This is a machine-translated version. If this translation differs from the English original, the English original prevails.
Amazon Batch service IAM role
Amazon Batch calls other Amazon Web Services on your behalf to manage the resources you use with Amazon Batch. Before you can use the service, you must have an IAM policy and role that grant Amazon Batch the permissions it needs.
In most cases, the Amazon Batch service role is created for you automatically during the console first-run experience. You can use the following procedure to check whether your account already has an Amazon Batch service role.
By default, the BatchServiceRolePolicy policy is attached to the AWSServiceRoleForBatch role. The BatchServiceRolePolicy policy is shown below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotFleetInstances",
        "ec2:DescribeSpotFleetRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:RequestSpotFleet",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeAutoScalingInstances",
        "eks:DescribeCluster",
        "ecs:DescribeClusters",
        "ecs:DescribeContainerInstances",
        "ecs:DescribeTaskDefinition",
        "ecs:DescribeTasks",
        "ecs:ListClusters",
        "ecs:ListContainerInstances",
        "ecs:ListTaskDefinitionFamilies",
        "ecs:ListTaskDefinitions",
        "ecs:ListTasks",
        "ecs:DeregisterTaskDefinition",
        "ecs:TagResource",
        "ecs:ListAccountSettings",
        "logs:DescribeLogGroups",
        "iam:GetInstanceProfile",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/batch/job*:log-stream:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "autoscaling.amazonaws.com",
            "ecs.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:CancelSpotFleetRequests",
        "ec2:ModifySpotFleetRequest",
        "ec2:DeleteLaunchTemplate"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateLaunchConfiguration",
        "autoscaling:DeleteLaunchConfiguration"
      ],
      "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:SuspendProcesses",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DeleteCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask",
        "ecs:StartTask",
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task-definition/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StopTask"
      ],
      "Resource": "arn:aws:ecs:*:*:task/*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:RegisterTaskDefinition"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*::snapshot/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:capacity-reservation/*",
        "arn:aws:ec2:*:*:elastic-gpu/*",
        "arn:aws:elastic-inference:*:*:elastic-inference-accelerator/*",
        "arn:aws:resource-groups:*:*:group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/AWSBatchServiceTag": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances",
            "CreateLaunchTemplate",
            "RequestSpotFleet"
          ]
        }
      }
    }
  ]
}
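The security-relevant shape of this policy is that every write or destructive action is fenced. Launches, launch-template and ECS cluster creation and Auto Scaling tag writes require the request to carry the AWSBatchServiceTag tag (the Null/"false" condition on aws:RequestTag); terminations, Spot Fleet cancellations and launch-template deletions require the resource to already carry that tag (Null/"false" on aws:ResourceTag); Auto Scaling group and ECS cluster operations are limited to names starting with AWSBatch; and iam:PassRole is limited to roles being passed to the EC2 and ECS task services. The following evaluator is an added example, not AWS code and not the IAM policy engine: it models only the operators this policy uses, on a constructed subset of the statements above, so the effect of those conditions can be checked offline. The account ID, region and resource names in it are placeholders.

```python
"""Mini evaluator for the tag- and name-scoped statements of BatchServiceRolePolicy.

Added example, not AWS code. It implements only what the policy above needs:
Allow statements, Action/Resource wildcards, and the Null and StringEquals
condition operators. The real IAM engine also applies Deny statements, SCPs,
permissions boundaries and resource policies, none of which are modelled here.
"""
import fnmatch

# Constructed subset copied from the BatchServiceRolePolicy statements above.
BATCH_POLICY_SUBSET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": [
             "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com"]}}},
        {"Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:CancelSpotFleetRequests",
                    "ec2:ModifySpotFleetRequest", "ec2:DeleteLaunchTemplate"],
         "Resource": "*",
         "Condition": {"Null": {"aws:ResourceTag/AWSBatchServiceTag": "false"}}},
        {"Effect": "Allow",
         "Action": ["ecs:DeleteCluster", "ecs:DeregisterContainerInstance",
                    "ecs:RunTask", "ecs:StartTask", "ecs:StopTask"],
         "Resource": "arn:aws:ecs:*:*:cluster/AWSBatch*"},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {"aws:RequestTag/AWSBatchServiceTag": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator blocks must hold, and every key inside a block must hold."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            if operator == "Null":
                # Null/"false" means the key must be present (e.g. the tag exists);
                # Null/"true" means it must be absent.
                must_be_present = _as_list(expected)[0] == "false"
                if (key in context) != must_be_present:
                    return False
            elif operator == "StringEquals":
                if context.get(key) not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError("operator %s not modelled" % operator)
    return True


def is_allowed(policy, action, resource, context):
    """True if at least one Allow statement matches action, resource and condition.

    context maps already-resolved IAM condition keys to values, for example
    {"aws:ResourceTag/AWSBatchServiceTag": "ce-1"} for a resource carrying the tag.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def batch_scoping_demo(account="123456789012", region="us-east-1"):
    """Exercise the scoping rules on constructed ARNs; returns {case: allowed}."""
    instance = "arn:aws:ec2:%s:%s:instance/i-0123456789abcdef0" % (region, account)
    role = "arn:aws:iam::%s:role/ecsInstanceRole" % account
    cluster = "arn:aws:ecs:%s:%s:cluster/" % (region, account)
    tagged = {"aws:ResourceTag/AWSBatchServiceTag": "ce-1"}
    requested = {"aws:RequestTag/AWSBatchServiceTag": "ce-1"}
    p = BATCH_POLICY_SUBSET
    return {
        # Destructive actions only on resources that Batch itself tagged.
        "terminate_tagged_instance": is_allowed(p, "ec2:TerminateInstances", instance, tagged),
        "terminate_untagged_instance": is_allowed(p, "ec2:TerminateInstances", instance, {}),
        # Launches must carry the tag so the instance is recognisable later.
        "run_instances_with_tag": is_allowed(p, "ec2:RunInstances", instance, requested),
        "run_instances_without_tag": is_allowed(p, "ec2:RunInstances", instance, {}),
        # PassRole is limited to the EC2 and ECS task services.
        "pass_role_to_ec2": is_allowed(p, "iam:PassRole", role, {"iam:PassedToService": "ec2.amazonaws.com"}),
        "pass_role_to_lambda": is_allowed(p, "iam:PassRole", role, {"iam:PassedToService": "lambda.amazonaws.com"}),
        # ECS cluster operations only on clusters named AWSBatch*.
        "run_task_batch_cluster": is_allowed(p, "ecs:RunTask", cluster + "AWSBatch-ce-1", {}),
        "run_task_other_cluster": is_allowed(p, "ecs:RunTask", cluster + "prod", {}),
    }


if __name__ == "__main__":
    for case, allowed in batch_scoping_demo().items():
        print("%-30s %s" % (case, "ALLOW" if allowed else "deny"))
```

The evaluator has no Deny handling: in the real engine an explicit Deny, an SCP or a permissions boundary can still override each ALLOW it reports. What it does show is why an instance launched outside Batch without the AWSBatchServiceTag tag cannot be terminated through this role, and why the role cannot pass an instance profile role to any service other than EC2 or ECS tasks.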
To check the AWSServiceRoleForBatch role in the IAM console

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles.
3. In the list of roles, search for AWSServiceRoleForBatch.
   Note: If the AWSServiceRoleForBatch role does not exist, see the creation procedure later on this page.
4. Choose AWSServiceRoleForBatch to view the attached policies.
5. For Permissions policies, verify that the BatchServiceRolePolicy policy is attached to the role. If the policy is attached, the Amazon Batch service role is configured correctly.
   Note: The Amazon Resource Name (ARN) of the AWSServiceRoleForBatch role has the following format:
   arn:aws:iam::aws_account_id:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch
6. Choose Trust relationships.
7. Verify that the trust relationship contains the following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batch.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
To create the AWSServiceRoleForBatch IAM role

1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the navigation pane, choose Roles, then choose Create role.
3. For Trusted entity type, choose Amazon service.
4. For Use case, under Use cases for other Amazon services, choose Batch, then choose Batch again.
5. Choose Next.
6. For Permissions policies, verify that the BatchServiceRolePolicy policy is attached, then choose Next.
   Note: The ARN of the BatchServiceRolePolicy policy has the following format:
   arn:aws:iam::aws:policy/aws-service-role/BatchServiceRolePolicy
7. For Role name, enter AWSServiceRoleForBatch, then enter a description.
8. Review the remaining steps. Choose Edit to change the trust relationship or permissions.
9. Choose Create role.
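The two console procedures above boil down to three checks on the role: it lives under the /aws-service-role/batch.amazonaws.com/ path that the documented ARN shows, its trust policy lets only the batch.amazonaws.com service principal call sts:AssumeRole, and BatchServiceRolePolicy is the attached policy. The following script is an added example, not AWS code, that performs the same checks on the dictionaries returned by iam:GetRole and iam:ListAttachedRolePolicies, so the audit logic runs offline against constructed samples; fetch_from_iam() is the optional live lookup and assumes boto3 and credentials with those two read permissions. The account ID in the samples is a placeholder.

```python
"""Audit the AWSServiceRoleForBatch role against what the procedures above expect.

Added example, not AWS code. The checks encode the page's description of a
correctly configured role: it sits under /aws-service-role/batch.amazonaws.com/,
its trust policy lets only batch.amazonaws.com call sts:AssumeRole, and
BatchServiceRolePolicy is the attached policy. The audit functions take the
dictionaries that iam:GetRole and iam:ListAttachedRolePolicies return, so they
run offline; fetch_from_iam() is the optional live lookup and needs boto3.
"""
import json
from urllib.parse import unquote

ROLE_NAME = "AWSServiceRoleForBatch"
ROLE_PATH = "/aws-service-role/batch.amazonaws.com/"
POLICY_ARN = "arn:aws:iam::aws:policy/aws-service-role/BatchServiceRolePolicy"
BATCH_PRINCIPAL = "batch.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """Findings for a trust policy given as a dict or as the URL-encoded JSON
    string the raw IAM API returns (boto3 and the CLI already decode it)."""
    if isinstance(doc, str):
        doc = json.loads(unquote(doc))
    findings = []
    statements = _as_list(doc.get("Statement", []))
    if not statements:
        findings.append("trust policy has no statements")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = set(_as_list(stmt.get("Action", [])))
        if principal == "*" or not isinstance(principal, dict) or "AWS" in principal:
            # Anything other than a pure service principal lets an account,
            # user or role assume this role directly.
            findings.append("non-service principal may assume the role: %r" % (principal,))
        elif set(_as_list(principal.get("Service", []))) != {BATCH_PRINCIPAL}:
            findings.append("service principals %s differ from expected {%s}"
                            % (sorted(_as_list(principal.get("Service", []))), BATCH_PRINCIPAL))
        if actions != {"sts:AssumeRole"}:
            findings.append("trust policy actions %s differ from {sts:AssumeRole}" % sorted(actions))
    return findings


def audit_batch_service_role(role, attached_policy_arns):
    """role is the 'Role' dict from iam:GetRole; attached_policy_arns the PolicyArn
    values from iam:ListAttachedRolePolicies. Returns a list of findings (empty = OK)."""
    findings = []
    if role.get("RoleName") != ROLE_NAME:
        findings.append("role name is %r, expected %r" % (role.get("RoleName"), ROLE_NAME))
    if role.get("Path") != ROLE_PATH:
        findings.append("role path is %r, expected %r (not the service-linked role?)"
                        % (role.get("Path"), ROLE_PATH))
    findings += audit_trust_policy(role.get("AssumeRolePolicyDocument", {}))
    attached = set(attached_policy_arns)
    if POLICY_ARN not in attached:
        findings.append("BatchServiceRolePolicy is not attached")
    if attached - {POLICY_ARN}:
        findings.append("unexpected policies attached: %s" % sorted(attached - {POLICY_ARN}))
    return findings


def fetch_from_iam(role_name=ROLE_NAME):
    """Live lookup; needs boto3, credentials, iam:GetRole and
    iam:ListAttachedRolePolicies on the role."""
    import boto3  # imported here so the audit functions stay importable offline
    iam = boto3.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    pages = iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name)
    arns = [p["PolicyArn"] for page in pages for p in page["AttachedPolicies"]]
    return role, arns


# Constructed sample shaped like the GetRole response for a correct role.
SAMPLE_ROLE = {
    "RoleName": ROLE_NAME,
    "Path": ROLE_PATH,
    "Arn": "arn:aws:iam::123456789012:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": BATCH_PRINCIPAL},
                       "Action": "sts:AssumeRole"}],
    },
}

# Constructed look-alike: a hand-made role with the right name but the wrong
# path and a trust policy that also lets the account root principal assume it.
LOOKALIKE_ROLE = dict(SAMPLE_ROLE, Path="/", AssumeRolePolicyDocument={
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": BATCH_PRINCIPAL}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "sts:AssumeRole"},
    ],
})
```

Against a live account, `audit_batch_service_role(*fetch_from_iam())` returns an empty list when the role matches the documented configuration. The same data can be pulled with the CLI (`aws iam get-role --role-name AWSServiceRoleForBatch` and `aws iam list-attached-role-policies --role-name AWSServiceRoleForBatch`), and the creation procedure has a CLI equivalent in `aws iam create-service-linked-role --aws-service-name batch.amazonaws.com`. The LOOKALIKE_ROLE sample is the case worth catching: a role with the expected name that is not the service-linked role and that a second principal can assume, which the name check alone in step 3 of the console procedure would not reveal.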