# 表优化的先决条件
表优化器会代入您在为表启用优化选项(压缩、快照保留和孤立文件删除)时指定的 Amazon Identity and Access Management(IAM)角色的权限。可以创建单个角色并用于所有优化器,也可以为每个优化器分别创建单独的角色。
**注意**
孤立文件删除优化器不需要 `glue:updateTable` 或 `s3:putObject` 权限。快照过期和压缩优化器需要相同的权限集。
该 IAM 角色必须具有读取数据和更新数据目录中元数据的权限。您可以创建一个 IAM 角色并附加以下内联策略:
+ 添加以下内联策略,以向 Amazon S3 授予对未注册到 Amazon Lake Formation 的数据位置的读/写权限。此策略还包括更新数据目录中表的权限,以及允许 Amazon Glue 在 Amazon CloudWatch 日志中添加日志并发布指标的权限。对于 Amazon S3 中未注册到 Lake Formation 的源数据,访问权限由 Amazon S3 和 Amazon Glue 操作的 IAM 权限策略决定。
请将以下内联策略中的 `bucket-name` 替换为您的 Amazon S3 存储桶名称,请将 `aws-account-id` 和 `region` 替换为有效的 Amazon 账户和数据目录所在的区域,将 `database_name` 替换为数据库的名称,并将 `table_name` 替换为表的名称。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"glue:UpdateTable",
"glue:GetTable"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:table//",
"arn:aws:glue:us-east-1:111122223333:database/",
"arn:aws:glue:us-east-1:111122223333:catalog"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-compaction/logs:*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-retention/logs:*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-orphan-file-deletion/logs:*"
]
}
]
}
```
------
+ 使用以下策略为注册到 Lake Formation 的数据启用压缩功能。
如果该优化角色不具有对表的 `IAM_ALLOWED_PRINCIPALS` 组权限,则该角色需要具有对该表的 Lake Formation `ALTER`、`DESCRIBE`、`INSERT` 和 `DELETE` 权限。
有关向 Lake Formation 注册 Amazon S3 存储桶的更多信息,请参阅 [Adding an Amazon S3 location to your data lake](https://docs.amazonaws.cn/lake-formation/latest/dg/register-data-lake.html)。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lakeformation:GetDataAccess"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"glue:UpdateTable",
"glue:GetTable"
],
"Resource": [
"arn:aws:glue:us-east-1:111122223333:table/databaseName/tableName",
"arn:aws:glue:us-east-1:111122223333:database/databaseName",
"arn:aws:glue:us-east-1:111122223333:catalog"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-compaction/logs:*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-retention/logs:*",
"arn:aws:logs:us-east-1:111122223333:log-group:/aws-glue/iceberg-orphan-file-deletion/logs:*"
]
}
]
}
```
------
+ (可选)如果要优化的 Iceberg 表包含使用[服务器端加密](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingKMSEncryption.html)进行加密的 Amazon S3 存储桶中数据,则该压缩角色需要具有解密 Amazon S3 对象并生成新数据密钥,以将对象写入加密存储桶的权限。将以下策略添加到需要的 Amazon KMS 密钥。我们仅支持在存储桶级加密。
```
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::role/"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}
```
+ (可选)对于注册到 Lake Formation 的数据位置,用于注册该位置的角色需要具有解密 Amazon S3 对象并生成新数据密钥以将对象写入加密存储桶的权限。有关更多信息,请参阅 [Registering an encrypted Amazon S3 location](https://docs.amazonaws.cn/lake-formation/latest/dg/register-encrypted.html)。
+ (可选)如果 Amazon KMS 密钥存储在其他 Amazon 账户中,则需要为该压缩角色添加以下权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:us-east-1:111122223333:key/key-id"
]
}
]
}
```
------
+ 用于运行压缩的角色必须拥有该角色的 `iam:PassRole` 权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::111122223333:role/"
]
}
]
}
```
------
+ 将以下信任策略添加到该角色,以便 Amazon Glue 服务代入该 IAM 角色来运行压缩进程。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
+ (可选)要更新 Data Catalog 设置以启用目录级表优化,使用的 IAM 角色必须对根目录具有 `glue:UpdateCatalog` 权限或 Amazon Lake Formation `ALTER CATALOG` 权限。您可以使用 `GetCatalog` API 来验证目录属性。