Setting up permissions for AWS IoT Events alarms - AWS IoT SiteWise

This page is a machine translation of the English version; where the two differ or are ambiguous, the English version prevails.

Setting up permissions for AWS IoT Events alarms

When you use AWS IoT Events alarm models to monitor AWS IoT SiteWise asset properties, you must have the following IAM permissions:

  • An AWS IoT Events service role that allows AWS IoT Events to send data to AWS IoT SiteWise. For more information, see Identity and access management for AWS IoT Events in the AWS IoT Events Developer Guide.

  • You must have the following AWS IoT SiteWise action permissions: iotsitewise:DescribeAssetModel and iotsitewise:UpdateAssetModelPropertyRouting. These permissions allow AWS IoT SiteWise to send asset property values to AWS IoT Events alarm models.

For more information, see Resource-based policies in the IAM User Guide.

Required action permissions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform which actions on which resources, and under what conditions. The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy.

Before you define an AWS IoT Events alarm model, you must grant the following permissions, which allow AWS IoT SiteWise to send asset property values to the alarm model.

  • iotsitewise:DescribeAssetModel - Allows AWS IoT Events to check whether an asset property exists.

  • iotsitewise:UpdateAssetModelPropertyRouting - Allows AWS IoT SiteWise to automatically create the subscriptions that let AWS IoT SiteWise send data to AWS IoT Events.

For more information about the actions that AWS IoT SiteWise supports, see Actions defined by AWS IoT SiteWise in the Service Authorization Reference.

Example permissions policy 1

The following policy allows AWS IoT SiteWise to send asset property values to any AWS IoT Events alarm model.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotevents:CreateAlarmModel",
        "iotevents:UpdateAlarmModel"
      ],
      "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:DescribeAssetModel",
        "iotsitewise:UpdateAssetModelPropertyRouting"
      ],
      "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
    }
  ]
}

Example permissions policy 2

The following policy allows AWS IoT SiteWise to send the values of a specified asset property to a specified AWS IoT Events alarm model.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotevents:CreateAlarmModel",
        "iotevents:UpdateAlarmModel"
      ],
      "Resource": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:DescribeAssetModel"
      ],
      "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:UpdateAssetModelPropertyRouting"
      ],
      "Resource": [
        "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/12345678-90ab-cdef-1234-567890abcdef"
      ],
      "Condition": {
        "StringLike": {
          "iotsitewise:propertyId": "abcdef12-3456-7890-abcd-ef1234567890",
          "iotevents:alarmModelArn": "arn:aws:iotevents:us-east-1:123456789012:alarmModel/MyAlarmModel"
        }
      }
    }
  ]
}

(Optional) ListInputRoutings permission

When you update or delete an asset model, AWS IoT SiteWise can check whether an alarm model in AWS IoT Events is monitoring an asset property associated with that asset model. This prevents you from deleting asset properties that AWS IoT Events alarms are currently using. To enable this feature in AWS IoT SiteWise, you must have the iotevents:ListInputRoutings permission. This permission allows AWS IoT SiteWise to call the ListInputRoutings API operation that AWS IoT Events supports.

Note

We strongly recommend that you add the ListInputRoutings permission.

Example permissions policy

The following policy allows you to update and delete asset models, and to use the ListInputRoutings API in AWS IoT SiteWise.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:UpdateAssetModel",
        "iotsitewise:DeleteAssetModel",
        "iotevents:ListInputRoutings"
      ],
      "Resource": "arn:aws:iotsitewise:us-east-1:123456789012:asset-model/*"
    }
  ]
}

Required permissions for SiteWise Monitor

If you want to use the alarm feature in the SiteWise Monitor portal, you must update the SiteWise Monitor service role with the following policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotsitewise:DescribePortal",
        "iotsitewise:CreateProject",
        "iotsitewise:DescribeProject",
        "iotsitewise:UpdateProject",
        "iotsitewise:DeleteProject",
        "iotsitewise:ListProjects",
        "iotsitewise:BatchAssociateProjectAssets",
        "iotsitewise:BatchDisassociateProjectAssets",
        "iotsitewise:ListProjectAssets",
        "iotsitewise:CreateDashboard",
        "iotsitewise:DescribeDashboard",
        "iotsitewise:UpdateDashboard",
        "iotsitewise:DeleteDashboard",
        "iotsitewise:ListDashboards",
        "iotsitewise:CreateAccessPolicy",
        "iotsitewise:DescribeAccessPolicy",
        "iotsitewise:UpdateAccessPolicy",
        "iotsitewise:DeleteAccessPolicy",
        "iotsitewise:ListAccessPolicies",
        "iotsitewise:DescribeAsset",
        "iotsitewise:ListAssets",
        "iotsitewise:ListAssociatedAssets",
        "iotsitewise:DescribeAssetProperty",
        "iotsitewise:GetAssetPropertyValue",
        "iotsitewise:GetAssetPropertyValueHistory",
        "iotsitewise:GetAssetPropertyAggregates",
        "iotsitewise:BatchPutAssetPropertyValue",
        "iotsitewise:ListAssetRelationships",
        "iotsitewise:DescribeAssetModel",
        "iotsitewise:ListAssetModels",
        "iotsitewise:UpdateAssetModel",
        "iotsitewise:UpdateAssetModelPropertyRouting",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeUser",
        "iotevents:DescribeAlarmModel",
        "iotevents:ListTagsForResource"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotevents:BatchAcknowledgeAlarm",
        "iotevents:BatchSnoozeAlarm",
        "iotevents:BatchEnableAlarm",
        "iotevents:BatchDisableAlarm"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "iotevents:keyValue": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotevents:CreateAlarmModel",
        "iotevents:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/iotsitewisemonitor": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iotevents:UpdateAlarmModel",
        "iotevents:DeleteAlarmModel"
      ],
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/iotsitewisemonitor": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "iotevents.amazonaws.com"
          ]
        }
      }
    }
  ]
}
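The added example below is not part of the AWS documentation. It is a small offline evaluator for the Allow statements shown on this page, written to make the effect of the scoping in example permissions policy 2 (the StringLike conditions on iotsitewise:propertyId and iotevents:alarmModelArn) and of the Null and iam:PassedToService conditions in the SiteWise Monitor policy concrete. The account ID, ARNs and IDs are the constructed sample values used on this page; the evaluator models only wildcard matching and the three condition operators these policies use, and does not model explicit Deny or the other parts of IAM evaluation.

```python
# Added example, not part of the AWS documentation: an offline evaluator for the
# Allow statements shown on this page. It models Action/Resource wildcards and
# the condition operators the page's policies use (StringLike, StringEquals,
# Null). Account, ARN and ID values are the constructed samples from the page.
import fnmatch


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    """IAM-style pattern match: '*' matches any run, '?' a single character."""
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "StringLike":
                if actual is None or not any(
                        _wildcard_match(p, actual) for p in _as_list(expected)):
                    return False
            elif operator == "Null":
                # "Null": {"key": "false"} requires the key to be present;
                # "true" requires it to be absent.
                must_be_present = str(expected).lower() == "false"
                if must_be_present != (actual is not None):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement matches. Explicit Deny is not modelled, so
    this is a least-privilege sanity check, not a full IAM simulator."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


ACCOUNT = "123456789012"  # sample account ID from the page
ASSET_MODEL_ARN = (f"arn:aws:iotsitewise:us-east-1:{ACCOUNT}:asset-model/"
                   "12345678-90ab-cdef-1234-567890abcdef")
PROPERTY_ID = "abcdef12-3456-7890-abcd-ef1234567890"
ALARM_MODEL_ARN = f"arn:aws:iotevents:us-east-1:{ACCOUNT}:alarmModel/MyAlarmModel"

# Example permissions policy 2 from the page: routing is scoped to one asset
# model, one property ID and one alarm model ARN.
SCOPED_ROUTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iotevents:CreateAlarmModel", "iotevents:UpdateAlarmModel"],
         "Resource": f"arn:aws:iotevents:us-east-1:{ACCOUNT}:alarmModel/*"},
        {"Effect": "Allow", "Action": ["iotsitewise:DescribeAssetModel"],
         "Resource": f"arn:aws:iotsitewise:us-east-1:{ACCOUNT}:asset-model/*"},
        {"Effect": "Allow", "Action": ["iotsitewise:UpdateAssetModelPropertyRouting"],
         "Resource": [ASSET_MODEL_ARN],
         "Condition": {"StringLike": {"iotsitewise:propertyId": PROPERTY_ID,
                                      "iotevents:alarmModelArn": ALARM_MODEL_ARN}}},
    ],
}

# The conditional statements from the SiteWise Monitor service-role policy.
MONITOR_CONDITIONAL_STATEMENTS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["iotevents:BatchAcknowledgeAlarm", "iotevents:BatchSnoozeAlarm",
                    "iotevents:BatchEnableAlarm", "iotevents:BatchDisableAlarm"],
         "Condition": {"Null": {"iotevents:keyValue": "false"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["iotevents.amazonaws.com"]}}},
    ],
}


def routing_allowed(property_id, alarm_model_arn, asset_model_arn=ASSET_MODEL_ARN):
    """Does example policy 2 let SiteWise route this property to this alarm model?"""
    return is_allowed(SCOPED_ROUTING_POLICY, "iotsitewise:UpdateAssetModelPropertyRouting",
                      asset_model_arn, {"iotsitewise:propertyId": property_id,
                                        "iotevents:alarmModelArn": alarm_model_arn})


def pass_role_allowed(service):
    """Does the Monitor policy let the service role be passed to this service?"""
    return is_allowed(MONITOR_CONDITIONAL_STATEMENTS, "iam:PassRole",
                      f"arn:aws:iam::{ACCOUNT}:role/AnyRole", {"iam:PassedToService": service})


if __name__ == "__main__":
    print("scoped property -> MyAlarmModel:", routing_allowed(PROPERTY_ID, ALARM_MODEL_ARN))
    print("other property  -> MyAlarmModel:",
          routing_allowed("00000000-0000-0000-0000-000000000000", ALARM_MODEL_ARN))
    print("PassRole to lambda.amazonaws.com:", pass_role_allowed("lambda.amazonaws.com"))
```

Running it shows why policy 2 is the tighter choice: the DescribeAssetModel statement still matches any asset model, but UpdateAssetModelPropertyRouting is refused for any other asset model, property ID or alarm model ARN, and also when the condition keys are absent from the request. The Monitor checks show that the alarm batch actions require iotevents:keyValue to be present and that iam:PassRole only succeeds when the role is passed to iotevents.amazonaws.com.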