Connect to Amazon S3 Access Grants from a Studio JupyterLab notebook - Amazon SageMaker AI

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

Connect to Amazon S3 Access Grants from a Studio JupyterLab notebook

Use the following information to use Amazon S3 Access Grants from a Studio JupyterLab notebook.

After you set up Amazon S3 Access Grants, add the following permissions to your domain or user execution role, where:

  • us-east-1 is your AWS Region

  • 111122223333 is your AWS account ID

  • S3-ACCESS-GRANT-ROLE is your Amazon S3 Access Grants role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForTIP",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}

Make sure that the trust policy of your Amazon S3 Access Grants role allows the sts:SetContext and sts:AssumeRole actions. The following is an example policy to use when you update the role's trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "access-grants.s3.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333",
                    "aws:SourceArn": "arn:aws:s3:us-east-1:111122223333:access-grants/default"
                }
            }
        }
    ]
}
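As an added check that is not part of the SageMaker AI documentation: a small offline validator that takes the two policies above as parsed JSON and reports what is missing, including the aws:SourceAccount and aws:SourceArn conditions that keep the trust policy tied to your own Access Grants instance. The account ID, Region and role name are the page's placeholders and are assumptions to replace with your own values.

```python
import json  # policies are normally loaded with json.load(open(path))

# Expected values, taken from the page's placeholders (assumptions; replace with yours).
ACCOUNT_ID = "111122223333"
GRANTS_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT_ID}:access-grants/default"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/S3-ACCESS-GRANT-ROLE"
GRANTS_SERVICE = "access-grants.s3.amazonaws.com"


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Service fields."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]


def check_execution_role_policy(policy: dict) -> list:
    """Return the permissions the domain/user execution role still lacks.
    Wildcards are deliberately not treated as a match: the page asks for
    explicit grants on the grants instance and the Access Grants role."""
    needed = {"s3:GetDataAccess": GRANTS_ARN, "sts:SetContext": ROLE_ARN}
    for stmt in _allow_statements(policy):
        for action, resource in list(needed.items()):
            if action in _as_list(stmt.get("Action", [])) and \
                    resource in _as_list(stmt.get("Resource", [])):
                del needed[action]
    return [f"{a} on {r}" for a, r in needed.items()]


def check_trust_policy(policy: dict) -> list:
    """Return problems in the Access Grants role trust policy: the S3 Access
    Grants service needs both STS actions, and the StringEquals conditions
    must pin the statement to this account's grants instance."""
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if GRANTS_SERVICE not in services:
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        problems = [f"missing {a}" for a in ("sts:AssumeRole", "sts:SetContext") if a not in actions]
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("aws:SourceAccount") != ACCOUNT_ID:
            problems.append("aws:SourceAccount not pinned to the account")
        if cond.get("aws:SourceArn") != GRANTS_ARN:
            problems.append("aws:SourceArn not pinned to the grants instance")
        return problems
    return [f"no Allow statement for {GRANTS_SERVICE}"]
```

Both functions return an empty list for the two policies shown on this page; run them again after any edit to the role so a dropped condition or action is caught before the notebook fails at runtime.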

Call Amazon S3 using Amazon S3 Access Grants

The following is an example Python script that demonstrates how to call Amazon S3 using Amazon S3 Access Grants. It assumes that you have successfully set up trusted identity propagation with SageMaker AI.

import boto3
from botocore.config import Config


def get_access_grant_credentials(account_id: str, target: str, permission: str = 'READ'):
    # Ask S3 Access Grants for temporary credentials scoped to the target
    # bucket or prefix with the requested permission (READ, WRITE or READWRITE).
    s3control = boto3.client('s3control')
    response = s3control.get_data_access(
        AccountId=account_id,
        Target=target,
        Permission=permission
    )
    return response['Credentials']


def create_s3_client_from_credentials(credentials) -> boto3.client:
    # Build an S3 client that uses only the vended temporary credentials.
    return boto3.client(
        's3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )


# Create client
credentials = get_access_grant_credentials('111122223333', "s3://tip-enabled-bucket/tip-enabled-path/")
s3 = create_s3_client_from_credentials(credentials)
s3.list_objects(Bucket="tip-enabled-bucket", Prefix="tip-enabled-path/")

If you use an Amazon S3 bucket path for which Amazon S3 Access Grants is not enabled, the call fails.

For other programming languages, see Managing access with Amazon S3 Access Grants for more information.