客户托管策略示例 - Amazon Snowball Edge 开发者指南
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

客户托管策略示例

在本节,您将查看一些示例用户策略,这些策略可授予执行不同 Amazon Snowball 作业管理操作的权限。当您使用 Amazon 开发工具包或 Amazon CLI 时,可以使用这些策略。当您使用控制台时,您需要授予特定于控制台的其他权限,使用 Amazon Snowball 控制台所需要的权限 中对此进行了讨论。

注意

所有示例都使用 us-west-2 区域和虚构的账户 ID。

示例 1:允许用户创建 Job 以通过 API 订购 Snow Family 设备的角色策略

以下权限策略是用于通过作业管理 API 授予作业或集群创建权限的任何策略的必要组成部分。该语句需要作为 Snowball IAM 角色的信任关系策略语句。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

示例 2:用于创建导入作业的角色策略

您可以使用以下角色信任策略为 Snowball Edge 创建使用由 Amazon IoT Greengrass 函数支持的 Amazon Lambda 的导入作业。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:HeadBucket", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl", "s3:GetObject" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

示例 3:用于创建导出作业的角色策略

您可以使用以下角色信任策略为 Snowball Edge 创建使用由 Amazon IoT Greengrass 函数支持的 Amazon Lambda 的导出作业。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }

示例 4:预期角色权限和信任策略

以下预期角色权限策略是使用现有服务角色所必需的。这是一次性设置。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sns:Publish", "Resource": ["[[snsArn]]"] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/SnowFamily" } } } ] }

以下预期角色信任策略是使用现有服务角色所必需的。这是一次性设置。

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Amazon Snowball API 权限:操作、资源和条件参考

在设置 Amazon Web Services 云中的访问控制 和编写可附加到 IAM 身份的权限策略 (基于身份的策略) 时,可使用下面的作为参考。后续的表每个 Amazon Snowball作业管理 API 操作以及您可授予执行权限的对应操作。它还包括针对每个 API 操作您可以授予权限的 Amazon 资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。

您可以在 Amazon Snowball 策略中使用 Amazon 范围的条件键来表示条件。有关 Amazon 范围内的键的完整列表,请参阅《IAM 用户指南》中的可用键

注意

要指定操作,请在 API 操作名称之前使用 snowball: 前缀(例如,snowball:CreateJob)。

使用滚动条查看表的其余部分。