This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
Minimal IAM policy for the installer to provision resources
When you install the Amazon IoT Greengrass Core software, you can provision the Amazon resources that the device requires, such as an Amazon IoT thing and an IAM role. You can also deploy the local development tools to the device. The installer needs Amazon credentials to perform these actions in your Amazon Web Services account. For more information, see Install the Amazon IoT Greengrass Core software.
The following example policy includes the minimum set of actions that the installer requires to provision these resources. These permissions are required if you specify the --provision parameter to the installer. Replace account-id with your Amazon Web Services account ID, and replace GreengrassV2TokenExchangeRole with the name of the token exchange role that you specify with the --tes-role-name installer parameter.
Note

The DeployDevTools policy statement is required only if you specify the --deploy-dev-tools parameter to the installer.
Greengrass nucleus v2.5.0 and later

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateTokenExchangeRole",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id:role/GreengrassV2TokenExchangeRole",
        "arn:aws:iam::account-id:policy/GreengrassV2TokenExchangeRoleAccess",
        "arn:aws:iam::aws:policy/GreengrassV2TokenExchangeRoleAccess"
      ]
    },
    {
      "Sid": "CreateIoTResources",
      "Effect": "Allow",
      "Action": [
        "iot:AddThingToThingGroup",
        "iot:AttachPolicy",
        "iot:AttachThingPrincipal",
        "iot:CreateKeysAndCertificate",
        "iot:CreatePolicy",
        "iot:CreateRoleAlias",
        "iot:CreateThing",
        "iot:CreateThingGroup",
        "iot:DescribeEndpoint",
        "iot:DescribeRoleAlias",
        "iot:DescribeThingGroup",
        "iot:GetPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployDevTools",
      "Effect": "Allow",
      "Action": [
        "greengrass:CreateDeployment",
        "iot:CancelJob",
        "iot:CreateJob",
        "iot:DeleteThingShadow",
        "iot:DescribeJob",
        "iot:DescribeThing",
        "iot:DescribeThingGroup",
        "iot:GetThingShadow",
        "iot:UpdateJob",
        "iot:UpdateThingShadow"
      ],
      "Resource": "*"
    }
  ]
}
```

Earlier than v2.5.0

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateTokenExchangeRole",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreateRole",
        "iam:GetPolicy",
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::account-id:role/GreengrassV2TokenExchangeRole",
        "arn:aws:iam::account-id:policy/GreengrassV2TokenExchangeRoleAccess",
        "arn:aws:iam::aws:policy/GreengrassV2TokenExchangeRoleAccess"
      ]
    },
    {
      "Sid": "CreateIoTResources",
      "Effect": "Allow",
      "Action": [
        "iot:AddThingToThingGroup",
        "iot:AttachPolicy",
        "iot:AttachThingPrincipal",
        "iot:CreateKeysAndCertificate",
        "iot:CreatePolicy",
        "iot:CreateRoleAlias",
        "iot:CreateThing",
        "iot:CreateThingGroup",
        "iot:DescribeEndpoint",
        "iot:DescribeRoleAlias",
        "iot:DescribeThingGroup",
        "iot:GetPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DeployDevTools",
      "Effect": "Allow",
      "Action": [
        "greengrass:CreateDeployment",
        "iot:CancelJob",
        "iot:CreateJob",
        "iot:DeleteThingShadow",
        "iot:DescribeJob",
        "iot:DescribeThing",
        "iot:DescribeThingGroup",
        "iot:GetThingShadow",
        "iot:UpdateJob",
        "iot:UpdateThingShadow"
      ],
      "Resource": "*"
    }
  ]
}
```