Set up the IAM permissions required to access data sources (for administrators)
Administrators should ensure that the execution role used by the JupyterLab application has the Amazon IAM permissions required to access data through the configured Amazon Glue connections.
- Amazon Glue connections created by administrators with the Amazon CLI: To see connections created by administrators and access their data, users need their administrator to attach specific permissions to the SageMaker AI execution role used by their JupyterLab application in Studio. This includes access to Amazon Glue, Secrets Manager, and database-specific permissions. Administrator-created connections are visible to every application that shares an execution role granted permission to view the relevant Amazon Glue catalog or database. For the list of permissions required for each data source, see Administrator-defined connection permissions under IAM permissions required for administrator-defined connections.
- Connections created by users through the SQL extension UI in JupyterLab: Connections created by user profiles that share the same execution role are also listed, unless the visibility of connections is scoped to the connections a user created. User-created connections are tagged with the user profile that created them. To grant the permission to view, update, or delete these user-created connections only to the user who created them, administrators can add tag-based access control restrictions to the execution role's IAM permissions. For the additional tag-based access controls required, see IAM permissions required for user-defined connections.
IAM permissions required for administrator-defined connections
To grant the SageMaker AI execution role used by the JupyterLab application in Studio permission to access data sources through Amazon Glue connections, attach the following inline policies to that role.
To view the specific permissions and policy details for each data source or authentication method, select the relevant connection type below.
We strongly recommend limiting each policy to only the actions and resources that are actually required.
To narrow the policy and grant least-privilege access, replace the wildcard in "Resource": ["*"] with the specific ARNs of the exact resources that need to be accessed. For more information about controlling access to resources, see Fine-tune access to Amazon resources with fine-grained ARN permissions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3AndDataSourcesMetadata",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetSchema",
        "glue:GetTables",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:ListSchemas",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:glue:us-east-1:111122223333:catalog",
        "arn:aws:glue:us-east-1:111122223333:connection/*"
      ]
    },
    {
      "Sid": "ExecuteQueries",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:RunQuery",
        "athena:StartSession",
        "athena:GetQueryResults",
        "athena:ListWorkGroups",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "athena:GetDataCatalog",
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "athena:GetWorkGroup"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:athena:us-east-1:111122223333:workgroup/workgroup-name"
      ]
    },
    {
      "Sid": "GetGlueConnections",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:111122223333:catalog",
        "arn:aws:glue:us-east-1:111122223333:connection/*"
      ]
    },
    {
      "Sid": "GetSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"
      ]
    },
    {
      "Sid": "GetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:111122223333:cluster:cluster-name"
      ]
    }
  ]
}
```
For more information, see the IAM permission policy examples in the Athena documentation.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3AndDataSourcesMetadata",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetSchema",
        "glue:GetTables",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:ListSchemas",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:glue:us-east-2:111122223333:catalog",
        "arn:aws:glue:us-east-2:111122223333:connection/*"
      ]
    },
    {
      "Sid": "ExecuteAthenaQueries",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:RunQuery",
        "athena:StartSession",
        "athena:GetQueryResults",
        "athena:ListWorkGroups",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "athena:GetDataCatalog",
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "athena:GetWorkGroup"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:athena:us-east-2:111122223333:workgroup/workgroup-name"
      ]
    },
    {
      "Sid": "GetGlueConnections",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-2:111122223333:catalog",
        "arn:aws:glue:us-east-2:111122223333:connection/*"
      ]
    },
    {
      "Sid": "GetSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
      ]
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Sid": "GetGlueConnections",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-2:111122223333:catalog",
        "arn:aws:glue:us-east-2:111122223333:connection/*"
      ]
    },
    {
      "Sid": "GetSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
      ]
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Sid": "GetGlueConnections",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:111122223333:catalog",
        "arn:aws:glue:us-east-1:111122223333:connection/*",
        "arn:aws:glue:us-east-1:111122223333:connection/connection-name"
      ]
    },
    {
      "Sid": "GetSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name",
        "arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name-with-suffix"
      ]
    },
    {
      "Sid": "GetClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:111122223333:cluster:cluster-name",
        "arn:aws:redshift:us-east-1:111122223333:dbuser:cluster-name/db-user-name"
      ]
    }
  ]
}
```
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Sid": "GetGlueConnections",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:glue:us-east-2:111122223333:catalog",
        "arn:aws:glue:us-east-2:111122223333:connection/*"
      ]
    },
    {
      "Sid": "GetSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-2:111122223333:secret:secret-name"
      ]
    },
    {
      "Sid": "GetRedshiftServerlessCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift-serverless:GetCredentials"
      ],
      "Resource": [
        "arn:aws:redshift-serverless:us-east-2:111122223333:namespace/namespace-id"
      ]
    }
  ]
}
```
IAM permissions required for user-defined connections
A user's IAM policy permissions can take into account whether a UserProfile tag is present on the Amazon Glue connection resource.
To do this, administrators must grant the execution role used by the user profile's JupyterLab application additional permissions beyond the existing administrator-defined connection permissions. Specifically, in addition to the permissions required to access administrator-defined Amazon Glue connections, the user's execution role must be granted the following two additional IAM policy statements:
This statement restricts access to Amazon Glue connections based on a specific user profile tag value. Replace the UserProfile tag value with the profile name of the user you want to target.
```json
{
  "Effect": "Allow",
  "Action": [
    "glue:GetConnection",
    "glue:GetConnections"
  ],
  "Resource": [
    "arn:aws:glue:region:account_id:connection/*"
  ],
  "Condition": {
    "StringEqualsIfExists": {
      "aws:ResourceTag/UserProfile": "user_profile_name"
    }
  }
}
```
This statement allows creating, updating, and deleting user-created connections only for connections that were created by the user profile carrying the specified UserProfile tag value.
```json
{
  "Effect": "Allow",
  "Action": [
    "glue:DeleteConnection",
    "glue:UpdateConnection",
    "glue:CreateConnection",
    "glue:TagResource"
  ],
  "Resource": [
    "arn:aws:glue:region:account_id:connection/*"
  ],
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/UserProfile": "user_profile_name"
    }
  }
}
```
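As an added illustration (not part of the documentation), the following Python models how IAM evaluates the two statements above in isolation: the read statement's StringEqualsIfExists lets untagged administrator-created connections through while restricting tagged ones to their owner, and the write statement's StringEquals denies anything not tagged with the caller's profile. The connection names and tags are constructed sample data, and the evaluator covers only these two condition operators, not full IAM policy evaluation (the administrator-defined statements, which also grant glue:GetConnection, are not modelled).

```python
READ_ACTIONS = {"glue:GetConnection", "glue:GetConnections"}
WRITE_ACTIONS = {"glue:CreateConnection", "glue:UpdateConnection",
                 "glue:DeleteConnection", "glue:TagResource"}

def string_equals(tag_value, expected):
    """StringEquals: the tag must be present and match; a missing tag fails."""
    return tag_value is not None and tag_value == expected

def string_equals_if_exists(tag_value, expected):
    """StringEqualsIfExists: a missing tag passes; a present tag must match."""
    return tag_value is None or tag_value == expected

def is_allowed(action, connection_tags, user_profile):
    """Evaluate only the two user-defined-connection statements: reads use
    StringEqualsIfExists on aws:ResourceTag/UserProfile, writes use StringEquals."""
    tag = connection_tags.get("UserProfile")
    if action in READ_ACTIONS:
        return string_equals_if_exists(tag, user_profile)
    if action in WRITE_ACTIONS:
        return string_equals(tag, user_profile)
    return False  # neither statement covers the action

# Constructed sample connections: one administrator-created connection with no
# UserProfile tag, and two created through the SQL extension, which tags them.
CONNECTIONS = {
    "admin-redshift": {},
    "alice-athena": {"UserProfile": "alice"},
    "bob-redshift": {"UserProfile": "bob"},
}

def visible_connections(user_profile):
    """Connections the user can read: untagged ones plus their own."""
    return sorted(name for name, tags in CONNECTIONS.items()
                  if is_allowed("glue:GetConnection", tags, user_profile))

def deletable_connections(user_profile):
    """Connections the user can delete: only their own tagged ones."""
    return sorted(name for name, tags in CONNECTIONS.items()
                  if is_allowed("glue:DeleteConnection", tags, user_profile))

if __name__ == "__main__":
    print("alice reads:", visible_connections("alice"))
    print("alice deletes:", deletable_connections("alice"))
```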
Fine-tune access to Amazon resources with fine-grained ARN permissions
For more granular control over access to Amazon resources, replace the wildcard resource in "Resource": ["*"] with the specific Amazon Resource Names (ARNs) of only the resources that need to be accessed. Using exact ARNs rather than wildcards limits access to the intended resources.
- Use specific Amazon S3 bucket ARNs. For example, "arn:aws:s3:::bucket-name" for bucket-level operations such as s3:ListBucket, or "arn:aws:s3:::bucket-name/*" for object-level operations such as s3:GetObject. For information about all resource types in Amazon S3, see Resource types defined by Amazon S3.
- Use specific Amazon Glue database ARNs. For example, "arn:aws:glue:region:account-id:catalog" or "arn:aws:glue:region:account-id:database/db-name". For information about all resource types in Amazon Glue, see Resource types defined by Amazon Glue.
- Use specific Athena workgroup ARNs. For example, "arn:aws:athena:region:account-id:workgroup/workgroup-name". For information about all resource types in Athena, see Resource types defined by Athena.
- Use specific Secrets Manager secret ARNs. For example, "arn:aws:secretsmanager:region:account-id:secret:secret-name". For information about all resource types in Secrets Manager, see Resource types defined by Amazon Secrets Manager.
- Use specific Amazon Redshift cluster ARNs. For example, "arn:aws:redshift:region:account-id:cluster:cluster-name". For information about resource types in Amazon Redshift, see Resource types defined by Amazon Redshift. For information about all resource types in Redshift Serverless, see Resource types defined by Redshift Serverless.
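The scoping advice in this section and in the introduction to the administrator-defined policies can be checked mechanically. The following Python (an added example, not code from the SageMaker documentation) rewrites "Resource": ["*"] entries into the ARN forms listed above and then lints the result for two common mistakes: a bare wildcard left in place, and bucket-level S3 actions granted only on an object ARN. The region, account id and resource names are constructed sample values, and the one-resource-kind-per-service mapping is this example's own simplification.

```python
import copy
# ARN forms from the list above, with constructed sample values filled in.
ARN_FOR_SERVICE = {
    "s3": ["arn:aws:s3:::amzn-s3-demo-bucket",       # bucket-level actions
           "arn:aws:s3:::amzn-s3-demo-bucket/*"],    # object-level actions
    "glue": ["arn:aws:glue:us-east-1:111122223333:catalog",
             "arn:aws:glue:us-east-1:111122223333:database/db-name"],
    "athena": ["arn:aws:athena:us-east-1:111122223333:workgroup/workgroup-name"],
    "secretsmanager": ["arn:aws:secretsmanager:us-east-1:111122223333:secret:secret-name"],
    "redshift": ["arn:aws:redshift:us-east-1:111122223333:cluster:cluster-name"],
}
def _as_list(value):
    return value if isinstance(value, list) else [value]

def scope_wildcards(policy):
    """Return a copy in which every "Resource": ["*"] is replaced by the ARNs
    of the services named in that statement's actions (one kind per service)."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        if _as_list(stmt["Resource"]) == ["*"]:
            arns = []
            for action in _as_list(stmt["Action"]):
                for arn in ARN_FOR_SERVICE.get(action.split(":")[0], []):
                    if arn not in arns:
                        arns.append(arn)
            stmt["Resource"] = arns
    return scoped

def lint(policy):
    """Flag bare wildcards, and bucket-level S3 actions (s3:ListBucket,
    s3:GetBucketLocation) granted only on object ARNs: those actions match the
    bucket ARN, not bucket/*, so such a grant silently does nothing."""
    findings = []
    for stmt in policy["Statement"]:
        sid, res = stmt.get("Sid", "?"), _as_list(stmt["Resource"])
        if "*" in res:
            findings.append(f"{sid}: Resource is a bare wildcard")
        bucket_actions = {"s3:ListBucket", "s3:GetBucketLocation"} & set(_as_list(stmt["Action"]))
        if bucket_actions and not any(r.startswith("arn:aws:s3:::") and "/" not in r for r in res):
            findings.append(f"{sid}: bucket-level S3 actions need the bucket ARN")
    return findings

# Constructed sample: the GetS3Metadata statement above, but still on "*".
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "GetS3Metadata", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
     "Resource": ["*"]}]}
if __name__ == "__main__":
    print(lint(SAMPLE), lint(scope_wildcards(SAMPLE)))  # two findings, then []
```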