Amazon Glue API permissions: actions and resources reference

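Use the following table as a reference when you set up Identity and Access Management for Amazon Glue and write a permissions policy to attach to an IAM identity (identity-based policy) or to a resource (resource policy). The table lists each Amazon Glue API operation, the corresponding action for which you can grant permission, and the Amazon resource for which you can grant the permission. You specify the actions in the policy's Action field and the resource values in the policy's Resource field.

For some Amazon Glue operations, the ancestor and child resource ARNs must also be included in the policy's Resource field. For more information, see Data Catalog ARNs.

Typically, you can replace ARN segments with wildcards. For more information, see IAM JSON policy elements in the IAM User Guide.

Condition keys for IAM policies are listed by API operation. You can use Amazon-wide condition keys in Amazon Glue policies to express conditions. For the Amazon-wide keys, see Amazon global condition keys in the IAM User Guide.

Note

To specify an action, use the glue: prefix followed by the API operation name (for example, glue:GetTable).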
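
A check for the ancestor-ARN rule described above, as an added example that is not part of the original documentation: it reports Data Catalog ARNs in a statement's Resource field whose database or catalog ancestors are not also covered. The sample statement, the account ID and the function names are constructed for illustration.

```python
import re

# Constructed sample statement: names a table ARN but omits the
# database and catalog ARNs that sit above it.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["glue:GetTable", "glue:BatchDeletePartition"],
    "Resource": ["arn:aws:glue:us-east-1:111122223333:table/sales/orders"],
}

def ancestors(arn):
    """Return the database and/or catalog ARNs above a Data Catalog ARN."""
    prefix, resource = arn.rsplit(":", 1)
    kind, _, path = resource.partition("/")
    out = []
    if kind in ("table", "userDefinedFunction"):
        out.append(f"{prefix}:database/{path.split('/')[0]}")
    if kind in ("table", "userDefinedFunction", "database", "connection"):
        out.append(f"{prefix}:catalog")
    return out

def covers(pattern, arn):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    rx = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(rx, arn) is not None

def missing_ancestors(statement):
    """List ancestor ARNs that no entry in the Resource field covers."""
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    missing = []
    for arn in resources:
        if not arn.startswith("arn:"):
            continue  # a bare "*" has no ancestors to check
        for needed in ancestors(arn):
            covered = any(covers(p, needed) for p in resources)
            if not covered and needed not in missing:
                missing.append(needed)
    return missing

if __name__ == "__main__":
    for arn in missing_ancestors(STATEMENT):
        print("Resource field is missing ancestor:", arn)
```
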


Amazon Glue API operations and required permissions
Amazon Glue API operation | Required permissions (API action) | Resources | Condition keys
BatchCreatePartition (batch_create_partition) glue:BatchCreatePartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
BatchDeleteConnection (batch_delete_connection) glue:BatchDeleteConnection
arn:aws:glue:region:account-id:connection/connection-name arn:aws:glue:region:account-id:catalog
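Note

All connection deletions to be performed by the call must be authorized by IAM. If any of these deletions is not authorized, the call fails and no connections are deleted.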

BatchDeletePartition (batch_delete_partition) glue:BatchDeletePartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
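Note

All partition deletions to be performed by the call must be authorized by IAM. If any of these deletions is not authorized, the call fails and no partitions are deleted.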

BatchDeleteTable (batch_delete_table) glue:BatchDeleteTable
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
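Note

All table deletions to be performed by the call must be authorized by IAM. If any of these deletions is not authorized, the call fails and no tables are deleted.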

BatchDeleteTableVersion (batch_delete_table_version) glue:BatchDeleteTableVersion
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
BatchGetCrawlers (batch_get_crawlers) glue:BatchGetCrawlers arn:aws:glue:region:account-id:crawler/crawler-name glue:resourceTag
BatchGetDevEndpoints (batch_get_dev_endpoints) glue:BatchGetDevEndpoints arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name glue:resourceTag
BatchGetJobs (batch_get_jobs) glue:BatchGetJobs arn:aws:glue:region:account-id:job/job-name glue:resourceTag
BatchGetPartition (batch_get_partition) glue:BatchGetPartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
BatchGetTriggers (batch_get_triggers) glue:BatchGetTriggers arn:aws:glue:region:account-id:trigger/trigger-name glue:resourceTag
BatchStopJobRun (batch_stop_job_run) glue:BatchStopJobRun *
CreateClassifier (create_classifier) glue:CreateClassifier *
CreateConnection (create_connection) glue:CreateConnection
arn:aws:glue:region:account-id:connection/connection-name arn:aws:glue:region:account-id:catalog
CreateCrawler (create_crawler) glue:CreateCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* aws:RequestTag
CreateDatabase (create_database) glue:CreateDatabase
arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
CreateDevEndpoint (create_dev_endpoint) glue:CreateDevEndpoint arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name or arn:aws:glue:region:account-id:devEndpoint/* aws:RequestTag
CreateJob (create_job) glue:CreateJob arn:aws:glue:region:account-id:job/job-name or arn:aws:glue:region:account-id:job/* aws:RequestTag
CreatePartition (create_partition) glue:CreatePartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
CreateScript (create_script) glue:CreateScript *
CreateSecurityConfiguration (create_security_configuration) glue:CreateSecurityConfiguration *
CreateTable (create_table) glue:CreateTable
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
CreateTrigger (create_trigger) glue:CreateTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* aws:RequestTag
CreateUserDefinedFunction (create_user_defined_function) glue:CreateUserDefinedFunction
arn:aws:glue:region:account-id:userDefinedFunction/database-name/user-defined-function-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
DeleteClassifier (delete_classifier) glue:DeleteClassifier *
DeleteConnection (delete_connection) glue:DeleteConnection
arn:aws:glue:region:account-id:connection/connection-name arn:aws:glue:region:account-id:catalog
DeleteCrawler (delete_crawler) glue:DeleteCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* glue:resourceTag
DeleteDatabase (delete_database) glue:DeleteDatabase
arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:userDefinedFunction/database-name/* arn:aws:glue:region:account-id:table/database-name/* arn:aws:glue:region:account-id:catalog
DeleteDevEndpoint (delete_dev_endpoint) glue:DeleteDevEndpoint arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name or arn:aws:glue:region:account-id:devEndpoint/* glue:resourceTag
DeleteJob (delete_job) glue:DeleteJob arn:aws:glue:region:account-id:job/job-name or arn:aws:glue:region:account-id:job/* glue:resourceTag
DeletePartition (delete_partition) glue:DeletePartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
DeleteResourcePolicy (delete_resource_policy) glue:DeleteResourcePolicy *
DeleteSecurityConfiguration (delete_security_configuration) glue:DeleteSecurityConfiguration *
DeleteTable (delete_table) glue:DeleteTable
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
DeleteTableVersion (delete_table_version) glue:DeleteTableVersion
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
DeleteTrigger (delete_trigger) glue:DeleteTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* glue:resourceTag
DeleteUserDefinedFunction (delete_user_defined_function) glue:DeleteUserDefinedFunction
arn:aws:glue:region:account-id:userDefinedFunction/database-name/user-defined-function-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetCatalogImportStatus (get_catalog_import_status) glue:GetCatalogImportStatus
arn:aws:glue:region:account-id:catalog
GetClassifier (get_classifier) glue:GetClassifier *
GetClassifiers (get_classifiers) glue:GetClassifiers *
GetConnection (get_connection) glue:GetConnection
arn:aws:glue:region:account-id:connection/connection-name arn:aws:glue:region:account-id:catalog
GetConnections (get_connections) glue:GetConnections
arn:aws:glue:region:account-id:connection/connection-names arn:aws:glue:region:account-id:catalog
GetCrawler (get_crawler) glue:GetCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* glue:resourceTag
GetCrawlerMetrics (get_crawler_metrics) glue:GetCrawlerMetrics *
GetCrawlers (get_crawlers) glue:GetCrawlers *
GetDatabase (get_database) glue:GetDatabase
arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetDatabases (get_databases) glue:GetDatabases
arn:aws:glue:region:account-id:database/database-names arn:aws:glue:region:account-id:catalog
GetDataCatalogEncryptionSettings (get_data_catalog_encryption_settings) glue:GetDataCatalogEncryptionSettings *
GetDataflowGraph (get_dataflow_graph) glue:GetDataflowGraph *
GetDevEndpoint (get_dev_endpoint) glue:GetDevEndpoint arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name or arn:aws:glue:region:account-id:devEndpoint/* glue:resourceTag
GetDevEndpoints (get_dev_endpoints) glue:GetDevEndpoints *
GetJob (get_job) glue:GetJob arn:aws:glue:region:account-id:job/job-name or arn:aws:glue:region:account-id:job/* glue:resourceTag
GetJobRun (get_job_run) glue:GetJobRun *
GetJobRuns (get_job_runs) glue:GetJobRuns *
GetJobs (get_jobs) glue:GetJobs *
GetMapping (get_mapping) glue:GetMapping *
GetPartition (get_partition) glue:GetPartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetPartitions (get_partitions) glue:GetPartitions
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetPlan (get_plan) glue:GetPlan *
GetResourcePolicy (get_resource_policy) glue:GetResourcePolicy *
GetSecurityConfiguration (get_security_configuration) glue:GetSecurityConfiguration *
GetSecurityConfigurations (get_security_configurations) glue:GetSecurityConfigurations *
GetTable (get_table) glue:GetTable
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetTables (get_tables) glue:GetTables
arn:aws:glue:region:account-id:table/database-name/table-names arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetTableVersion (get_table_version) glue:GetTableVersion
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetTableVersions (get_table_versions) glue:GetTableVersions
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetTags (get_tags) glue:GetTags *
GetTrigger (get_trigger) glue:GetTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* glue:resourceTag
GetTriggers (get_triggers) glue:GetTriggers *
GetUserDefinedFunction (get_user_defined_function) glue:GetUserDefinedFunction
arn:aws:glue:region:account-id:userDefinedFunction/database-name/user-defined-function-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
GetUserDefinedFunctions (get_user_defined_functions) glue:GetUserDefinedFunctions
arn:aws:glue:region:account-id:userDefinedFunction/database-name/user-defined-function-names arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
ImportCatalogToGlue (import_catalog_to_glue) glue:ImportCatalogToGlue
arn:aws:glue:region:account-id:catalog
ListCrawlers (list_crawlers) glue:ListCrawlers *
ListDevEndpoints (list_dev_endpoints) glue:ListDevEndpoints *
ListJobs (list_jobs) glue:ListJobs *
ListTriggers (list_triggers) glue:ListTriggers *
PutResourcePolicy (put_resource_policy) glue:PutResourcePolicy *
PutDataCatalogEncryptionSettings (put_data_catalog_encryption_settings) glue:PutDataCatalogEncryptionSettings *
ResetJobBookmark (reset_job_bookmark) glue:ResetJobBookmark *
StartCrawler (start_crawler) glue:StartCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* glue:resourceTag
StartCrawlerSchedule (start_crawler_schedule) glue:StartCrawlerSchedule *
StartJobRun (start_job_run) glue:StartJobRun *
StartTrigger (start_trigger) glue:StartTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* glue:resourceTag
StopCrawler (stop_crawler) glue:StopCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* glue:resourceTag
StopCrawlerSchedule (stop_crawler_schedule) glue:StopCrawlerSchedule *
StopTrigger (stop_trigger) glue:StopTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* glue:resourceTag
TagResource (tag_resource) glue:TagResource * aws:RequestTag
UntagResource (untag_resource) glue:UntagResource * aws:TagKeys
UpdateClassifier (update_classifier) glue:UpdateClassifier *
UpdateConnection (update_connection) glue:UpdateConnection
arn:aws:glue:region:account-id:connection/connection-name arn:aws:glue:region:account-id:catalog
UpdateCrawler (update_crawler) glue:UpdateCrawler arn:aws:glue:region:account-id:crawler/crawler-name or arn:aws:glue:region:account-id:crawler/* glue:resourceTag
UpdateCrawlerSchedule (update_crawler_schedule) glue:UpdateCrawlerSchedule *
UpdateDatabase (update_database) glue:UpdateDatabase
arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
UpdateDevEndpoint (update_dev_endpoint) glue:UpdateDevEndpoint arn:aws:glue:region:account-id:devEndpoint/development-endpoint-name or arn:aws:glue:region:account-id:devEndpoint/* glue:resourceTag
UpdateJob (update_job) glue:UpdateJob arn:aws:glue:region:account-id:job/job-name or arn:aws:glue:region:account-id:job/* glue:resourceTag
UpdatePartition (update_partition) glue:UpdatePartition
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
UpdateTable (update_table) glue:UpdateTable
arn:aws:glue:region:account-id:table/database-name/table-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog
UpdateTrigger (update_trigger) glue:UpdateTrigger arn:aws:glue:region:account-id:trigger/trigger-name or arn:aws:glue:region:account-id:trigger/* glue:resourceTag
UpdateUserDefinedFunction (update_user_defined_function) glue:UpdateUserDefinedFunction
arn:aws:glue:region:account-id:userDefinedFunction/database-name/user-defined-function-name arn:aws:glue:region:account-id:database/database-name arn:aws:glue:region:account-id:catalog