How Amazon Keyspaces Works with IAM - Amazon Keyspaces (for Apache Cassandra)
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

How Amazon Keyspaces Works with IAM

Before you use IAM to manage access to Amazon Keyspaces, you should understand what IAM features are available to use with Amazon Keyspaces. To get a high-level view of how Amazon Keyspaces and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Amazon Keyspaces Identity-Based Policies

With IAM identity-based policies, you can specify allowed or denied actions and resources, as well as the conditions under which actions are allowed or denied. Amazon Keyspaces supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

To see the Amazon Keyspaces service-specific resources and actions, and condition context keys that can be used for IAM permissions policies, see the Actions, Resources, and Condition Keys for Amazon Keyspaces (for Apache Cassandra) in the Service Authorization Reference.

Actions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in Amazon Keyspaces use the following prefix before the action: cassandra:. For example, to grant someone permission to create an Amazon Keyspaces keyspace with the Amazon Keyspaces CREATE CQL statement, you include the cassandra:Create action in their policy. Policy statements must include either an Action or a NotAction element. Amazon Keyspaces defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": [ "cassandra:CREATE", "cassandra:MODIFY" ]

To see a list of Amazon Keyspaces actions, see Actions Defined by Amazon Keyspaces (for Apache Cassandra) in the Service Authorization Reference.

Resources

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

"Resource": "*"

In Amazon Keyspaces, keyspaces and tables can be used in the Resource element of IAM permissions.

The Amazon Keyspaces keyspace resource has the following ARN:

arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}

The Amazon Keyspaces table resource has the following ARN:

arn:${Partition}:cassandra:${Region}:${Account}:/keyspace/${KeyspaceName}/table/${tableName}

For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

For example, to specify the mykeyspace keyspace in your statement, use the following ARN (note the leading slash after the account ID, as in the ARN format above):

"Resource": "arn:aws:cassandra:us-east-1:123456789012:/keyspace/mykeyspace"

To specify all keyspaces that belong to a specific account, use the wildcard (*):

"Resource": "arn:aws:cassandra:us-east-1:123456789012:/keyspace/*"

Some Amazon Keyspaces actions, such as those for creating resources, cannot be performed on a specific resource. In those cases, you must use the wildcard (*).

"Resource": "*"

To connect to Amazon Keyspaces programmatically with a standard driver, a user must have SELECT access to the system tables, because most drivers read the system keyspaces and tables on connection. For example, to grant a user SELECT permissions on mytable in mykeyspace, the IAM user must have permissions to read both mytable and the system keyspaces; without the second grant the driver's connection fails before the user's own queries run. To specify multiple resources in a single statement, list the ARNs in a JSON array separated by commas.

"Resource": [
    "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/mytable",
    "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
]

To see a list of Amazon Keyspaces resource types and their ARNs, see Resources Defined by Amazon Keyspaces (for Apache Cassandra) in the Service Authorization Reference. To learn with which actions you can specify the ARN of each resource, see Actions Defined by Amazon Keyspaces (for Apache Cassandra).
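The driver-connection policy described above, written out as an added example that is not part of the AWS documentation. It builds ARNs in the format documented on this page and includes a small offline matcher (simplified: Allow statements only, no Deny and no Condition) so you can check which table and system-keyspace ARNs each Resource pattern actually covers. The account ID, Region, keyspace and table names are placeholders.

```python
"""Least-privilege Amazon Keyspaces policy for a driver connection, plus a small
offline matcher to check what each Resource ARN pattern covers.

Added example, not code from the AWS documentation. ACCOUNT, REGION, and the
keyspace/table names are placeholders. The matcher is simplified: it evaluates
Allow statements only (no Deny, no Condition)."""
import fnmatch
import json

PARTITION = "aws"
REGION = "us-east-1"
ACCOUNT = "111122223333"  # placeholder account ID


def keyspace_arn(keyspace):
    # Keyspaces ARNs carry a leading "/" after the account ID: ":/keyspace/<name>".
    return f"arn:{PARTITION}:cassandra:{REGION}:{ACCOUNT}:/keyspace/{keyspace}"


def table_arn(keyspace, table):
    return f"{keyspace_arn(keyspace)}/table/{table}"


def driver_read_policy(keyspace, table):
    """SELECT on one table plus the system keyspaces a standard driver reads on connect.

    Without the "system*" grant the driver's metadata queries against the
    system keyspaces fail and the session never opens, even though the grant
    on the user table itself is correct."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOneTableAndSystemKeyspaces",
            "Effect": "Allow",
            "Action": ["cassandra:Select"],
            "Resource": [
                table_arn(keyspace, table),
                # Matches system, system_schema, and any other keyspace whose
                # name starts with "system".
                keyspace_arn("system*"),
            ],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept "*" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_matches(pattern, arn):
    # In Resource, "*" matches any run of characters (including "/"), "?" one character.
    return fnmatch.fnmatchcase(arn, pattern)


def is_allowed(policy, action, resource_arn):
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_action_matches(a, action) for a in _as_list(stmt["Action"])) and \
           any(_arn_matches(r, resource_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False  # no matching Allow: implicit deny


if __name__ == "__main__":
    policy = driver_read_policy("mykeyspace", "mytable")
    print(json.dumps(policy, indent=2))
    checks = [
        ("cassandra:Select", table_arn("mykeyspace", "mytable")),
        ("cassandra:SELECT", table_arn("system_schema", "tables")),
        ("cassandra:Select", table_arn("mykeyspace", "othertable")),
        ("cassandra:Modify", table_arn("mykeyspace", "mytable")),
    ]
    for action, arn in checks:
        verdict = "allow" if is_allowed(policy, action, arn) else "implicit deny"
        print(f"{action:17} {arn.split(':/')[1]:45} -> {verdict}")
```

Running it prints the policy and shows that the system* wildcard grants read access to every keyspace whose name begins with system, while the table grant stays scoped to mytable; Modify on the same table is implicitly denied because no statement allows it. The matcher is a reading aid only: for a real decision use the IAM policy simulator (for example, aws iam simulate-principal-policy), which also applies Deny statements, conditions and organization policies.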

Condition Keys

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Condition element (or Condition block) lets you specify conditions in which a statement is in effect. The Condition element is optional. You can create conditional expressions that use condition operators, such as equals or less than, to match the condition in the policy with values in the request.

If you specify multiple Condition elements in a statement, or multiple keys in a single Condition element, AWS evaluates them using a logical AND operation. If you specify multiple values for a single condition key, AWS evaluates the condition using a logical OR operation. All of the conditions must be met before the statement's permissions are granted.

You can also use placeholder variables when you specify conditions. For example, you can grant an IAM user permission to access a resource only if it is tagged with their IAM user name. For more information, see IAM Policy Elements: Variables and Tags in the IAM User Guide.

AWS supports global condition keys and service-specific condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

Amazon Keyspaces defines its own set of condition keys and also supports using some global condition keys.

All Amazon Keyspaces actions support the aws:RequestTag/${TagKey}, aws:ResourceTag/${TagKey}, and aws:TagKeys condition keys. For more information, see Amazon Keyspaces Resource Access Based on Tags.

To see a list of Amazon Keyspaces condition keys, see Condition Keys for Amazon Keyspaces (for Apache Cassandra) in the Service Authorization Reference. To learn with which actions and resources you can use a condition key, see Actions Defined by Amazon Keyspaces (for Apache Cassandra).

Examples

To view examples of Amazon Keyspaces identity-based policies, see Amazon Keyspaces Identity-Based Policy Examples.

Amazon Keyspaces Resource-Based Policies

Amazon Keyspaces does not support resource-based policies. To view an example of a detailed resource-based policy page, see https://docs.amazonaws.cn/lambda/latest/dg/access-control-resource-based.html.

Authorization Based on Amazon Keyspaces Tags

You can manage access to your Amazon Keyspaces resources by using tags. To manage resource access based on tags, you provide tag information in the Condition element of a policy using the cassandra:ResourceTag/key-name, aws:RequestTag/key-name, or aws:TagKeys condition keys. For more information about tagging Amazon Keyspaces resources, see Adding Tags and Labels to Amazon Keyspaces Resources.

To view an example of an identity-based policy that limits access to a resource based on the tags on that resource, see Amazon Keyspaces Resource Access Based on Tags.
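The tag-based authorization described above, and the AND/OR evaluation rules from the Condition Keys section, as an added example that is not part of the AWS documentation. It evaluates only the Condition element of a statement against the tag-related keys of a request context (no Action/Resource matching, no Deny); it uses the global aws:ResourceTag and aws:TagKeys keys listed above, the tagging action name is taken from the Service Authorization Reference rather than this page, and the tag keys, tag values, account ID, Region and keyspace name are placeholders.

```python
"""Tag-based access control for Amazon Keyspaces: evaluate the Condition element
of a statement against the tag-related keys in a request context.

Added example, not code from the AWS documentation. Tag keys/values, account ID,
Region and keyspace names are placeholders. Only the Condition element is
evaluated (no Action/Resource matching, no Deny); StringEquals and its
ForAllValues:/ForAnyValue: set forms are the only operators modelled. Tag key
names in aws:ResourceTag/<key> are compared exactly here, a simplification."""

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SelectOnlyOnTaggedTables",
            "Effect": "Allow",
            "Action": "cassandra:Select",
            "Resource": "arn:aws:cassandra:us-east-1:111122223333:/keyspace/mykeyspace/table/*",
            "Condition": {
                "StringEquals": {
                    # Two keys in one block: both must hold (logical AND).
                    # Two values for one key: either value suffices (logical OR).
                    "aws:ResourceTag/env": ["prod", "staging"],
                    "aws:ResourceTag/owner": "payments",
                }
            },
        },
        {
            "Sid": "TagOnlyWithApprovedKeys",
            "Effect": "Allow",
            "Action": "cassandra:TagResource",  # name per the Service Authorization Reference
            "Resource": "*",
            "Condition": {
                # Every tag key in the request must appear in this list.
                "ForAllValues:StringEquals": {"aws:TagKeys": ["env", "owner"]}
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _string_equals(policy_values, request_values, set_mode):
    allowed = set(_as_list(policy_values))
    if set_mode == "ForAllValues":
        # Vacuously true when the request carries no value for the key (IAM behaves the same).
        return all(v in allowed for v in request_values)
    if set_mode == "ForAnyValue":
        return any(v in allowed for v in request_values)
    # Plain StringEquals: exactly one request value, and it must be one of the policy values.
    return len(request_values) == 1 and request_values[0] in allowed


def condition_holds(condition, context):
    """condition: a statement's Condition block.
    context: condition key -> value (or list of values) present in the request."""
    for operator, pairs in condition.items():
        set_mode, _, base = operator.rpartition(":")
        if base != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, policy_values in pairs.items():
            request_values = _as_list(context.get(key, []))
            if not _string_equals(policy_values, request_values, set_mode):
                return False  # every key in every operator block must match (AND)
    return True


def _statement(sid):
    return next(s for s in POLICY["Statement"] if s["Sid"] == sid)


def select_allowed(resource_tags):
    """Does SelectOnlyOnTaggedTables fire for a table carrying these tags?"""
    context = {f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()}
    return condition_holds(_statement("SelectOnlyOnTaggedTables")["Condition"], context)


def tag_request_allowed(tag_keys):
    """Does TagOnlyWithApprovedKeys fire for a TagResource call with these tag keys?"""
    return condition_holds(_statement("TagOnlyWithApprovedKeys")["Condition"],
                           {"aws:TagKeys": list(tag_keys)})


if __name__ == "__main__":
    for tags in ({"env": "prod", "owner": "payments"},
                 {"env": "staging", "owner": "payments"},
                 {"env": "dev", "owner": "payments"},
                 {"env": "prod"}):
        print(f"SELECT with resource tags {tags!s:45} -> {select_allowed(tags)}")
    for keys in (["env", "owner"], ["env", "cost-center"], []):
        print(f"TagResource with tag keys {keys!s:25} -> {tag_request_allowed(keys)}")
```

The last TagResource check is the caveat worth remembering: ForAllValues is vacuously true when the request carries no value for the key, so a request with no tag keys passes the condition. To require that at least one approved key is present, pair the ForAllValues block with a Null condition ("Null": {"aws:TagKeys": "false"}), which is the pattern the IAM documentation recommends. StringEquals is case-sensitive on tag values, so env=Prod does not satisfy a policy written for prod.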

Amazon Keyspaces IAM Roles

An IAM role is an entity within your AWS account that has specific permissions.

Using Temporary Credentials with Amazon Keyspaces

You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

Amazon Keyspaces supports using temporary credentials with the Amazon Keyspaces authentication plugin. To see an example of how to use the authentication plugin to access a table programmatically, see Accessing Amazon Keyspaces Using the Authentication Plugin.

Service-Linked Roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view, but not edit, the permissions for service-linked roles.

For details about creating or managing Amazon Keyspaces service-linked roles, see Using Service-Linked Roles for Amazon Keyspaces.

Service Roles

Amazon Keyspaces does not support service roles.