用于 Amazon Chime SDK 消息传递的 IAM 角色示例
要让用户访问 Amazon Chime SDK 消息传递功能,您必须定义一个 IAM 角色和策略,以便在用户登录时向他们提供凭证。IAM 策略定义了用户可以访问的资源。
本节中的示例提供了您可以根据需要进行调整的基本策略。有关策略工作原理的更多信息,请参阅 如何从后端服务发出 SDK 调用以便进行 Amazon Chime SDK 消息传递。
此示例介绍了针对使用 Amazon Chime SDK 消息构建应用程序的开发人员的策略。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "chime:CreateAppInstance", "chime:DescribeAppInstance", "chime:ListAppInstances", "chime:UpdateAppInstance", "chime:DeleteAppInstance", "chime:CreateAppInstanceUser", "chime:DeleteAppInstanceUser", "chime:ListAppInstanceUsers", "chime:UpdateAppInstanceUser", "chime:DescribeAppInstanceUser", "chime:CreateAppInstanceAdmin", "chime:DescribeAppInstanceAdmin", "chime:ListAppInstanceAdmins", "chime:DeleteAppInstanceAdmin", "chime:PutAppInstanceRetentionSettings", "chime:GetAppInstanceRetentionSettings", "chime:PutAppInstanceStreamingConfigurations", "chime:GetAppInstanceStreamingConfigurations", "chime:DeleteAppInstanceStreamingConfigurations", "chime:TagResource", "chime:UntagResource", "chime:ListTagsForResource" "chime:CreateChannelFlow", "chime:UpdateChannelFlow", "chime:DescribeChannelFlow", "chime:DeleteChannelFlow", "chime:ListChannelFlows", "chime:ListChannelsAssociatedWithChannelFlow", "chime:ChannelFlowCallback", ], "Effect": "Allow", "Resource": "*" } ] }
此示例介绍了一项允许用户访问 Amazon Chime SDK 用户操作的策略。
{ "Version": "2012-10-17", "Statement": [ { "Action": "chime:GetMessagingSessionEndpoint", "Effect": "Allow", "Resource": "*" }, { "Action": [ "chime:CreateChannel", "chime:DescribeChannel", "chime:DeleteChannel", "chime:UpdateChannel", "chime:ListChannels", "chime:Listsubchannels", "chime:ListChannelMembershipsForAppInstanceUser", "chime:DescribeChannelMembershipForAppInstanceUser", "chime:ListChannelsModeratedByAppInstanceUser", "chime:DescribeChannelModeratedByAppInstanceUser", "chime:UpdateChannelReadMarker", "chime:CreateChannelModerator", "chime:DescribeChannelModerator", "chime:ListChannelModerators", "chime:DeleteChannelModerator", "chime:SendChannelMessage", "chime:GetChannelMessage", "chime:DeleteChannelMessage", "chime:UpdateChannelMessage", "chime:RedactChannelMessage", "chime:ListChannelMessages", "chime:CreateChannelMembership", "chime:DescribeChannelMembership", "chime:DeleteChannelMembership", "chime:ListChannelMemberships", "chime:CreateChannelBan", "chime:DeleteChannelBan", "chime:ListChannelBans", "chime:DescribeChannelBan", "chime:Connect" "chime:AssociateChannelFlow", "chime:DisassociateChannelFlow", "chime:GetChannelMessageStatus" ], "Effect": "Allow", "Resource": [ "arn:aws:chime:
region
:{aws_account_id
}:app-instance/{app_instance_id
}/user/{app_instance_user_id
}", "arn:aws:chime:region
:{aws_account_id
}:app-instance/{app_instance_id
}/channel/*" ] } ] }
此示例介绍了一项策略,该策略允许用户尽量减少对 Amazon Chime SDK 用户操作的访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Action": "chime:GetMessagingSessionEndpoint", "Effect": "Allow", "Resource": "*" }, { "Action": [ "chime:ListChannels", "chime:DescribeChannel", "chime:ListChannelMembershipsForAppInstanceUser", "chime:DescribeChannelMembershipForAppInstanceUser", "chime:ListChannelsModeratedByAppInstanceUser", "chime:DescribeChannelModeratedByAppInstanceUser", "chime:SendChannelMessage", "chime:GetChannelMessage", "chime:ListChannelMessages", "chime:Connect" ], "Effect": "Allow", "Resource": [ "arn:aws:chime:
region
:{aws_account_id
}:app-instance/{app_instance_id
}/user/{app_instance_user_id
}", "arn:aws:chime:region
:{aws_account_id
}:app-instance/{app_instance_id
}/channel/*" ] } ] }
此示例介绍了建立 AppInstanceUser
WebSocket 连接的策略。有关 WebSocket 连接的更多信息,请参阅 在 Amazon Chime SDK 消息传递中使用 WebSocket 接收消息。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "chime:Connect" ], "Resource": [ "arn:aws:chime:
region
:{aws_account_id
}:app-instance/{app_instance_id
}/user/{app_instance_user_id
}" ] } ] }