本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Batch服务 IAM 角色
Amazon Batch 代表您调用其他 Amazon 服务以管理服务所使用的资源。您必须先具有向提供必需权限的 IAM 策略和角色,然后才能使用服务。Amazon Batch。
大多数情况下,在控制台首次运行体验中将自动为您创建 Amazon Batch 服务角色。您可使用以下过程来检查您的账户是否已具有 Amazon Batch 服务角色。
AWSBatchServiceRole 策略如下所示。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ "arn:aws:ecs:*:*:task/*_Batch_*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction" : "RunInstances" } } } ] }
您可使用以下过程来确定您的账户是否已具有Amazon Batch服务角色,并根据需要附加托管 IAM 策略。
要检查AWSBatchServiceRoleIAM 控制台中
-
通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/
。 -
在导航窗格中,选择 Roles。
-
在角色列表中搜索
AWSBatchServiceRole。如果该角色不存在,请使用以下过程创建该角色。如果角色存在,请选择角色以查看附加的策略。 -
选择 Permissions。
-
确保将 AWSBatchServiceRole 托管策略附加到该角色。如果附加该策略,则将正确配置 Amazon Batch 服务角色。否则,请执行以下子步骤来附加策略。
-
选择 Attach Policy。
-
要缩小要附加的可用策略的列表范围,请为 Filter (筛选条件) 键入 AWSBatchServiceRole。
-
选择 AWSBatchServiceRole 策略,然后选择 Attach Policy。
-
-
选择 Trust Relationships,然后选择 Edit Trust Relationship。
-
验证信任关系是否包含以下策略。如果信任关系符合以下策略,请选择Cancel。如果信任关系不匹配,请将策略复制到策略文档窗口,然后选择更新信任策略。
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "batch.amazonaws.com"}, "Action": "sts:AssumeRole" }] }
创建AWSBatchServiceRoleIAM 角色
-
通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/
。 -
在导航窗格中,选择 Roles 和 Create New Role。
-
对于 Select type of trusted entity(选择受信任实体的类型),选择 Amazon service(亚马逊云科技服务)。对于 Choose the service that will use this role (选择将使用此角色的服务),选择 Batch (批处理)。
-
选择 Next:。Permissions (权限)、后续:标签, 和后续:审核。
-
对于 Role Name (角色名称),键入
AWSBatchServiceRole,然后选择 Create Role (创建角色)。