Service roles for AWS HealthOmics - AWS HealthOmics

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

Service roles for AWS HealthOmics

A service role is an AWS Identity and Access Management (IAM) role that grants an AWS service permission to access resources in your account. When you start an import job or a run in AWS HealthOmics, you provide it with a service role.

The HealthOmics console can create the required roles for you. If you use the HealthOmics API to manage resources, use the IAM console to create a service role. For more information, see Creating a role to delegate permissions to an AWS service.

The service role must have the following trust policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "omics.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

The trust policy allows the HealthOmics service to assume the role.

IAM service policy examples

In these examples, resource names and account IDs are placeholders that you replace with actual values.

The following example shows a policy for a service role that can be used to start a run. The policy grants access to the Amazon S3 output location for the run, the workflow log group, and the Amazon ECR containers.

Note

If you use call caching for the run, add the run cache Amazon S3 location as a resource in the s3 permissions.

Example: Service role policy for starting a run

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:log-stream:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": [
        "arn:aws:ecr:us-east-1:123456789012:repository/*"
      ]
    }
  ]
}
```
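A practical way to catch the gap the Note above describes (a run cache location missing from the s3 statements) before a run fails is to check every S3 location the run will touch against the role policy. The following checker is an added example, not code from this page or from AWS; the policy document, bucket names and the `example-object` key it uses are constructed, and it matches IAM `*`/`?` wildcards with `fnmatch` while ignoring Deny statements and Conditions.

```python
import fnmatch
import json
from urllib.parse import urlparse

# Constructed input: the run service-role policy shown on this page, with the
# run cache bucket deliberately absent (the case the Note above warns about).
RUN_ROLE_POLICY = json.loads("""
{ "Version": "2012-10-17", "Statement": [
  { "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1/*"] },
  { "Effect": "Allow", "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::amzn-s3-demo-bucket1" } ] }
""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _object_arn(s3_uri):
    # s3://bucket/prefix -> ARN of a representative object under that prefix.
    parsed = urlparse(s3_uri)
    prefix = parsed.path.strip("/")
    key = f"{prefix}/example-object" if prefix else "example-object"
    return f"arn:aws:s3:::{parsed.netloc}/{key}"

def granted_actions(policy, resource_arn):
    """Actions that some Allow statement grants on resource_arn.
    IAM wildcards (* and ?) in Resource are matched with fnmatch, whose * also
    crosses '/', matching IAM semantics. Deny statements and Conditions are ignored."""
    actions = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            actions.update(_as_list(stmt["Action"]))
    return actions

def missing_permissions(policy, s3_uris, needed=("s3:GetObject", "s3:PutObject")):
    """Map each s3:// location to the needed actions the policy does not grant there."""
    report = {}
    for uri in s3_uris:
        granted = granted_actions(policy, _object_arn(uri))
        gaps = [n for n in needed
                if not any(fnmatch.fnmatchcase(n, g) for g in granted)]
        if gaps:
            report[uri] = gaps
    return report

if __name__ == "__main__":
    # Constructed locations: the run's output location and its call-cache location.
    print(missing_permissions(RUN_ROLE_POLICY,
                              ["s3://amzn-s3-demo-bucket1/outputs",
                               "s3://amzn-s3-demo-bucket2/run-cache"]))
```

Running it reports the cache bucket as lacking both `s3:GetObject` and `s3:PutObject`, which is exactly the resource the Note says to add.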

The following example shows a policy for a service role that can be used for store import jobs. The policy grants access to the Amazon S3 input location.

Example: Service role for reference store jobs

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket"
      ]
    }
  ]
}
```

Example AWS CloudFormation template

The following example AWS CloudFormation template creates a service role that grants HealthOmics permission to access Amazon S3 buckets whose names begin with the prefix omics- and to upload workflow logs.

Example: Reference store, Amazon S3, and CloudWatch Logs permissions

```yaml
Parameters:
  bucketName:
    Description: Bucket name
    Type: String
Resources:
  serviceRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: read-reference
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - omics:*
                Resource: !Sub arn:${AWS::Partition}:omics:${AWS::Region}:${AWS::AccountId}:referenceStore/*
        - PolicyName: read-s3
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}/*
        - PolicyName: upload-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                # CloudWatch Logs ARNs use the "log-group" element, as in the JSON policies above.
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/omics/WorkflowLog:log-stream:*
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/omics/WorkflowLog:*
      # Trust policy: only the HealthOmics service principal may assume this role.
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": ["sts:AssumeRole"],
              "Effect": "Allow",
              "Principal": { "Service": ["omics.amazonaws.com"] }
            }
          ]
        }
```