本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
适用于工作流程的 IAM 策略
向服务器添加工作流程时,必须选择执行角色。服务器在执行工作流程时使用此角色。如果该角色没有适当的权限,则 AWS Transfer Family 无法运行工作流程。
本节介绍一组可能的 AWS Identity and Access Management (IAM) 权限,您可以使用这些权限来执行工作流程。本主题的后续部分中描述了其他示例。
如果您的 Amazon S3 文件有标签,则需要在 IAM 策略中添加一两个权限。
为您的工作流程创建执行角色
-
创建新的 IAM 角色,并将 AWS 托管策略AWSTransferFullAccess
添加到该角色中。有关创建 IAM 角色的更多信息,请参见 创建 IAM 角色和策略。
-
按以下策略创建其他策略,然后将其内联至您的角色。将每个 user input
placeholder
替换为您自己的信息。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": "s3:GetBucketLocation",
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Sid": "GetObjectVersion",
"Effect": "Allow",
"Action": "s3:GetObjectVersion",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Sid": "Custom",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:us-east-1
:123456789012
:function:function-name
"
]
},
{
"Sid": "Tag",
"Effect": "Allow",
"Action": [
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
-
保存此角色并在向服务器添加工作流程时将其指定为执行角色。
在构建 IAM 角色时, AWS 建议您尽可能限制工作流程对资源的访问权限。
工作流程信任关系
工作流程执行角色还需要与 transfer.amazonaws.com
建立信任关系。若要为 AWS Transfer Family建立信任关系,请参见 建立信任关系。
在建立信任关系的同时,您也可以采取措施避免混淆代理问题。有关此问题的描述以及如何避免该问题的示例,请参见 防止跨服务混淆代理。
执行角色示例:解密、复制和标记
如果您的工作流程包括标记、复制和解密步骤,则可以使用以下 IAM 策略。将每个 user input
placeholder
替换为您自己的信息。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CopyRead",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetObjectTagging",
"s3:GetObjectVersionTagging"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-source-bucket
/*"
},
{
"Sid": "CopyWrite",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectTagging"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket
/*"
},
{
"Sid": "CopyList",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-source-bucket
",
"arn:aws:s3:::amzn-s3-demo-destination-bucket
"
]
},
{
"Sid": "Tag",
"Effect": "Allow",
"Action": [
"s3:PutObjectTagging",
"s3:PutObjectVersionTagging"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket
/*",
"Condition": {
"StringEquals": {
"s3:RequestObjectTag/Archive": "yes"
}
}
},
{
"Sid": "ListBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-destination-bucket
"
]
},
{
"Sid": "HomeDirObjectAccess",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket
/*"
},
{
"Sid": "Decrypt",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:us-east-1
:123456789012
:secret:aws/transfer/*"
}
]
}
执行角色示例:运行函数并删除
在此示例中,您有一个 AWS Lambda 调用函数的工作流程。如果工作流程删除了上传的文件,并且有异常处理程序步骤可以对上一步中失败的工作流程执行采取行动,请使用以下 IAM 策略。将每个 user input placeholder
替换为您自己的信息。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Delete",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource": "arn:aws:s3:::bucket-name
"
},
{
"Sid": "Custom",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"arn:aws:lambda:us-east-1
:123456789012
:function:function-name
"
]
}
]
}