How AWS Batch works with IAM - AWS Batch
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

This is a machine-translated version. If this translation differs from the original English content, the English original takes precedence.

How AWS Batch works with IAM

Before you use IAM to manage access to AWS Batch, learn what IAM features are available to use with AWS Batch.

IAM features you can use with AWS Batch

IAM feature                    Supported by AWS Batch
Identity-based policies        Yes
Resource-based policies        Yes
Policy actions                 Yes
Policy resources               Yes
Policy condition keys          Yes
ACLs                           No
ABAC (tags in policies)        Yes
Temporary credentials          Yes
Principal permissions          Yes
Service roles                  Yes
Service-linked roles           Yes

To get a high-level view of how AWS Batch and other AWS services work with most IAM features, see AWS services that work with IAM in the IAM User Guide.

Identity-based policies for AWS Batch

Supports identity-based policies: Yes

Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see Creating IAM policies in the IAM User Guide.

With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see IAM JSON policy elements reference in the IAM User Guide.

Identity-based policy examples for AWS Batch

To view examples of AWS Batch identity-based policies, see Identity-based policy examples for AWS Batch.

Resource-based policies within AWS Batch

Supports resource-based policies: Yes

Resource-based policies are JSON policy documents that you attach to a resource. Examples of resource-based policies are IAM role trust policies and Amazon S3 bucket policies. In services that support resource-based policies, service administrators can use them to control access to a specific resource. For the resource where the policy is attached, the policy defines what actions a specified principal can perform on that resource and under what conditions. You must specify a principal in a resource-based policy. Principals can include accounts, users, roles, federated users, or AWS services.

To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. Adding a cross-account principal to a resource-based policy is only half of establishing the trust relationship. When the principal and the resource are in different AWS accounts, an IAM administrator in the trusted account must also grant the principal entity (user or role) permission to access the resource. They grant permission by attaching an identity-based policy to the entity. However, if a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information, see How IAM roles differ from resource-based policies in the IAM User Guide.

Policy actions for AWS Batch

Supports policy actions: Yes

The Action element of an IAM identity-based policy describes the specific action or actions that the policy allows or denies. Policy actions usually have the same name as the associated AWS API operation. The action is used in a policy to grant permission to perform the associated operation.

To see a list of AWS Batch actions, see Actions Defined by AWS Batch in the Service Authorization Reference.

Policy actions in AWS Batch use the following prefix before the action:

batch

To specify multiple actions in a single statement, separate them with commas.

"Action": [ "batch:action1", "batch:action2" ]

You can also specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word Describe, include the following action:

"Action": "batch:Describe*"

To view examples of AWS Batch identity-based policies, see Identity-based policy examples for AWS Batch.

Policy resources for AWS Batch

Supports policy resources: Yes

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN, or use the wildcard (*) to indicate that the statement applies to all resources.

To see a list of AWS Batch resource types and their ARNs, see Resources Defined by AWS Batch in the Service Authorization Reference. To learn with which actions you can specify the ARN of each resource, see Actions Defined by AWS Batch.

To view examples of AWS Batch identity-based policies, see Identity-based policy examples for AWS Batch.
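As an added example that is not part of this page and not AWS code, the following Python shows how the Action and Resource elements described in the two preceding sections are matched against a request: the batch: prefix, the * wildcard in batch:Describe*, and resource ARNs. The policy, the account ID, the Region and the queue names are constructed placeholders. The matcher is a deliberate simplification of IAM evaluation written for this illustration: it handles Allow statements with Action and Resource elements only (no Deny, NotAction, NotResource or Condition).

```python
"""Added example (not from the AWS documentation): matching a request's
action name and resource ARN against an identity-based policy for AWS Batch.
Simplified model: Allow statements with Action and Resource only."""
import fnmatch
import json

# Constructed sample policy. The account ID, Region and queue name in the
# ARNs are placeholders, not values from the documentation.
BATCH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BatchReadOnly",
            "Effect": "Allow",
            # batch:Describe* covers every action whose name starts with Describe
            "Action": ["batch:Describe*", "batch:ListJobs"],
            "Resource": "*",
        },
        {
            "Sid": "SubmitToOneQueue",
            "Effect": "Allow",
            "Action": "batch:SubmitJob",
            # The statement names one job queue and any job definition
            "Resource": [
                "arn:aws:batch:us-east-1:123456789012:job-queue/team-a-queue",
                "arn:aws:batch:us-east-1:123456789012:job-definition/*",
            ],
        },
    ],
}


def as_list(value):
    """IAM accepts either a string or a list of strings in Action and Resource."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """Action names are compared case-insensitively; * and ? are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern: str, arn: str) -> bool:
    """Resource ARNs use the same wildcards but are compared case-sensitively
    here (a simplification of how IAM treats the individual ARN segments)."""
    return fnmatch.fnmatchcase(arn, pattern)


def matching_statements(policy: dict, action: str, arn: str) -> list:
    """Return the Sid of every Allow statement whose Action and Resource
    elements both cover the request (action, arn)."""
    sids = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(action_matches(p, action) for p in as_list(stmt["Action"]))
        resource_hit = any(resource_matches(p, arn) for p in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            sids.append(stmt["Sid"])
    return sids


def policy_document() -> str:
    """The JSON text that would be attached to a user, group or role."""
    return json.dumps(BATCH_POLICY, indent=2)


if __name__ == "__main__":
    queue = "arn:aws:batch:us-east-1:123456789012:job-queue/team-a-queue"
    for act in ("batch:DescribeJobs", "batch:SubmitJob", "batch:TerminateJob"):
        print(f"{act:<22} -> {matching_statements(BATCH_POLICY, act, queue)}")
```

Running the script shows that batch:DescribeJobs is covered by the wildcard statement, batch:SubmitJob is covered only for the named queue (the same action against a different queue ARN matches nothing), and batch:TerminateJob matches no statement at all, which in IAM means an implicit deny.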

Policy condition keys for AWS Batch

Supports policy condition keys: Yes

The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM policy elements: variables and tags in the IAM User Guide.

To see a list of AWS Batch condition keys, see Condition Keys for AWS Batch in the Service Authorization Reference. To learn with which actions and resources you can use a condition key, see Actions Defined by AWS Batch.

To view examples of AWS Batch identity-based policies, see Identity-based policy examples for AWS Batch.

Access control lists (ACLs) in AWS Batch

Supports ACLs: No

Access control lists (ACLs) control which principals (account members, users, or roles) have permissions to access a resource. ACLs are similar to resource-based policies, although they do not use the JSON policy document format.

Attribute-based access control (ABAC) with AWS Batch

Supports ABAC (tags in policies): Yes

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. You can attach tags to IAM entities (users or roles) and to many AWS resources. Tagging entities and resources is the first step of ABAC. Then you design ABAC policies to allow operations when the principal's tag matches the tag on the resource that they are trying to access.

ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.

To control access based on tags, you provide tag information in the condition element of a policy using the aws:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys.

For more information about ABAC, see What is ABAC? in the IAM User Guide. To view a tutorial with steps for setting up ABAC, see Use attribute-based access control (ABAC) in the IAM User Guide.
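The condition-key section and the ABAC section above state three evaluation rules: multiple condition keys are combined with AND, multiple values for one key with OR, and a placeholder variable is filled in from the request. The following Python is an added example that is not part of this page and not AWS code; it models those rules for a constructed AWS Batch ABAC statement in which a caller may submit jobs only to job queues carrying the same team tag as the caller, and only in two Regions. Only the StringEquals and StringLike operators are modelled, and the statement and request contexts are constructed sample data.

```python
"""Added example (not from the AWS documentation): a simplified model of how
IAM evaluates a statement's Condition element, applied to an ABAC rule for
AWS Batch. Only StringEquals and StringLike are modelled."""
import fnmatch
import re

# Constructed ABAC statement: allow batch:SubmitJob only when the job queue's
# "team" tag equals the caller's "team" principal tag, in one of two Regions.
ABAC_STATEMENT = {
    "Sid": "SubmitToOwnTeamQueues",
    "Effect": "Allow",
    "Action": "batch:SubmitJob",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/team": "${aws:PrincipalTag/team}",
            "aws:RequestedRegion": ["us-east-1", "us-west-2"],
        }
    },
}

OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}

_VARIABLE = re.compile(r"\$\{([^}]+)\}")


def resolve_variables(value: str, context: dict):
    """Replace ${key} placeholders with request-context values. Returns None
    when a referenced key is absent from the request, so the comparison fails."""
    missing = False

    def substitute(match):
        nonlocal missing
        key = match.group(1)
        if key not in context:
            missing = True
            return ""
        return context[key]

    resolved = _VARIABLE.sub(substitute, value)
    return None if missing else resolved


def as_list(value):
    return value if isinstance(value, list) else [value]


def condition_satisfied(condition: dict, context: dict) -> bool:
    """Every operator block and every key inside it must match (logical AND);
    a key with several values matches if any one value matches (logical OR).
    A key missing from the request context does not match for these operators."""
    for operator, keys in condition.items():
        compare = OPERATORS[operator]
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            candidates = [resolve_variables(v, context) for v in as_list(expected)]
            if not any(c is not None and compare(actual, c) for c in candidates):
                return False
    return True


def statement_effect(statement: dict, context: dict) -> str:
    """The statement's Effect when its condition holds, otherwise 'no match'
    (in IAM, a request matched by no statement is implicitly denied)."""
    if condition_satisfied(statement.get("Condition", {}), context):
        return statement["Effect"]
    return "no match"


# Constructed request contexts, as the condition keys would appear at request time.
SAME_TEAM = {"aws:PrincipalTag/team": "analytics",
             "aws:ResourceTag/team": "analytics",
             "aws:RequestedRegion": "us-east-1"}
OTHER_TEAM = {**SAME_TEAM, "aws:ResourceTag/team": "finance"}
OTHER_REGION = {**SAME_TEAM, "aws:RequestedRegion": "eu-west-1"}
UNTAGGED_PRINCIPAL = {"aws:ResourceTag/team": "analytics",
                      "aws:RequestedRegion": "us-east-1"}

if __name__ == "__main__":
    for name, ctx in [("same team", SAME_TEAM), ("other team", OTHER_TEAM),
                      ("other region", OTHER_REGION),
                      ("untagged principal", UNTAGGED_PRINCIPAL)]:
        print(f"{name:<20} -> {statement_effect(ABAC_STATEMENT, ctx)}")
```

The untagged-principal case is the one worth noticing when you roll out ABAC: if the caller has no team tag, the ${aws:PrincipalTag/team} placeholder cannot be resolved and the statement simply does not apply, so the request falls through to the implicit deny rather than being granted.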

Using temporary credentials with AWS Batch

Supports temporary credentials: Yes

Some AWS services don't work when you sign in using temporary credentials. For additional information, including which AWS services work with temporary credentials, see AWS services that work with IAM in the IAM User Guide.

You are using temporary credentials if you sign in to the AWS Management Console using any method except a user name and password. For example, when you access AWS using your company's single sign-on (SSO) link, that process automatically creates temporary credentials. You also automatically create temporary credentials when you sign in to the console as a user and then switch roles. For more information about switching roles, see Switching to a role (console) in the IAM User Guide.

You can manually create temporary credentials using the AWS CLI or AWS API. You can then use those temporary credentials to access AWS. AWS recommends that you dynamically generate temporary credentials instead of using long-term access keys. For more information, see Temporary security credentials in IAM.

Cross-service principal permissions for AWS Batch

Supports principal permissions: Yes

When you use an IAM user or role to perform actions in AWS, you are considered a principal. Policies grant permissions to a principal. When you use some services, you might perform an action that then triggers another action in a different service. In this case, you must have permissions to perform both actions. To see whether an action requires additional dependent actions in a policy, see Actions, Resources, and Condition Keys for AWS Batch in the Service Authorization Reference.

Service roles for AWS Batch

Supports service roles: Yes

A service role is an IAM role that a service assumes to perform actions on your behalf. Service roles provide access only within your account and cannot be used to grant access to services in other accounts. An IAM administrator can create, modify, and delete a service role from within IAM. For more information, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

Warning

Changing the permissions for a service role might break AWS Batch functionality. Edit service roles only when AWS Batch provides guidance to do so.

Service-linked roles for AWS Batch

Supports service-linked roles: Yes

A service-linked role is a type of service role that is linked to an AWS service. The service can assume the role to perform an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit the permissions for service-linked roles.

For details about creating or managing service-linked roles, see AWS services that work with IAM. Find a service in the table that includes a Yes in the Service-linked role column. Choose the Yes link to view the service-linked role documentation for that service.