Amazon Batch服务 IAM 角色 - Amazon Batch
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon Batch服务 IAM 角色

Amazon Batch打电话给其他人Amazon Web Services代表您管理与一起使用的资源Amazon Batch. 您必须先具有向 IAM 提供必需权限的 IAM 策略和角色,然后才能使用服务Amazon Batch.

大多数情况下,在控制台首次运行体验中将自动为您创建 Amazon Batch 服务角色。您可使用以下过程来检查您的账户是否已具有 Amazon Batch 服务角色。

AWSBatchServiceRole 策略如下所示。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeInstances", "ec2:DescribeInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeInstanceStatus", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotFleetInstances", "ec2:DescribeSpotFleetRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeVpcClassicLink", "ec2:DescribeLaunchTemplateVersions", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:RequestSpotFleet", "ec2:CancelSpotFleetRequests", "ec2:ModifySpotFleetRequest", "ec2:TerminateInstances", "ec2:RunInstances", "autoscaling:DescribeAccountLimits", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeAutoScalingInstances", "autoscaling:CreateLaunchConfiguration", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:SetDesiredCapacity", "autoscaling:DeleteLaunchConfiguration", "autoscaling:DeleteAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:SuspendProcesses", "autoscaling:PutNotificationConfiguration", "autoscaling:TerminateInstanceInAutoScalingGroup", "ecs:DescribeClusters", "ecs:DescribeContainerInstances", "ecs:DescribeTaskDefinition", "ecs:DescribeTasks", "ecs:ListAccountSettings", "ecs:ListClusters", "ecs:ListContainerInstances", "ecs:ListTaskDefinitionFamilies", "ecs:ListTaskDefinitions", "ecs:ListTasks", "ecs:CreateCluster", "ecs:DeleteCluster", "ecs:RegisterTaskDefinition", "ecs:DeregisterTaskDefinition", "ecs:RunTask", "ecs:StartTask", "ecs:StopTask", "ecs:UpdateContainerAgent", "ecs:DeregisterContainerInstance", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "iam:GetInstanceProfile", "iam:GetRole" ], "Resource": "*" }, { "Effect": "Allow", "Action": "ecs:TagResource", "Resource": [ "arn:aws:ecs:*:*:task/*_Batch_*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "*" ], "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn", "ecs-tasks.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": [ "spot.amazonaws.com", "spotfleet.amazonaws.com", "autoscaling.amazonaws.com", "ecs.amazonaws.com" ] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } } } ] }

检查是否为AWSServiceRoleForBatchIAM 控制台中的角色

  1. 通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/

  2. 在导航窗格中,选择 Roles(角色)。

  3. 在角色列表中搜索 AWSServiceRoleForBatch

    注意

    如果AWSServiceRoleForBatch角色不存在,请按照以下过程操作来创建该角色。

  4. 选择AWSServiceRoleForBatch以查看附加的策略。

  5. 适用于权限策略,请验证BatchServiceRolePolicy策略附加到角色。如果附加该策略,则将正确配置 Amazon Batch 服务角色。

    注意

    的 Amazon Resource Name(ARN)AWSServiceRoleForBatch角色采用以下格式:

    arn:aws:iam::aws_account_id:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch

  6. 选择 Trust Relationships(信任关系)。

  7. 验证信任关系是否包含以下内容。

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "batch.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

创建AWSServiceRoleForBatchIAM 角色:

  1. 通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/

  2. 在导航窗格中,选择角色,然后选择创建角色.

  3. 适用于可信任的实体类型,选择Amazon服务.

  4. In使用案例,对于其他的使用案例Amazon服务,选择批处理,然后选择批处理

  5. 选择 Next(下一步)。

  6. 适用于权限策略,请验证AWSBatchServiceRole已附加策略,然后选择下一步.

    注意

    的 ARNAWSBatchServiceRole策略采用以下格式:

    arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole

  7. 适用于角色名称,输入AWSServiceRoleForBatch然后输入说明.

  8. 查看其余步骤。选择编辑以更改信任关系或权限。

  9. 选择Create role(创建角色)