AWS Batch 服务 IAM 角色 - AWS Batch
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

AWS Batch 服务 IAM 角色

AWS Batch 代表您调用其他 AWS 服务以管理服务所使用的资源。您必须先具有向 AWS Batch 提供必需权限的 IAM 策略和角色,然后才能使用服务。

大多数情况下,在控制台首次运行体验中将自动为您创建 AWS Batch 服务角色。您可使用以下过程来检查您的账户是否已具有 AWS Batch 服务角色。

AWSBatchServiceRole 策略如下所示。 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeImages",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeSpotInstanceRequests",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeSpotFleetRequests",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:RequestSpotFleet",
                "ec2:CancelSpotFleetRequests",
                "ec2:ModifySpotFleetRequest",
                "ec2:TerminateInstances",
                "ec2:RunInstances",
                "autoscaling:DescribeAccountLimits",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:SuspendProcesses",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ecs:DescribeClusters",
                "ecs:DescribeContainerInstances",
                "ecs:DescribeTaskDefinition",
                "ecs:DescribeTasks",
                "ecs:ListClusters",
                "ecs:ListContainerInstances",
                "ecs:ListTaskDefinitionFamilies",
                "ecs:ListTaskDefinitions",
                "ecs:ListTasks",
                "ecs:CreateCluster",
                "ecs:DeleteCluster",
                "ecs:RegisterTaskDefinition",
                "ecs:DeregisterTaskDefinition",
                "ecs:RunTask",
                "ecs:StartTask",
                "ecs:StopTask",
                "ecs:UpdateContainerAgent",
                "ecs:DeregisterContainerInstance",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:DescribeLogGroups",
                "iam:GetInstanceProfile",
                "iam:GetRole"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn",
                        "ecs-tasks.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "autoscaling.amazonaws.com",
                        "ecs.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "RunInstances"
                }
            }
        }
    ]
}

您可以使用以下过程检查您的账户是否已拥有 AWS Batch 服务角色并附加托管 IAM 策略(如果需要)。

在 IAM 控制台中检查 AWSBatchServiceRole

  1. 通过以下网址打开 IAM 控制台:https://console.amazonaws.cn/iam/

  2. 在导航窗格中,选择 Roles

  3. 在角色列表中搜索 AWSBatchServiceRole。如果该角色不存在,请使用以下过程创建该角色。如果角色存在,请选择角色以查看附加的策略。

  4. 选择 Permissions

  5. 确保将 AWSBatchServiceRole 托管策略附加到该角色。如果附加该策略,则将正确配置 AWS Batch 服务角色。否则,请执行以下子步骤来附加策略。

    1. 选择 Attach Policy

    2. 要缩小要附加的可用策略的列表范围,请为 Filter (筛选条件) 键入 AWSBatchServiceRole

    3. 选择 AWSBatchServiceRole 策略,然后选择 Attach Policy

  6. 选择 Trust Relationships,然后选择 Edit Trust Relationship

  7. 验证信任关系是否包含以下策略。如果信任关系符合以下策略,请选择 Cancel。如果信任关系不符合,请将策略复制到 Policy Document 窗口中并选择 Update Trust Policy

    {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "batch.amazonaws.com"},
        "Action": "sts:AssumeRole"
    }]
}

创建 AWSBatchServiceRole IAM 角色

  1. 通过以下网址打开 IAM 控制台:https://console.amazonaws.cn/iam/

  2. 在导航窗格中,选择 RolesCreate New Role

  3. 对于 Select type of trusted entity (选择受信任实体的类型),选择 AWS service (AWS 服务)。对于 Choose the service that will use this role (选择将使用此角色的服务),选择 Batch (批处理)

  4. 依次选择 Next: Permissions (下一步: 权限)Next: Tags (下一步: 标签)Next: Review (下一步: 复查)

  5. 对于 Role Name (角色名称),键入 AWSBatchServiceRole,然后选择 Create Role (创建角色)