步骤 4:创建用于笔记本服务器的 IAM 策略 - Amazon Glue
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

步骤 4:创建用于笔记本服务器的 IAM 策略

如果您计划将笔记本与开发终端节点结合使用,则必须在创建笔记本服务器时指定权限。您通过使用 Amazon Identity and Access Management (IAM) 提供这些权限。

此策略为某些 Amazon S3 操作授予管理您账户中某些资源的权限,这些资源是 Amazon Glue 代入使用此策略的角色时需要的资源。此策略中指定的某些资源引用了 Amazon Glue 对 Amazon S3 存储桶、Amazon S3 ETL 脚本和 Amazon EC2 资源使用的默认名称。为简便起见,默认情况下,Amazon Glue 会将某些 Amazon S3 对象写入到您账户中带有前缀 aws-glue-* 的存储桶。

注意

如果您使用了Amazon托管式策略 AWSGlueServiceNotebookRole,则可跳过此步骤。

在此步骤中,您将创建一个类似于 AWSGlueServiceNotebookRole 的策略。您可以在 IAM 控制台中找到最新版本的 AWSGlueServiceNotebookRole

为笔记本创建 IAM 策略

  1. 登录 Amazon Web Services Management Console,然后通过以下网址打开 IAM 控制台:https://console.aws.amazon.com/iam/

  2. 在左侧导航窗格中,选择 Policies (策略)

  3. 选择 Create Policy (创建策略)

  4. Create Policy (创建策略) 屏幕上,导航到用于编辑 JSON 的选项卡。使用以下 JSON 语句创建策略文档,然后选择 Review policy (查看策略)。

    { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "glue:CreateDatabase", "glue:CreatePartition", "glue:CreateTable", "glue:DeleteDatabase", "glue:DeletePartition", "glue:DeleteTable", "glue:GetDatabase", "glue:GetDatabases", "glue:GetPartition", "glue:GetPartitions", "glue:GetTable", "glue:GetTableVersions", "glue:GetTables", "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable", "glue:GetJobBookmark", "glue:ResetJobBookmark", "glue:CreateConnection", "glue:CreateJob", "glue:DeleteConnection", "glue:DeleteJob", "glue:GetConnection", "glue:GetConnections", "glue:GetDevEndpoint", "glue:GetDevEndpoints", "glue:GetJob", "glue:GetJobs", "glue:UpdateJob", "glue:BatchDeleteConnection", "glue:UpdateConnection", "glue:GetUserDefinedFunction", "glue:UpdateUserDefinedFunction", "glue:GetUserDefinedFunctions", "glue:DeleteUserDefinedFunction", "glue:CreateUserDefinedFunction", "glue:BatchGetPartition", "glue:BatchDeletePartition", "glue:BatchCreatePartition", "glue:BatchDeleteTable", "glue:UpdateDevEndpoint", "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketAcl" ], "Resource":[ "*" ] }, { "Effect":"Allow", "Action":[ "s3:GetObject" ], "Resource":[ "arn:aws:s3:::crawler-public*", "arn:aws:s3:::aws-glue*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:DeleteObject" ], "Resource":[ "arn:aws:s3:::aws-glue*" ] }, { "Effect":"Allow", "Action":[ "ec2:CreateTags", "ec2:DeleteTags" ], "Condition":{ "ForAllValues:StringEquals":{ "aws:TagKeys":[ "aws-glue-service-resource" ] } }, "Resource":[ "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:instance/*" ] } ] }

    下表描述了此策略授予的权限。

    操作 资源 描述

    "glue:*"

    "*"

    授予运行所有 Amazon Glue API 操作的权限。

    "s3:GetBucketLocation", "s3:ListBucket", "s3:ListAllMyBuckets", "s3:GetBucketAcl"

    "*"

    允许通过笔记本服务器列示 Amazon S3 存储桶。

    "s3:GetObject"

    "arn:aws:s3:::crawler-public*", "arn:aws:s3:::aws-glue-*"

    允许通过笔记本获取示例和教程所使用的 Amazon S3 对象。

    命名约定:Amazon S3 存储桶名称以 crawler-publicaws-glue- 开头。

    "s3:PutObject", "s3:DeleteObject"

    "arn:aws:s3:::aws-glue*"

    允许通过笔记本在您的账户中放置和删除 Amazon S3 对象。

    命名约定:使用名为 aws-glue- 的 Amazon S3 文件夹。

    "ec2:CreateTags", "ec2:DeleteTags"

    "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:instance/*"

    允许标记为笔记本服务器创建的 Amazon EC2 资源。

    命名约定:Amazon Glue 使用 aws-glue-service-resource 标记 Amazon EC2 实例。

  5. Review Policy (查看策略) 屏幕上,输入您的 Policy Name (策略名称),例如 GlueServiceNotebookPolicyDefault。输入可选描述,然后在您对该策略满意时选择 Create policy (创建策略)