This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original takes precedence.
Amazon Batch service IAM role
Amazon Batch makes calls to other Amazon services on your behalf to manage the resources that the service uses. Before you can use Amazon Batch, you must have an IAM policy and role that provide the necessary permissions to the service.
In most cases, the Amazon Batch service role is created for you automatically in the console first-run experience. You can use the following procedure to check whether your account already has the Amazon Batch service role.
The AWSBatchServiceRole policy is shown below.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ 
"arn:aws:ecs:*:*:task/*_Batch_*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } } ] }
You can use the following procedure to determine whether your account already has the Amazon Batch service role and, if needed, attach the managed IAM policy.
To check for the AWSBatchServiceRole in the IAM console
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles.
3. Search the list of roles for AWSBatchServiceRole. If the role doesn't exist, use the following procedure to create the role. If the role exists, choose the role to view its attached policies.
4. Choose Permissions.
5. Ensure that the AWSBatchServiceRole managed policy is attached to the role. If the policy is attached, your Amazon Batch service role is properly configured. Otherwise, follow these substeps to attach the policy.
   a. Choose Attach Policy.
   b. To narrow the list of available policies to attach, for Filter, type AWSBatchServiceRole.
   c. Choose the AWSBatchServiceRole policy, and then choose Attach Policy.
6. Choose Trust Relationships, and then choose Edit Trust Relationship.
7. Verify that the trust relationship contains the following policy. If the trust relationship matches the following policy, choose Cancel. If the trust relationship doesn't match, copy the policy into the Policy Document window and choose Update Trust Policy.
   {
       "Version": "2012-10-17",
       "Statement": [{
           "Effect": "Allow",
           "Principal": {"Service": "batch.amazonaws.com"},
           "Action": "sts:AssumeRole"
       }]
   }
To create the AWSBatchServiceRole IAM role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles, and then choose Create New Role.
3. For Select type of trusted entity, choose Amazon service. For Choose the service that will use this role, choose Batch.
4. Choose Next: Permissions, Next: Tags, and Next: Review.
5. For Role Name, type AWSBatchServiceRole, and then choose Create Role.