本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
客户托管策略示例
在本节中,您可以找到为各种 AWS Snowball 任务管理操作授予权限的用户策略示例。这些政策在您使用 AWS SDKs或时起作用 AWS CLI。当您使用控制台时,您需要授予特定于控制台的其他权限,使用 AWS Snowball 控制台所需的权限 中对此进行了讨论。
注意
所有示例都使用 us-west-2 区域并包含虚构账户。IDs
示例
示例 1:允许用户创建 Job 来订购 Snow Family 设备的角色策略 API
以下权限策略是任何用于使用任务管理授予任务或集群创建权限的策略的必要组成部分API。该声明需要作为 Snowball IAM 角色的信任关系政策声明。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
示例 2:用于创建导入作业的角色策略
您可以使用以下角色信任策略为 Snowball Edge 创建使用由 AWS IoT Greengrass 函数 AWS Lambda 提供支持的导入任务。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:ListBucketMultipartUploads" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "s3:GetBucketPolicy", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads", "s3:ListBucket", "s3:HeadBucket", "s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts", "s3:PutObjectAcl", "s3:GetObject" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }
示例 3:用于创建导出作业的角色策略
您可以使用以下角色信任策略为 Snowball Edge 创建使用由 AWS IoT Greengrass 函数 AWS Lambda 提供支持的导出任务。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket" ], "Resource": "arn:aws:s3:::*" }, { "Effect": "Allow", "Action": [ "snowball:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iot:AttachPrincipalPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateThing", "iot:DescribeEndpoint", "iot:GetPolicy" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "lambda:GetFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "greengrass:CreateCoreDefinition", "greengrass:CreateDeployment", "greengrass:CreateDeviceDefinition", "greengrass:CreateFunctionDefinition", "greengrass:CreateGroup", "greengrass:CreateGroupVersion", "greengrass:CreateLoggerDefinition", "greengrass:CreateSubscriptionDefinition", "greengrass:GetDeploymentStatus", "greengrass:UpdateGroupCertificateConfiguration", "greengrass:CreateGroupCertificateAuthority", "greengrass:GetGroupCertificateAuthority", "greengrass:ListGroupCertificateAuthorities", "greengrass:ListDeployments", "greengrass:GetGroup", "greengrass:GetGroupVersion", "greengrass:GetCoreDefinitionVersion" ], "Resource": [ "*" ] } ] }
示例 4:预期角色权限和信任策略
以下预期角色权限策略是使用现有服务角色所必需的。这是一次性设置。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sns:Publish", "Resource": ["[[snsArn]]"] }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricData", "cloudwatch:PutMetricData" ], "Resource": [ "*" ], "Condition": { "StringEquals": { "cloudwatch:namespace": "AWS/SnowFamily" } } } ] }
以下预期角色信任策略是使用现有服务角色所必需的。这是一次性设置。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "importexport.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
AWS Snowball API权限:操作、资源和条件参考
在设置中的访问控制 AWS Cloud和编写可附加到身份的权限策略(基于IAM身份的策略)时,可以使用下表考。下表每项 AWS Snowball 任务管理API操作以及您可以为其授予执行该操作的权限的相应操作。它还包括您可以为每个API操作授予权限的 AWS 资源。您可以在策略的 Action 字段中指定这些操作,并在策略的 Resource 字段中指定资源值。
您可以在 AWS Snowball 策略中使用 AWS-wide 条件键来表达条件。有关 AWS-wide 密钥的完整列表,请参阅《IAM用户指南》中的可用密钥。
注意
要指定操作,请使用snowball:前缀和API操作名称(例如snowball:CreateJob)。
使用滚动条查看表的其余部分。
