本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Batch 服务 IAM 角色
AWS Batch 代表您调用其他 AWS 服务以管理服务所使用的资源。您必须先具有向 IAM 提供必需权限的 AWS Batch. 策略和角色,然后才能使用服务。
大多数情况下,在控制台首次运行体验中将自动为您创建 AWS Batch 服务角色。您可使用以下过程来检查您的账户是否已具有 AWS Batch 服务角色。
AWSBatchServiceRole 策略如下所示。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ "arn:aws-cn:ecs:*:*:task/*_Batch_*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }
您可以使用以下过程检查您的账户是否已拥有 AWS Batch 服务角色并附加托管 IAM 策略(如果需要)。
在 AWSBatchServiceRole 控制台中检查 IAM
-
通过以下网址打开 IAM 控制台:https://console.amazonaws.cn/iam/
。 -
在导航窗格中,选择 Roles.
-
在角色列表中搜索
AWSBatchServiceRole。 如果该角色不存在,请使用以下过程创建该角色。如果角色存在,请选择角色以查看附加的策略。 -
选择 Permissions.
-
确保将 AWSBatchServiceRole 托管策略附加到角色。如果附加该策略,则将正确配置 AWS Batch 服务角色。否则,请执行以下子步骤来附加策略。
-
选择 Attach Policy.
-
要缩小要附加的可用策略的列表,请为 Filter (筛选条件) 键入 AWSBatchServiceRole 。
-
选择AWSBatchServiceRole策略,然后选择 Attach Policy (附加策略)。
-
-
选择 Trust Relationships,然后选择 Edit Trust Relationship.
-
验证信任关系是否包含以下策略。如果信任关系符合以下策略,请选择 Cancel. 如果信任关系不符合,请将策略复制到 Policy Document 窗口中并选择 Update Trust Policy.
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "batch.amazonaws.com"}, "Action": "sts:AssumeRole" }] }
创建 AWSBatchServiceRole IAM 角色
-
通过以下网址打开 IAM 控制台:https://console.amazonaws.cn/iam/
。 -
在导航窗格中,选择 Roles 和 Create New Role.
-
对于 Select type of trusted entity (选择受信任实体的类型),选择 AWS service (AWS 服务). 对于 Choose the service that will use this role (选择将使用此角色的服务),选择 Batch (批处理).
-
依次选择 Next: Permissions (下一步: 权限)、Next: Tags (下一步: 标签) 和 Next: Review (下一步: 复查).
-
对于 Role Name (角色名称),键入
AWSBatchServiceRole,然后选择 Create Role (创建角色).