AWS Data Pipeline policy examples - AWS Data Pipeline

This is a machine-translated version. If there is any discrepancy between this translation and the original English text, the English text prevails.

AWS Data Pipeline policy examples

The following examples show how to grant users full or restricted access to pipelines.

Example 1: Grant users read-only access based on a tag

The following policy allows users to use the read-only AWS Data Pipeline API actions, but only on pipelines that carry the tag "environment = production".

The ListPipelines API action does not support tag-based authorization.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "datapipeline:Describe*",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ValidatePipelineDefinition",
                "datapipeline:QueryObjects"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "datapipeline:Tag/environment": "production"
                }
            }
        }
    ]
}

Example 2: Grant users full access based on a tag

The following policy allows users to use all AWS Data Pipeline API actions (with the exception of ListPipelines), but only on pipelines that carry the tag "environment = test".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "datapipeline:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "datapipeline:Tag/environment": "test"
                }
            }
        }
    ]
}

Example 3: Grant the pipeline owner full access

The following policy allows users to use all AWS Data Pipeline API actions, but only on their own pipelines.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "datapipeline:*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "datapipeline:PipelineCreator": "${aws:userid}"
                }
            }
        }
    ]
}

Example 4: Grant users access to the AWS Data Pipeline console

The following policy allows users to create and manage pipelines using the AWS Data Pipeline console.

This policy includes actions for PassRole permissions on the specific resources tied to the roleARN that AWS Data Pipeline needs. For more information about the identity-based (IAM) PassRole permission, see the blog post Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:*",
                "datapipeline:*",
                "dynamodb:DescribeTable",
                "elasticmapreduce:AddJobFlowSteps",
                "elasticmapreduce:ListInstance*",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRoles",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSecurityGroups",
                "redshift:DescribeClusters",
                "redshift:DescribeClusterSecurityGroups",
                "s3:List*",
                "sns:ListTopics"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/DataPipelineDefaultResourceRole",
                "arn:aws:iam::*:role/DataPipelineDefaultRole"
            ]
        }
    ]
}