles for AWS Batch.

This policy grants AWS Batch access to the related services it depends on, including Amazon EC2, Amazon EC2 Auto Scaling, Amazon ECS, and Amazon CloudWatch Logs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs",
        "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances",
        "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks", "ecs:ListClusters", "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition", "ecs:TagResource", "ecs:ListAccountSettings",
        "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup", "logs:CreateLogStream"],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:PutLogEvents"],
      "Resource": "arn:aws-cn:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": ["autoscaling:CreateOrUpdateTags"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateLaunchTemplate"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances", "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": { "Null": { "aws:ResourceTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Effect": "Allow",
      "Action": ["autoscaling:CreateLaunchConfiguration", "autoscaling:DeleteLaunchConfiguration"],
      "Resource": "arn:aws-cn:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity", "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws-cn:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster", "ecs:DeregisterContainerInstance",
        "ecs:RunTask", "ecs:StartTask", "ecs:StopTask"
      ],
      "Resource": "arn:aws-cn:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:RunTask", "ecs:StartTask", "ecs:StopTask"],
      "Resource": "arn:aws-cn:ecs:*:*:task-definition/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:StopTask"],
      "Resource": "arn:aws-cn:ecs:*:*:task/*/*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:CreateCluster", "ecs:RegisterTaskDefinition"],
      "Resource": "*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws-cn:ec2:*::image/*",
        "arn:aws-cn:ec2:*::snapshot/*",
        "arn:aws-cn:ec2:*:*:subnet/*",
        "arn:aws-cn:ec2:*:*:network-interface/*",
        "arn:aws-cn:ec2:*:*:security-group/*",
        "arn:aws-cn:ec2:*:*:volume/*",
        "arn:aws-cn:ec2:*:*:key-pair/*",
        "arn:aws-cn:ec2:*:*:launch-template/*",
        "arn:aws-cn:ec2:*:*:placement-group/*",
        "arn:aws-cn:ec2:*:*:capacity-reservation/*",
        "arn:aws-cn:ec2:*:*:elastic-gpu/*",
        "arn:aws-cn:ec2:*:*:elastic-inference-accelerator/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws-cn:ec2:*:*:instance/*",
      "Condition": { "Null": { "aws:RequestTag/AWSBatchServiceTag": "false" } }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": ["RunInstances", "CreateLaunchTemplate", "RequestSpotFleet"]
        }
      }
    }
  ]
}
```
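The Null and StringEquals conditions are what keep this policy from being a blanket grant: the mutating EC2, Auto Scaling and ECS actions only match requests or resources that carry the AWSBatchServiceTag tag, and iam:PassRole only works toward the three listed services. The following evaluator is an added example, not AWS code; it runs a constructed excerpt of the statements above through IAM-style matching so you can check which requests are allowed and which fall through to the implicit deny.

```python
import fnmatch
import json

# Constructed excerpt of the BatchServiceRolePolicy statements shown on this page.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:TerminateInstances", "ec2:DeleteLaunchTemplate"],
   "Resource": "*", "Condition": {"Null": {"aws:ResourceTag/AWSBatchServiceTag": "false"}}},
  {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "arn:aws-cn:ec2:*:*:instance/*",
   "Condition": {"Null": {"aws:RequestTag/AWSBatchServiceTag": "false"}}},
  {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ["*"],
   "Condition": {"StringEquals": {"iam:PassedToService":
    ["ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]}}},
  {"Effect": "Allow", "Action": ["autoscaling:CreateAutoScalingGroup"],
   "Resource": "arn:aws-cn:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"}
]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two operators this policy uses; absent context keys count as null."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # Null "false" means the key must be present; Null "true" means it must be absent.
                if present != (expected == "false"):
                    return False
            elif operator == "StringEquals":
                if not present or context[key] not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def is_allowed(action, resource, context=None):
    """True if an Allow statement matches; otherwise implicit deny (this excerpt has no Deny)."""
    context = context or {}
    for stmt in POLICY["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False
```

The context dictionary stands in for the request and resource tags and the PassedToService value that IAM derives from the real call; only the operators this policy actually uses are implemented.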

AWS managed policy: BatchFullAccess

The BatchFullAccess policy grants AWS Batch actions full access to AWS Batch resources. It also grants describe and list access to the Amazon EC2, Amazon ECS, CloudWatch, and IAM services so that IAM identities (users or roles) can view the AWS Batch managed resources created on their behalf. Finally, the policy allows selected IAM roles to be passed to those services.

You can attach BatchFullAccess to your IAM entities. AWS Batch also attaches this policy to a service role that allows AWS Batch to perform actions on your behalf.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "batch:*", "cloudwatch:GetMetricStatistics",
        "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs",
        "ec2:DescribeVpcs", "ec2:DescribeImages", "ec2:DescribeLaunchTemplates",
        "ec2:DescribeLaunchTemplateVersions",
        "ecs:DescribeClusters", "ecs:Describe*", "ecs:List*",
        "logs:Describe*", "logs:Get*", "logs:TestMetricFilter", "logs:FilterLogEvents",
        "iam:ListInstanceProfiles", "iam:ListRoles"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": [
        "arn:aws-cn:iam::*:role/AWSBatchServiceRole",
        "arn:aws-cn:iam::*:role/service-role/AWSBatchServiceRole",
        "arn:aws-cn:iam::*:role/ecsInstanceRole",
        "arn:aws-cn:iam::*:instance-profile/ecsInstanceRole",
        "arn:aws-cn:iam::*:role/iaws-ec2-spot-fleet-role",
        "arn:aws-cn:iam::*:role/aws-ec2-spot-fleet-role",
        "arn:aws-cn:iam::*:role/AWSBatchJobRole*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": "arn:aws-cn:iam::*:role/*Batch*",
      "Condition": {
        "StringEquals": { "iam:AWSServiceName": "batch.amazonaws.com" }
      }
    }
  ]
}
```

AWS Batch updates to AWS managed policies

View details about updates to AWS managed policies for AWS Batch since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the AWS Batch Document history page.

BatchServiceRolePolicy policy updated (March 26, 2021)

Updated to add support for placement groups, capacity reservations, elastic GPUs, and Elastic Inference resources in Amazon EC2.

BatchServiceRolePolicy policy added (March 10, 2021)

With the BatchServiceRolePolicy managed policy, you can use the AWSServiceRoleForBatch service-linked role managed by AWS Batch instead of maintaining your own role for use in compute environments.

BatchFullAccess - added permissions to add the service-linked role (March 10, 2021)

Added IAM permissions to allow the AWSServiceRoleForBatch service-linked role to be added to the account.

AWS Batch started tracking changes (March 10, 2021)

AWS Batch started tracking changes for its AWS managed policies.