

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

# Prerequisites for setting up Amazon Neptune using Amazon CloudFormation
<a name="get-started-prereqs"></a>

Before you create an Amazon Neptune cluster using an Amazon CloudFormation template, you need the following:
+ An Amazon EC2 key pair.
+ The permissions required to use Amazon CloudFormation.

## Creating an Amazon EC2 key pair for launching a Neptune cluster using Amazon CloudFormation
<a name="cfn-ec2-key-pair"></a>

To launch a Neptune DB cluster using an Amazon CloudFormation template, you must provide an Amazon EC2 key pair (and its associated PEM file) in the Region where you create the stack.

If you need to create a key pair, see [Create a key pair using Amazon EC2](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the Amazon EC2 User Guide for Linux Instances, or [Create a key pair using Amazon EC2](https://docs.amazonaws.cn/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair) in the Amazon EC2 User Guide for Windows Instances, for instructions.

## Adding an IAM policy to grant the permissions needed to use Amazon CloudFormation templates
<a name="cfn-iam-perms"></a>

First, you need to set up an IAM user that has the permissions required to use Neptune, as described in [Create an IAM user with Neptune permissions](manage-console-iam-user.md).

Next, you need to add the `AWSCloudFormationReadOnlyAccess` Amazon managed policy to that user.

Finally, you need to create the following customer managed policy and add it to that user:


```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::111122223333:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:passedToService": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:ListTopics",
                "sns:ListSubscriptions",
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:*:111122223333:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:ListRetirableGrants",
                "kms:ListKeys",
                "kms:ListAliases",
                "kms:ListKeyPolicies"
            ],
            "Resource": "arn:aws:kms:*:111122223333:key/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "arn:aws:cloudwatch:*:111122223333:service/*-*",
            "Condition": {
                "StringLike": {
                    "cloudwatch:namespace": "AWS/Neptune"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute"
            ],
            "Resource": [
                "arn:aws:ec2:*:111122223333:vpc/*",
                "arn:aws:ec2:*:111122223333:subnet/*",
                "arn:aws:ec2:*:111122223333:security-group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:CreateDBCluster",
                "rds:CreateDBInstance",
                "rds:AddTagsToResource",
                "rds:ListTagsForResource",
                "rds:RemoveTagsFromResource",
                "rds:RemoveRoleFromDBCluster",
                "rds:ResetDBParameterGroup",
                "rds:CreateDBSubnetGroup",
                "rds:ModifyDBParameterGroup",
                "rds:DownloadDBLogFilePortion",
                "rds:CopyDBParameterGroup",
                "rds:AddRoleToDBCluster",
                "rds:ModifyDBInstance",
                "rds:ModifyDBClusterParameterGroup",
                "rds:ModifyDBClusterSnapshotAttribute",
                "rds:DeleteDBInstance",
                "rds:CopyDBClusterParameterGroup",
                "rds:CreateDBParameterGroup",
                "rds:DescribeDBSecurityGroups",
                "rds:DeleteDBSubnetGroup",
                "rds:DescribeValidDBInstanceModifications",
                "rds:ModifyDBCluster",
                "rds:CreateDBClusterSnapshot",
                "rds:DeleteDBParameterGroup",
                "rds:CreateDBClusterParameterGroup",
                "rds:RemoveTagsFromResource",
                "rds:PromoteReadReplicaDBCluster",
                "rds:RestoreDBClusterFromSnapshot",
                "rds:DescribeDBSubnetGroups",
                "rds:DescribePendingMaintenanceActions",
                "rds:DescribeDBParameterGroups",
                "rds:FailoverDBCluster",
                "rds:DescribeDBInstances",
                "rds:DescribeDBParameters",
                "rds:DeleteDBCluster",
                "rds:ResetDBClusterParameterGroup",
                "rds:RestoreDBClusterToPointInTime",
                "rds:DescribeDBClusterSnapshotAttributes",
                "rds:AddTagsToResource",
                "rds:DescribeDBClusterParameters",
                "rds:CopyDBClusterSnapshot",
                "rds:DescribeDBLogFiles",
                "rds:DeleteDBClusterSnapshot",
                "rds:ListTagsForResource",
                "rds:RebootDBInstance",
                "rds:DescribeDBClusterSnapshots",
                "rds:DeleteDBClusterParameterGroup",
                "rds:ApplyPendingMaintenanceAction",
                "rds:DescribeDBClusters",
                "rds:DescribeDBClusterParameterGroups",
                "rds:ModifyDBSubnetGroup"
            ],
            "Resource": [
                "arn:aws:rds:*:111122223333:cluster-snapshot:*",
                "arn:aws:rds:*:111122223333:cluster:*",
                "arn:aws:rds:*:111122223333:pg:*",
                "arn:aws:rds:*:111122223333:cluster-pg:*",
                "arn:aws:rds:*:111122223333:secgrp:*",
                "arn:aws:rds:*:111122223333:db:*",
                "arn:aws:rds:*:111122223333:subgrp:*"
            ],
            "Condition": {
                "StringEquals": {
                    "rds:DatabaseEngine": [
                        "graphdb",
                        "neptune"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:GetLogEvents",
                "logs:DescribeLogStreams"
            ],
            "Resource": [
                "arn:aws:logs:*:111122223333:log-group:*:log-stream:*",
                "arn:aws:logs:*:111122223333:log-group:*"
            ]
        }
    ]
}
```


**Note**  
The following permissions are required only when deleting the stack: `iam:DeleteRole`, `iam:RemoveRoleFromInstanceProfile`, `iam:DeleteRolePolicy`, `iam:DeleteInstanceProfile`, and `ec2:DeleteVpcEndpoints`.  
Also note that `ec2:*Vpc` grants the `ec2:DeleteVpc` permission.
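As an added example (not part of the Neptune documentation or any AWS tool), the following Python script lints a customer managed policy of the kind shown above before it is attached to the user: it flags `iam:PassRole` statements that lack the `iam:PassedToService` condition, resources that are not scoped to the expected account, and wildcard actions that also cover destructive operations, such as `ec2:*Vpc` matching `ec2:DeleteVpc` as the note warns. The embedded policy and the `DESTRUCTIVE` list are constructed, abbreviated fragments for demonstration.

```python
import fnmatch
import json

# Constructed, abbreviated policy fragment (not the full policy from the page).
# Statement 1 omits the PassedToService condition and targets another account;
# statement 2 uses the ec2:*Vpc wildcard that the note warns about.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/*",
         "Condition": {"StringEquals": {"iam:PassedToService": "rds.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::999999999999:role/*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeVpcs", "ec2:*Vpc"],
         "Resource": "*"},
    ],
})

# Illustrative list of actions a reviewer treats as destructive; any wildcard
# action that expands to one of them is reported.
DESTRUCTIVE = ["ec2:DeleteVpc", "ec2:DeleteVpcEndpoints", "iam:DeleteRole", "rds:DeleteDBCluster"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_policy(policy_json, account_id):
    """Return (statement_index, finding) tuples for the Allow statements of a policy."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        cond = json.dumps(stmt.get("Condition", {})).lower()  # condition keys are case-insensitive
        # PassRole without PassedToService lets the user hand any matching role to any service.
        if "iam:PassRole" in actions and "iam:passedtoservice" not in cond:
            findings.append((i, "iam:PassRole without iam:PassedToService condition"))
        # Every ARN should name this account (field 4), not "*" or a leftover placeholder.
        for r in _as_list(stmt.get("Resource", [])):
            parts = r.split(":")
            if r == "*" or (len(parts) > 4 and parts[4] not in ("", account_id)):
                findings.append((i, f"resource not scoped to account {account_id}: {r}"))
        # Expand action globs the way IAM does: case-insensitive wildcard matching.
        for a in actions:
            if "*" in a or "?" in a:
                hits = [d for d in DESTRUCTIVE if fnmatch.fnmatchcase(d.lower(), a.lower())]
                if hits:
                    findings.append((i, f"wildcard {a} also grants {', '.join(hits)}"))
    return findings

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE_POLICY, "111122223333"):
        print(f"statement {idx}: {msg}")
```

Run it against your own policy JSON and account ID before attaching the policy; statement 0 above passes cleanly, which is the shape the page's policy uses for `iam:PassRole`.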