Amazon Transcribe
Developer Guide
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Amazon Transcribe identity-based policy examples

By default, IAM users and roles don't have permission to create or modify Amazon Transcribe resources. They also can't perform tasks using the AWS Management Console, the AWS CLI, or the AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the resources they need. The administrator must then attach those policies to the IAM users or groups that require those permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see Creating Policies on the JSON Tab in the IAM User Guide.

Policy best practices

Identity-based policies are very powerful. They determine whether someone can create, access, or delete Amazon Transcribe resources in your account. These actions can incur costs for your AWS account. When you create or edit identity-based policies, follow these guidelines and recommendations:

  • Get Started Using AWS Managed Policies – To start using Amazon Transcribe quickly, use AWS managed policies to give your employees the permissions they need. These policies are already available in your account and are maintained and updated by AWS. For more information, see Get Started Using Permissions With AWS Managed Policies in the IAM User Guide.

  • Grant Least Privilege – When you create custom policies, grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later. For more information, see Grant Least Privilege in the IAM User Guide.

  • Enable MFA for Sensitive Operations – For extra security, require IAM users to use multi-factor authentication (MFA) to access sensitive resources or API operations. For more information, see Using Multi-Factor Authentication (MFA) in AWS in the IAM User Guide.

  • Use Policy Conditions for Extra Security – To the extent that it's practical, define the conditions under which your identity-based policies allow access to a resource. For example, you can write conditions to specify a range of allowable IP addresses that a request must come from. You can also write conditions to allow requests only within a specified date or time range, or to require the use of SSL or MFA. For more information, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Using the Amazon Transcribe console

To access the Amazon Transcribe console, you must have a minimum set of console permissions. These permissions must allow you to list and view details about the Amazon Transcribe resources in your AWS account. If you create an identity-based policy that is more restrictive than the minimum required permissions, the console won't function as intended for entities (IAM users or roles) with that policy.

To ensure that those entities can still use the Amazon Transcribe console, also attach the following AWS managed policy to them.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "transcribe:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

You don't need to allow the minimum console permissions for users that only make calls to the AWS CLI or the AWS API. Instead, allow access only to the actions that match the API operations you're trying to perform.

For more information, see Adding Permissions to a User in the IAM User Guide.

AWS managed (predefined) policies for Amazon Transcribe

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. These are called AWS managed policies. Managed policies make it easier to assign appropriate permissions to users, groups, and roles than if you had to write the policies yourself. For more information, see AWS Managed Policies in the IAM User Guide.

The following AWS managed policies, which you can attach to users, roles, and groups in your account, are specific to Amazon Transcribe:

  • ReadOnly – Grants read-only access to Amazon Transcribe resources so that you can get and list transcription jobs and custom vocabularies.

  • FullAccess – Grants full access to create, read, update, delete, and run all Amazon Transcribe resources. It also allows access to Amazon Simple Storage Service (Amazon S3) buckets that have transcribe in the bucket name.

Note

You can review the managed permission policies by signing in to the IAM console and searching by policy name.

You can also create your own custom IAM policies to grant permissions for Amazon Transcribe API operations. You can attach these custom policies to the IAM users, roles, or groups that require those permissions.

Permissions required for IAM user roles

When you create an IAM user to call Amazon Transcribe, the identity must have access to the S3 bucket and, if one is provided, to the AWS Key Management Service (AWS KMS) key used to encrypt the contents of that bucket.

The user must have the following IAM policy, which grants permission to decrypt with the KMS key identified by its Amazon Resource Name (ARN).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "KMS key ARN",
      "Effect": "Allow"
    }
  ]
}

The user's IAM policy must also have Amazon S3 permissions to access the S3 bucket used to store the audio files and transcriptions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "S3 bucket location"
    }
  ]
}
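
As an added check (example code written for this page, not part of the AWS documentation or of any AWS tool), the following Python parses policy documents shaped like the ones above and flags what the best-practices section warns about: wildcard actions, a Resource of "*" with no Condition, and placeholders such as KMS key ARN that were never replaced with a real ARN. The sample documents, the account ID 111122223333 and the key ID EXAMPLE-KEY-ID are constructed for the example.

```python
import json

# Constructed sample policy documents modelled on the ones in this guide. The
# KMS ARN is a placeholder (account 111122223333, key id EXAMPLE-KEY-ID).
CONSOLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["transcribe:*"], "Resource": "*", "Effect": "Allow"}]
}"""
KMS_DECRYPT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["kms:Decrypt"],
    "Resource": "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID",
    "Effect": "Allow"
  }]
}"""
# Same shape as the S3 policy above, but with a trailing comma left in the Action list.
BROKEN_S3_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject",], "Resource": "S3 bucket location"}]
}"""

def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def review_policy(text):
    """Parse a policy document and return findings for Allow statements that are
    broader than the 'grant least privilege' / 'use conditions' guidance above.
    An empty list means nothing was flagged."""
    try:
        policy = json.loads(text)  # strict: trailing commas and curly quotes fail
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"statement {i}: wildcard action(s) {wild}")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"statement {i}: Resource '*' with no Condition")
        for res in resources:  # unreplaced placeholders such as "KMS key ARN"
            if res != "*" and not res.startswith("arn:"):
                findings.append(f"statement {i}: Resource '{res}' is not an ARN")
    return findings
```

Run on the console policy above it flags the transcribe:* action and the "*" resource, which is expected because that AWS managed policy is deliberately broad; the check is meant for the custom policies you write yourself.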

Permissions required for Amazon S3 encryption keys

If you use an AWS KMS key to encrypt an Amazon S3 bucket, include the following in the AWS KMS key policy. This gives Amazon Transcribe access to the contents of the bucket.

{
  "Sid": "Allow-Transcribe",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::account id:root"
  },
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "KMS key ARN"
}

For more information about allowing access to customer master keys, see Allowing External AWS Accounts to Access a CMK in the AWS KMS Developer Guide.

Allow users to view their own permissions

This example shows how you might create a policy that allows IAM users to view the inline and managed policies that are attached to their user identity. This policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ViewOwnUserInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUser"
      ],
      "Resource": [
        "arn:aws-cn:iam::*:user/${aws:username}"
      ]
    },
    {
      "Sid": "NavigateInConsole",
      "Effect": "Allow",
      "Action": [
        "iam:GetGroupPolicy",
        "iam:GetPolicyVersion",
        "iam:GetPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:ListGroupPolicies",
        "iam:ListPolicyVersions",
        "iam:ListPolicies",
        "iam:ListUsers"
      ],
      "Resource": "*"
    }
  ]
}