Enabling S3 Object Lock using S3 Batch Operations - Amazon Simple Storage Service

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version takes precedence.

Enabling S3 Object Lock using S3 Batch Operations

You can use Amazon S3 Batch Operations with S3 Object Lock to manage retention or enable a legal hold on many Amazon S3 objects at once. You specify the list of target objects in your manifest and submit it to Batch Operations for completion. For more information, see S3 Object Lock retention and S3 Object Lock legal hold.

The following example shows how to create an AWS Identity and Access Management (IAM) role with S3 Batch Operations permissions and then update the role's permissions so that it can create jobs that enable Object Lock. You also need a CSV manifest that identifies the objects for the S3 Batch Operations job. For more information, see Specifying a manifest.

To use the following examples, replace the user input placeholders with your own information.

  1. Create an IAM role and assign it the S3 Batch Operations permissions it needs to run.

    This step is required for all S3 Batch Operations jobs.

    export AWS_PROFILE='aws-user'

    # Trust policy: allows only the S3 Batch Operations service to assume the role.
    read -d '' batch_operations_trust_policy <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "batchoperations.s3.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOF

    aws iam create-role --role-name batch_operations-objectlock \
        --assume-role-policy-document "${batch_operations_trust_policy}"
  2. Configure S3 Batch Operations with S3 Object Lock so that the job can run.

    In this step, you allow the role to perform the following actions:

    1. Run Object Lock on the S3 bucket that contains the target objects for the batch operation.

    2. Read the manifest CSV file and the S3 bucket where the objects are located.

    3. Write the results of the S3 Batch Operations job to the report bucket.

    # Permissions policy: read the Object Lock configuration and the manifest
    # objects, and write the completion report; nothing beyond those two buckets.
    read -d '' batch_operations_permissions <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:GetBucketObjectLockConfiguration",
          "Resource": [
            "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::{{amzn-s3-demo-completion-report-bucket}}/*"
          ]
        }
      ]
    }
    EOF

    aws iam put-role-policy --role-name batch_operations-objectlock \
        --policy-name object-lock-permissions \
        --policy-document "${batch_operations_permissions}"

The following example shows how to use the AWS SDK for Java to create an IAM role with S3 Batch Operations permissions and then update the role's permissions so that it can create jobs that enable Object Lock. You also need a CSV manifest that identifies the objects for the S3 Batch Operations job. For more information, see Specifying a manifest.

Perform the following steps:

  1. Create an IAM role and assign it the S3 Batch Operations permissions it needs to run. This step is required for all S3 Batch Operations jobs.

  2. Configure S3 Batch Operations with S3 Object Lock so that the job can run.

    You allow the role to perform the following actions:

    1. Run Object Lock on the S3 bucket that contains the target objects for the batch operation.

    2. Read the manifest CSV file and the S3 bucket where the objects are located.

    3. Write the results of the S3 Batch Operations job to the report bucket.

import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.CreateRoleRequest;
import com.amazonaws.services.identitymanagement.model.CreateRoleResult;
import com.amazonaws.services.identitymanagement.model.PutRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.PutRolePolicyResult;

public void createObjectLockRole() {
    final String roleName = "batch_operations-object-lock";

    // Trust policy: allows only the S3 Batch Operations service to assume the role.
    final String trustPolicy = "{"
            + "  \"Version\": \"2012-10-17\", "
            + "  \"Statement\": [ "
            + "    { "
            + "      \"Effect\": \"Allow\", "
            + "      \"Principal\": { "
            + "        \"Service\": ["
            + "          \"batchoperations.s3.amazonaws.com\""
            + "        ]"
            + "      }, "
            + "      \"Action\": \"sts:AssumeRole\" "
            + "    } "
            + "  ]"
            + "}";

    // Permissions policy: read the Object Lock configuration and the objects in
    // the manifest bucket, and write the completion report to the report bucket.
    final String bopsPermissions = "{"
            + "  \"Version\": \"2012-10-17\","
            + "  \"Statement\": ["
            + "    {"
            + "      \"Effect\": \"Allow\","
            + "      \"Action\": \"s3:GetBucketObjectLockConfiguration\","
            + "      \"Resource\": ["
            + "        \"arn:aws:s3:::amzn-s3-demo-manifest-bucket\""
            + "      ]"
            + "    },"
            + "    {"
            + "      \"Effect\": \"Allow\","
            + "      \"Action\": ["
            + "        \"s3:GetObject\","
            + "        \"s3:GetObjectVersion\","
            + "        \"s3:GetBucketLocation\""
            + "      ],"
            + "      \"Resource\": ["
            + "        \"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\""
            + "      ]"
            + "    },"
            + "    {"
            + "      \"Effect\": \"Allow\","
            + "      \"Action\": ["
            + "        \"s3:PutObject\","
            + "        \"s3:GetBucketLocation\""
            + "      ],"
            + "      \"Resource\": ["
            + "        \"arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*\""
            + "      ]"
            + "    }"
            + "  ]"
            + "}";

    final AmazonIdentityManagement iam = AmazonIdentityManagementClientBuilder.defaultClient();

    // The role is created with the trust policy as its assume-role document;
    // passing the permissions policy here would leave no principal able to assume it.
    final CreateRoleRequest createRoleRequest = new CreateRoleRequest()
            .withAssumeRolePolicyDocument(trustPolicy)
            .withRoleName(roleName);
    final CreateRoleResult createRoleResult = iam.createRole(createRoleRequest);

    // Attach the S3 permissions to the role as an inline policy.
    final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest()
            .withPolicyDocument(bopsPermissions)
            .withPolicyName("batch_operations-permissions")
            .withRoleName(roleName);
    final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest);
}
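Both procedures above hand two separate documents to IAM: a trust policy for create-role and a permissions policy for put-role-policy, and swapping them or widening a resource is easy to do without noticing. As an added example (not from this page or the AWS SDK), the following offline check validates both documents before they are sent; the check_* helpers are hypothetical names, and the embedded policies are the ones shown on this page.

```python
# Added example (not from the page or the AWS SDK): offline pre-flight check of
# the two policy documents before create-role / put-role-policy. The check_*
# helpers are hypothetical; the documents are the ones shown on this page.
BATCH_OPS_SERVICE = "batchoperations.s3.amazonaws.com"
TRUST_POLICY = {  # who may assume the role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": [BATCH_OPS_SERVICE]}}]}
PERMISSIONS_POLICY = {  # what the role may do once assumed
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration",
         "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]}]}

def _as_list(value):  # IAM accepts a string or a list in Action/Resource/Service
    return value if isinstance(value, list) else [value]
def check_trust_policy(doc):
    """Return problems (empty = OK): a permissions document passed as the
    assume-role document, or any principal but the Batch Operations service."""
    problems = []
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements grant nothing; only Allow matters here
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            problems.append("allow statement without sts:AssumeRole")
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            problems.append("principal missing, '*' or not a service principal")
        elif _as_list(principal["Service"]) != [BATCH_OPS_SERVICE]:
            problems.append("service principal is not " + BATCH_OPS_SERVICE)
    return problems

def check_permissions_policy(doc, manifest_bucket, report_bucket):
    """Flag wildcard actions and resources outside the manifest and report buckets."""
    allowed = {"arn:aws:s3:::" + b for b in (manifest_bucket, report_bucket)}
    problems = []
    for st in doc.get("Statement", []):
        for act in _as_list(st.get("Action", [])):
            if act.endswith("*"):
                problems.append("wildcard action " + act)
        for res in _as_list(st.get("Resource", [])):
            bucket_arn = res.split("/", 1)[0]  # drop the object-key part
            if "*" in bucket_arn or bucket_arn not in allowed:
                problems.append("resource outside job buckets: " + res)
    return problems
```

Running check_trust_policy on PERMISSIONS_POLICY returns problems for every statement, which is exactly the mistake of passing the wrong document to create-role.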