本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Batch服务 IAM 角色
Amazon Batch打电话给其他人Amazon Web Services代表您管理与一起使用的资源Amazon Batch. 您必须先具有向 IAM 提供必需权限的 IAM 策略和角色,然后才能使用服务Amazon Batch.
大多数情况下,在控制台首次运行体验中将自动为您创建 Amazon Batch 服务角色。您可使用以下过程来检查您的账户是否已具有 Amazon Batch 服务角色。
AWSBatchServiceRole 策略如下所示。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ "arn:aws:ecs:*:*:task/*_Batch_*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } } ] }
检查是否为AWSServiceRoleForBatchIAM 控制台中的角色
通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/
。 -
在导航窗格中,选择 Roles(角色)。
-
在角色列表中搜索
AWSServiceRoleForBatch。注意 如果
AWSServiceRoleForBatch角色不存在,请按照以下过程操作来创建该角色。 -
选择
AWSServiceRoleForBatch以查看附加的策略。 -
适用于权限策略,请验证BatchServiceRolePolicy策略附加到角色。如果附加该策略,则将正确配置 Amazon Batch 服务角色。
注意 的 Amazon Resource Name(ARN)AWSServiceRoleForBatch角色采用以下格式:
arn:aws:iam::aws_account_id:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch -
选择 Trust Relationships(信任关系)。
-
验证信任关系是否包含以下内容。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "batch.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
创建AWSServiceRoleForBatchIAM 角色:
通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/
。 -
在导航窗格中,选择角色,然后选择创建角色.
-
适用于可信任的实体类型,选择Amazon服务.
-
In使用案例,对于其他的使用案例Amazon服务,选择批处理,然后选择批处理。
-
选择 Next(下一步)。
-
适用于权限策略,请验证AWSBatchServiceRole已附加策略,然后选择下一步.
注意 的 ARNAWSBatchServiceRole策略采用以下格式:
arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole -
适用于角色名称,输入
AWSServiceRoleForBatch然后输入说明. -
查看其余步骤。选择编辑以更改信任关系或权限。
-
选择Create role(创建角色)。