使用 的先决条件Amazon CloudFormation设置 Neptune - Amazon Neptune
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用 的先决条件Amazon CloudFormation设置 Neptune

在您创建 Amazon Neptune 集群之前,使用Amazon CloudFormation模板,您需要具有:

  • Amazon EC2 key pair。

  • 使用所需的权限Amazon CloudFormation.

使用创建 Amazon EC2 密钥对以启动 Neptune 集群使用Amazon CloudFormation

为 Neptune 用Amazon CloudFormation模板时,在您创建的区域中,您必须具有 Amazon EC2Key 对(及其关联的 PEM 文件)可用。Amazon CloudFormation堆栈。

如果您需要创建 key pair,请参阅使用 Amazon EC2 创建密钥对在适用于 Linux 实例的 Amazon EC2 用户指南中,或使用 Amazon EC2 创建密钥对有关说明,请参阅《适用于 Windows 实例的 Amazon EC2 用户指南》。

添加 IAM 策略以授予使用Amazon CloudFormation模板

首先,您需要设置 IAM 用户,具有使用 Neptune 所需的权限,如中所述创建具有 Neptune 权限的 IAM 用户.

然后你需要添加Amazon托管策略AWSCloudFormationReadOnlyAccess,给那个用户。

最后,您需要创建以下客户管理策略并将其添加到该用户:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:CreateDBCluster", "rds:CreateDBInstance" ], "Resource": [ "arn:aws:rds:*:*:*" ], "Condition": { "StringEquals": { "rds:DatabaseEngine": ["graphdb","neptune"] } } }, { "Action": [ "rds:AddRoleToDBCluster", "rds:AddSourceIdentifierToSubscription", "rds:AddTagsToResource", "rds:ApplyPendingMaintenanceAction", "rds:CopyDBClusterParameterGroup", "rds:CopyDBClusterSnapshot", "rds:CopyDBParameterGroup", "rds:CreateDBClusterParameterGroup", "rds:CreateDBClusterSnapshot", "rds:CreateDBParameterGroup", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", "rds:DeleteDBCluster", "rds:DeleteDBClusterParameterGroup", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBInstance", "rds:DeleteDBParameterGroup", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSubnetGroups", "rds:DescribeEngineDefaultClusterParameters", "rds:DescribeEngineDefaultParameters", "rds:DescribeEventCategories", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeOptionGroups", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DescribeValidDBInstanceModifications", "rds:DownloadDBLogFilePortion", "rds:FailoverDBCluster", "rds:ListTagsForResource", "rds:ModifyDBCluster", "rds:ModifyDBClusterParameterGroup", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup", "rds:ModifyDBSubnetGroup", "rds:ModifyEventSubscription", "rds:PromoteReadReplicaDBCluster", "rds:RebootDBInstance", "rds:RemoveRoleFromDBCluster", "rds:RemoveSourceIdentifierFromSubscription", "rds:RemoveTagsFromResource", "rds:ResetDBClusterParameterGroup", "rds:ResetDBParameterGroup", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBClusterToPointInTime" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListRetirableGrants", "logs:DescribeLogStreams", "logs:GetLogEvents", "sns:ListSubscriptions", "sns:ListTopics", "sns:Publish" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:passedToService": "rds.amazonaws.com" } } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", "Condition": { "StringLike": { "iam:AWSServiceName": "rds.amazonaws.com" } } } ] }
注意

以下权限仅在删除堆栈时需要:iam:DeleteRoleiam:RemoveRoleFromInstanceProfileiam:DeleteRolePolicyiam:DeleteInstanceProfileec2:DeleteVpcEndpoints

另请注意,ec2:*Vpc 授予 ec2:DeleteVpc 权限。