本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用设置亚马逊 Neptune 的先决条件 AWS CloudFormation
在使用 AWS CloudFormation 模板创建 Amazon Neptune 集群之前,您需要具备以下条件:
亚马逊EC2密钥对。
使用所需的权限 AWS CloudFormation。
使用创建用于启动 Neptune 集群的 Amazon EC2 密钥对 AWS CloudFormation
要使用 AWS CloudFormation 模板启动 Neptune 数据库集群,您必须在创建堆栈的区域中提供 Amazon EC2key 配对(及其关联PEM文件)。 AWS CloudFormation
如果您需要创建密钥对,请参阅亚马逊用户指南EC2中的使用亚马逊创建密钥对,或亚马逊EC2用户指南EC2中的使用亚马逊创建密钥对以获取说明。EC2
添加IAM策略以授予使用 AWS CloudFormation 模板所需的权限
首先,您需要为IAM用户设置使用 Neptune 所需的权限,如中所述。创建具有 Neptune 权限的 IAM 用户
然后,您需要向该用户添加 AWS 托管策略。AWSCloudFormationReadOnlyAccess
最后,您需要创建以下客户管理型策略并将其添加到该用户:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "rds:CreateDBCluster", "rds:CreateDBInstance" ], "Resource": [ "arn:aws:rds:*:*:*" ], "Condition": { "StringEquals": { "rds:DatabaseEngine": ["graphdb","neptune"] } } }, { "Action": [ "rds:AddRoleToDBCluster", "rds:AddSourceIdentifierToSubscription", "rds:AddTagsToResource", "rds:ApplyPendingMaintenanceAction", "rds:CopyDBClusterParameterGroup", "rds:CopyDBClusterSnapshot", "rds:CopyDBParameterGroup", "rds:CreateDBClusterParameterGroup", "rds:CreateDBClusterSnapshot", "rds:CreateDBParameterGroup", "rds:CreateDBSubnetGroup", "rds:CreateEventSubscription", "rds:DeleteDBCluster", "rds:DeleteDBClusterParameterGroup", "rds:DeleteDBClusterSnapshot", "rds:DeleteDBInstance", "rds:DeleteDBParameterGroup", "rds:DeleteDBSubnetGroup", "rds:DeleteEventSubscription", "rds:DescribeAccountAttributes", "rds:DescribeCertificates", "rds:DescribeDBClusterParameterGroups", "rds:DescribeDBClusterParameters", "rds:DescribeDBClusterSnapshotAttributes", "rds:DescribeDBClusterSnapshots", "rds:DescribeDBClusters", "rds:DescribeDBEngineVersions", "rds:DescribeDBInstances", "rds:DescribeDBLogFiles", "rds:DescribeDBParameterGroups", "rds:DescribeDBParameters", "rds:DescribeDBSecurityGroups", "rds:DescribeDBSubnetGroups", "rds:DescribeEngineDefaultClusterParameters", "rds:DescribeEngineDefaultParameters", "rds:DescribeEventCategories", "rds:DescribeEventSubscriptions", "rds:DescribeEvents", "rds:DescribeOptionGroups", "rds:DescribeOrderableDBInstanceOptions", "rds:DescribePendingMaintenanceActions", "rds:DescribeValidDBInstanceModifications", "rds:DownloadDBLogFilePortion", "rds:FailoverDBCluster", "rds:ListTagsForResource", "rds:ModifyDBCluster", "rds:ModifyDBClusterParameterGroup", "rds:ModifyDBClusterSnapshotAttribute", "rds:ModifyDBInstance", "rds:ModifyDBParameterGroup", "rds:ModifyDBSubnetGroup", "rds:ModifyEventSubscription", "rds:PromoteReadReplicaDBCluster", "rds:RebootDBInstance", "rds:RemoveRoleFromDBCluster", "rds:RemoveSourceIdentifierFromSubscription", "rds:RemoveTagsFromResource", "rds:ResetDBClusterParameterGroup", "rds:ResetDBParameterGroup", "rds:RestoreDBClusterFromSnapshot", "rds:RestoreDBClusterToPointInTime" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListRetirableGrants", "logs:DescribeLogStreams", "logs:GetLogEvents", "sns:ListSubscriptions", "sns:ListTopics", "sns:Publish" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": "iam:PassRole", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "iam:passedToService": "rds.amazonaws.com" } } }, { "Action": "iam:CreateServiceLinkedRole", "Effect": "Allow", "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS", "Condition": { "StringLike": { "iam:AWSServiceName": "rds.amazonaws.com" } } } ] }
注意
以下权限仅在删除堆栈时需要:iam:DeleteRole、iam:RemoveRoleFromInstanceProfile、iam:DeleteRolePolicy、iam:DeleteInstanceProfile 和 ec2:DeleteVpcEndpoints。
另请注意,ec2:*Vpc 授予 ec2:DeleteVpc 权限。
