客户托管策略示例 - Amazon Snowball Edge 开发人员指南
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 Amazon Web Services 服务入门

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

客户托管策略示例

在本节,您将查看一些示例用户策略,这些策略可授予执行不同 Amazon Snowball 任务管理操作的权限。当您使用时,可使用这些策略。Amazon开发工具包或Amazon CLI. 当您使用控制台时,您需要授予特定于控制台的其他权限,使用 Amazon Snowball 控制台所需要的权限中对此进行了讨论。

注意

所有示例都使用 us-west-2 区域和虚构的账户 ID。

示例 1:允许用户使用 API 创建Job 的角色策略

以下权限策略是用于通过任务管理 API 授予任务或集群创建权限的任何策略的必要组成部分。该声明是作为 Snowball IAM 角色的信任关系政策声明所必需的。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "AWSIE" } } } ] }

示例 2:用于创建导入任务的角色策略

您可以使用以下角色信任策略为 Snowball Edge 创建使用Amazon Lambda支持的Amazon IoT Greengrass函数。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

示例 3:用于创建导出任务的角色策略

您可以使用以下角色信任策略为 Snowball Edge 创建使用Amazon Lambda支持的Amazon IoT Greengrass函数。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

示例 4:预期角色权限和信任策略

以下预期角色权限策略是现有服务角色使用所必需的。这是一次性设置。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sns:Publish", "Resource": ["[[snsArn]]"] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/SnowFamily" } } } ] }

以下预期角色信任策略是现有服务角色使用所必需的。这是一次性设置。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Amazon SnowballAPI 权限:操作、资源和条件参考

在设置 中的访问控制Amazon Web Services 云 和编写可附加到 IAM 身份的权限策略 (基于身份的策略) 时,可使用下面的 作为参考。后续的表每个 Amazon Snowball任务管理 API 操作以及您可授予执行权限的对应操作。它还包括针对每个 API 操作的Amazon您可以授予权限的资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。

您可以在 Amazon Snowball 策略中使用 Amazon 范围的条件键来表示条件。有关 Amazon 范围内的键的完整列表,请参阅《IAM 用户指南》https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys中的可用键

注意

要指定操作,请在 API 操作名称之前使用 snowball: 前缀 (例如,snowball:CreateJob)。

使用滚动条查看表的其余部分。

Amazon Snowball 任务管理 API 及所需的操作权限
任务管理 API 操作 所需权限

CancelCluster

snowball:CancelCluster

CancelJob

snowball:CancelJob

CreateAddress

snowball:CreateAddress

CreateCluster

此操作需要以下权限:

CreateJob

DescribeAddress

snowball:DescribeAddress

DescribeAddresses

snowball:DescribeAddresses

DescribeCluster

snowball:DescribeCluster

DescribeJob

snowball:DescribeJob

GetJobManifest

snowball:GetJobManifest

GetJobUnlockCode

snowball:GetJobUnlockCode

GetSnowballUsage

snowball:GetSnowballUsage

ListClusterJobs

snowball:ListClusterJobs

ListClusters

snowball:ListClusters

ListJobs

snowball:ListJobs

UpdateCluster

snowball:UpdateCluster

UpdateJob

snowball:UpdateJob