

This document is a machine-translated version. If this translation differs from the English original, the English original takes precedence.

# Customer-managed policy examples
<a name="access-policy-examples-for-sdk-cli"></a>

In this section you can find example user policies that grant permissions for various Amazon Snowball Edge job management operations. These policies take effect when you use the Amazon SDKs or the Amazon CLI. When you use the console, you must grant additional console-specific permissions, which are discussed in [Permissions required to use the Amazon Snowball Edge console](access-control-managing-permissions.md#additional-console-required-permissions).

**Note**  
All examples use the us-west-2 Region and contain fictitious account IDs.

**Topics**
+ [Example 1: Role policy allowing a user to create jobs to order Snowball Edge devices through the API](#access-policy-example-create-api)
+ [Example 2: Role policy for creating an import job](#role-policy-example-import)
+ [Example 3: Role policy for creating an export job](#role-policy-example-export)
+ [Example 4: Expected role permissions and trust policy](#expected-role-permissions-and-trust-policy)
+ [Amazon Snowball Edge API permissions: actions, resources, and conditions reference](#snowball-api-permissions-ref)

## Example 1: Role policy allowing a user to create jobs to order Snowball Edge devices through the API
<a name="access-policy-example-create-api"></a>

The following permissions policy is a required component of any policy used to grant job or cluster creation permissions through the job management API. The statement is required as the trust relationship policy statement of the Snowball IAM role.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "importexport.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

## Example 2: Role policy for creating an import job
<a name="role-policy-example-import"></a>

You can use the following role trust policy to create an import job for Snowball Edge that uses Amazon Lambda functions powered by Amazon IoT Greengrass.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments", 
                "greengrass:GetGroup", 
                "greengrass:GetGroupVersion", 
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


## Example 3: Role policy for creating an export job
<a name="role-policy-example-export"></a>

You can use the following role trust policy to create an export job for Snowball Edge that uses Amazon Lambda functions powered by Amazon IoT Greengrass.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
           "Effect": "Allow",
           "Action": [
                "snowball:*"
           ],
           "Resource": [
                "*"
           ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments", 
                "greengrass:GetGroup", 
                "greengrass:GetGroupVersion", 
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```


## Example 4: Expected role permissions and trust policy
<a name="expected-role-permissions-and-trust-policy"></a>

The following expected role permissions policy is required in order to use an existing service role. This is a one-time setup.

```
{
    "Version": "2012-10-17",
    "Statement":
    [
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": ["[[snsArn]]"]
        },
        {
            "Effect": "Allow",
            "Action":
            [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
                "cloudwatch:PutMetricData"
            ],
            "Resource":
            [
                "*"
            ],
            "Condition": {
                    "StringEquals": {
                        "cloudwatch:namespace": "AWS/SnowFamily"
                    }
            }
        }
    ]
}
```


The following expected role trust policy is required in order to use an existing service role. This is a one-time setup.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "importexport.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```


## Amazon Snowball Edge API permissions: actions, resources, and conditions reference
<a name="snowball-api-permissions-ref"></a>

When you set up [Access control in the Amazon Web Services Cloud](access-control.md) and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each Amazon Snowball Edge job management API operation and the corresponding action for which you can grant permission to perform that operation. It also covers the Amazon resources for which you can grant permissions for each API operation. You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field.

You can use Amazon-wide condition keys in your Amazon Snowball Edge policies to express conditions. For a complete list of Amazon-wide keys, see [Available keys](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

**Note**  
To specify an action, use the `snowball:` prefix followed by the API operation name (for example, `snowball:CreateJob`).



**Permissions required for Amazon Snowball Edge Job Management API actions**  

| Job management API operation | Required permission | 
| --- | --- | 
| [CancelCluster](https://docs.amazonaws.cn/snowball/latest/api-reference/API_CancelCluster.html) | `snowball:CancelCluster` | 
| [CancelJob](https://docs.amazonaws.cn/snowball/latest/api-reference/API_CancelJob.html) | `snowball:CancelJob` | 
| [CreateAddress](https://docs.amazonaws.cn/snowball/latest/api-reference/API_CreateAddress.html) | `snowball:CreateAddress` | 
| [CreateCluster](https://docs.amazonaws.cn/snowball/latest/api-reference/API_CreateCluster.html) | This operation requires the following permissions: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/snowball/latest/developer-guide/access-policy-examples-for-sdk-cli.html) | 
| [CreateJob](https://docs.amazonaws.cn/snowball/latest/api-reference/API_CreateJob.html) | [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/snowball/latest/developer-guide/access-policy-examples-for-sdk-cli.html) | 
| [DescribeAddress](https://docs.amazonaws.cn/snowball/latest/api-reference/API_DescribeAddress.html) | `snowball:DescribeAddress` | 
| [DescribeAddresses](https://docs.amazonaws.cn/snowball/latest/api-reference/API_DescribeAddresses.html) | `snowball:DescribeAddresses` | 
| [DescribeCluster](https://docs.amazonaws.cn/snowball/latest/api-reference/API_DescribeCluster.html) | `snowball:DescribeCluster` | 
| [DescribeJob](https://docs.amazonaws.cn/snowball/latest/api-reference/API_DescribeJob.html) | `snowball:DescribeJob` | 
| [GetJobManifest](https://docs.amazonaws.cn/snowball/latest/api-reference/API_GetJobManifest.html) | `snowball:GetJobManifest` | 
| [GetJobUnlockCode](https://docs.amazonaws.cn/snowball/latest/api-reference/API_GetJobUnlockCode.html) | `snowball:GetJobUnlockCode` | 
| [GetSnowballUsage](https://docs.amazonaws.cn/snowball/latest/api-reference/API_GetSnowballUsage.html) | `snowball:GetSnowballUsage` | 
| [ListClusterJobs](https://docs.amazonaws.cn/snowball/latest/api-reference/API_ListClusterJobs.html) | `snowball:ListClusterJobs` | 
| [ListClusters](https://docs.amazonaws.cn/snowball/latest/api-reference/API_ListClusters.html) | `snowball:ListClusters` | 
| [ListJobs](https://docs.amazonaws.cn/snowball/latest/api-reference/API_ListJobs.html) | `snowball:ListJobs` | 
| [UpdateCluster](https://docs.amazonaws.cn/snowball/latest/api-reference/API_UpdateCluster.html) | `snowball:UpdateCluster` | 
| [UpdateJob](https://docs.amazonaws.cn/snowball/latest/api-reference/API_UpdateJob.html) | `snowball:UpdateJob` | 
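The following is an added example (not part of this page or of the Snowball service) that turns the permissions table and the policy examples above into a review check: it evaluates an identity policy the way IAM does for a single action and resource (explicit Deny wins over Allow, wildcards expand), reports which table permissions a policy is missing for the operations an operator needs, flags broad grants such as `snowball:*` on `*` as seen in Examples 2 and 3, and lists which service principals a trust policy such as Example 1 lets assume the role. `OPERATOR_POLICY` is a constructed sample policy, and `_matches`, `is_allowed`, `missing_permissions`, `wildcard_grants` and `trusted_services` are helper names chosen here; the evaluator ignores `Condition` blocks, so a conditioned grant such as the CloudWatch namespace restriction in Example 4 is treated as unconditional.

```python
import fnmatch

# Job-management operations and the permission each needs, from the table on this page.
SNOWBALL_PERMISSIONS = {
    "CancelCluster": "snowball:CancelCluster", "CancelJob": "snowball:CancelJob",
    "CreateAddress": "snowball:CreateAddress", "DescribeAddress": "snowball:DescribeAddress",
    "DescribeAddresses": "snowball:DescribeAddresses", "DescribeCluster": "snowball:DescribeCluster",
    "DescribeJob": "snowball:DescribeJob", "GetJobManifest": "snowball:GetJobManifest",
    "GetJobUnlockCode": "snowball:GetJobUnlockCode", "GetSnowballUsage": "snowball:GetSnowballUsage",
    "ListClusterJobs": "snowball:ListClusterJobs", "ListClusters": "snowball:ListClusters",
    "ListJobs": "snowball:ListJobs", "UpdateCluster": "snowball:UpdateCluster", "UpdateJob": "snowball:UpdateJob",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]
def _matches(patterns, target):
    # IAM expands "*" and "?" in Action and Resource; action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(target.lower(), p.lower()) for p in _as_list(patterns))
def is_allowed(policy, action, resource="*"):
    """Evaluate one action on one resource: an explicit Deny wins, otherwise any matching Allow grants it."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
def missing_permissions(policy, operations):
    """Permissions from the table that the policy does not grant for the listed API operations."""
    return [SNOWBALL_PERMISSIONS[op] for op in operations if not is_allowed(policy, SNOWBALL_PERMISSIONS[op])]
def wildcard_grants(policy):
    """Allow statements that pair a wildcard action (such as "snowball:*") with Resource "*"."""
    return [a for s in policy["Statement"] if s["Effect"] == "Allow" and "*" in _as_list(s.get("Resource", []))
            for a in _as_list(s.get("Action", [])) if "*" in a]
def trusted_services(trust_policy):
    """Service principals (Principal given as a map) that a trust policy allows to call sts:AssumeRole."""
    return sorted({svc for s in trust_policy["Statement"] if s["Effect"] == "Allow"
                   and _matches(s.get("Action", []), "sts:AssumeRole")
                   for svc in _as_list(s.get("Principal", {}).get("Service", []))})

# Constructed sample (not from the page): an operator policy narrowed to ordering and tracking jobs,
# with an explicit Deny that overrides the Allow for the unlock code.
OPERATOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["snowball:CreateJob", "snowball:DescribeJob", "snowball:ListJobs",
     "snowball:GetJobManifest", "snowball:GetJobUnlockCode"], "Resource": "*"},
    {"Effect": "Deny", "Action": "snowball:GetJobUnlockCode", "Resource": "*"}]}
# The trust policy from Example 1 on this page.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "importexport.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
```

Running `missing_permissions(OPERATOR_POLICY, ["DescribeJob", "CancelJob", "GetJobUnlockCode"])` reports `snowball:CancelJob` (never granted) and `snowball:GetJobUnlockCode` (granted, then explicitly denied), while `trusted_services(TRUST_POLICY)` confirms only `importexport.amazonaws.com` can assume the role.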