Amazon Batch service IAM role - Amazon Batch
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon Web Services in China.

This article is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

Amazon Batch service IAM role

Amazon Batch calls other Amazon services on your behalf to manage the resources that the service uses. Before you can use Amazon Batch, you must have an IAM policy and role that grant the service the required permissions.

In most cases, the Amazon Batch service role is created for you automatically during the console first-run experience. You can use the following procedure to check whether your account already has an Amazon Batch service role.

The AWSBatchServiceRole managed policy is as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:RequestSpotFleet",
                "ec2:CancelSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "ec2:TerminateInstances",
                "ec2:RunInstances",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:SuspendProcesses",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListAccountSettings",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListTaskDefinitionFamilies",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "ecs:CreateCluster",
                "ecs:DeleteCluster",
                "ecs:RegisterTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:RunTask",
                "ecs:StartTask",
                "ecs:StopTask",
                "ecs:UpdateContainerAgent",
                "ecs:DeregisterContainerInstance",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "iam:GetInstanceProfile",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ecs:TagResource",
            "Resource": [
                "arn:aws:ecs:*:*:task/*_Batch_*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "autoscaling.amazonaws.com",
                        "ecs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

You can use the following procedure to determine whether your account already has the Amazon Batch service role and, if needed, attach the managed IAM policy.

To check for AWSBatchServiceRole in the IAM console

  1. Open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Roles.

  3. Search the list of roles for AWSBatchServiceRole. If the role does not exist, use the following procedure to create it. If the role exists, choose it to view the attached policies.

  4. Choose Permissions.

  5. Ensure that the AWSBatchServiceRole managed policy is attached to the role. If the policy is attached, the Amazon Batch service role is configured correctly. Otherwise, follow the substeps below to attach the policy.

    1. Choose Attach Policy.

    2. To narrow the list of available policies to attach, type AWSBatchServiceRole for Filter.

    3. Select the AWSBatchServiceRole policy, and then choose Attach Policy.

  6. Choose Trust Relationships, and then choose Edit Trust Relationship.

  7. Verify that the trust relationship contains the following policy. If the trust relationship matches the policy below, choose Cancel. If it does not match, copy the policy into the Policy Document window, and then choose Update Trust Policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "batch.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
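The console steps above are a manual check; the following Python is an added example (not part of the AWS documentation) that performs the same two checks on policy documents: that a trust policy lets only batch.amazonaws.com call sts:AssumeRole, as in step 7, and that any iam:PassRole grant keeps the iam:PassedToService condition from the managed policy above. The sample documents are constructed inline so the code runs offline.

```python
BATCH_PRINCIPAL = "batch.amazonaws.com"
# Services the managed policy on this page lets the role pass other roles to.
PASSROLE_SERVICES = {"ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"}


def _as_list(value):
    """IAM accepts a string or a list for Action, Principal.Service and condition values."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def trust_policy_matches(doc):
    """Step 7 check: every Allow statement grants only sts:AssumeRole to batch.amazonaws.com."""
    found = False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A wildcard or non-service principal would let other identities assume the role.
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        if _as_list(principal["Service"]) != [BATCH_PRINCIPAL]:
            return False
        if any(action != "sts:AssumeRole" for action in _as_list(stmt.get("Action"))):
            return False  # e.g. "sts:*" is broader than the documented trust policy
        found = True
    return found


def passrole_is_scoped(doc):
    """Every Allow of iam:PassRole must carry the iam:PassedToService condition from the managed policy."""
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "iam:PassRole" not in _as_list(stmt.get("Action")):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        passed_to = set(_as_list(cond.get("iam:PassedToService")))
        if not passed_to or not passed_to <= PASSROLE_SERVICES:
            return False
    return True


# Constructed samples: the trust policy from step 7, a drifted copy, and an unscoped PassRole grant.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": BATCH_PRINCIPAL}, "Action": "sts:AssumeRole"}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": [BATCH_PRINCIPAL, "ec2.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]}
UNSCOPED_PASSROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}  # condition dropped
```

With boto3, `iam.get_role(RoleName="AWSBatchServiceRole")["Role"]["AssumeRolePolicyDocument"]` returns the live trust policy as a dict that can be passed straight to `trust_policy_matches`.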

To create the AWSBatchServiceRole IAM role

  1. Open the IAM console at https://console.aws.amazon.com/iam/

  2. In the navigation pane, choose Roles, Create New Role.

  3. For Select type of trusted entity, choose Amazon service. For Choose the service that will use this role, choose Batch.

  4. Choose Next: Permissions, Next: Tags, and Next: Review.

  5. For Role Name, type AWSBatchServiceRole, and then choose Create Role.