Grant Firehose access to replicate database changes to Apache Iceberg tables - Amazon Data Firehose
The Amazon Web Services services or features described in the Amazon Web Services documentation may vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF)

This article is a machine-translated version. If this translation differs from the original English text, the English original prevails.

Grant Firehose access to replicate database changes to Apache Iceberg tables

Note

Firehose supports databases as a source in all Amazon Web Services Regions except the China Regions, Asia Pacific (Malaysia), and the Amazon GovCloud (US) Regions. This feature is in preview and is subject to change. Do not use it for production workloads.

Before you create a Firehose stream and Apache Iceberg tables with Amazon Glue, you must have an IAM role. Use the following steps to create the policy and the IAM role. Firehose assumes this IAM role to perform the required operations.

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.aws.amazon.com/iam/

  2. Create a policy and choose JSON in the policy editor.

  3. Add the following inline policy, which grants permissions such as Amazon S3 read/write permissions and permissions to update tables in the Data Catalog.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "glue:GetTable",
            "glue:GetDatabase",
            "glue:UpdateTable",
            "glue:CreateTable",
            "glue:CreateDatabase"
          ],
          "Resource": [
            "arn:aws:glue:<region>:<aws-account-id>:catalog",
            "arn:aws:glue:<region>:<aws-account-id>:database/*",
            "arn:aws:glue:<region>:<aws-account-id>:table/*/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:AbortMultipartUpload",
            "s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:PutObject",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": [
            "arn:aws:kms:<region>:<aws-account-id>:key/<key-id>"
          ],
          "Condition": {
            "StringEquals": {
              "kms:ViaService": "s3.<region>.amazonaws.com"
            },
            "StringLike": {
              "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "logs:PutLogEvents"
          ],
          "Resource": [
            "arn:aws:logs:<region>:<aws-account-id>:log-group:<log-group-name>:log-stream:<log-stream-name>"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "secretsmanager:GetSecretValue",
          "Resource": "<Secret ARN>"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeVpcEndpointServices"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
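As an added example (not AWS or Firehose code), the following Python script loads a copy of the policy above with constructed values in place of the placeholders and checks the scoping that keeps the role Firehose assumes least-privilege: no action granted on a `*` resource except the one EC2 describe call that has no resource-level permissions, every ARN belonging to the service of its action, and the KMS grant tied to S3 through `kms:ViaService`. The account id, Region, key id, log names and secret ARN are made up.

```python
import json

# Constructed sample: the page's policy with made-up values in place of the
# placeholders (account 111122223333, us-east-1, fake key id, secret and log names).
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["glue:GetTable", "glue:GetDatabase", "glue:UpdateTable",
   "glue:CreateTable", "glue:CreateDatabase"],
  "Resource": ["arn:aws:glue:us-east-1:111122223333:catalog",
   "arn:aws:glue:us-east-1:111122223333:database/*",
   "arn:aws:glue:us-east-1:111122223333:table/*/*"]},
 {"Effect": "Allow", "Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation",
   "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:PutObject",
   "s3:DeleteObject"],
  "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*"]},
 {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": ["arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"],
  "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"},
   "StringLike": {"kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::amzn-s3-demo-bucket/prefix*"}}},
 {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
  "Resource": ["arn:aws:logs:us-east-1:111122223333:log-group:firehose:log-stream:iceberg"]},
 {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
  "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-creds-AbCdEf"},
 {"Effect": "Allow", "Action": ["ec2:DescribeVpcEndpointServices"], "Resource": ["*"]}]}""")

# The one action here whose API has no resource-level permissions, so "*" is unavoidable.
WILDCARD_OK = {"ec2:DescribeVpcEndpointServices"}

def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def find_issues(policy):
    """Return findings for statements broader than the Firehose role needs."""
    issues = []
    for stmt in policy["Statement"]:
        resources = _as_list(stmt["Resource"])
        via_service = stmt.get("Condition", {}).get("StringEquals", {})
        for action in _as_list(stmt["Action"]):
            svc = action.split(":")[0]
            if "*" in resources and action not in WILDCARD_OK:
                issues.append(f"{action} granted on all resources")
            # Every ARN should belong to the service that owns the action.
            for res in resources:
                if res != "*" and not res.startswith(f"arn:aws:{svc}:"):
                    issues.append(f"{action} scoped to foreign resource {res}")
            # KMS use must stay tied to S3 access on this bucket.
            if svc == "kms" and "kms:ViaService" not in via_service:
                issues.append(f"{action} lacks kms:ViaService condition")
    return issues
```

Run `find_issues` against the policy you actually paste into the console before attaching it to the role; an empty list means the scoping shown on this page is intact.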