Amazon EMR Serverless 的 IAM 政策 - AWS Step Functions

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

Amazon EMR Serverless 的 IAM 政策

使用控制台建立狀態機時,Step Functions會以所需的最低權限自動為狀態機建立執行角色。這些自動產生的IAM角色對於您 AWS 區域 在其中建立狀態機器有效。

下列範例範本顯示如何 AWS Step Functions 根據狀態機器定義中的資源產生 IAM 政策。如需詳細資訊,請參閱 整合式服務的 IAM 政策服務整合模式

建議您在建立IAM原則時,不要在原則中包含萬用字元。作為安全性最佳做法,您應該盡可能縮小原則的範圍。只有在執行階段期間不知道某些輸入參數時,才應使用動態原則。

此外,管理員使用者在授與執行狀態機器的非系統管理員使用者執行角色時,應該小心。如果您要自行建立原則,建議您在執行角色中包含 passRole 原則。我們也建議您在執行角色中新增aws:SourceARNaws:SourceAccount內容索引鍵。

在本主題中

EMR 無伺服器與 Step Functions 整合的 IAM 政策範例

IAM 政策範例 CreateApplication

以下是具有狀態之狀態機器的 IAM 政策範例。 CreateApplication 任務

注意

您必須在帳戶中建立第一個應用程式期間,在 IAM 政策中指定 CreateServiceLinkedRole 許可。此後,您無需添加此權限。如需有關的資訊 CreateServiceLinkedRole,請參閱 https://docs.aws.amazon.com/IAM/latest/APIReference/ CreateServiceLinkedRole中的。

下列原則的靜態和動態資源相同。

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CreateApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/*" ] }, { "Effect": "Allow", "Action": [ "emr-serverless:GetApplication", "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWS ServiceRoleForAmazonEMRServerless*", "Condition": { "StringLike": { "iam:AWSServiceName": "ops.emr-serverless.amazonaws.com" } } } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CreateApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/*" ] }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::{{accountId}}:role/aws-service-role/ops.emr-serverless.amazonaws.com/AWS ServiceRoleForAmazonEMRServerless*", "Condition": { "StringLike": { "iam:AWSServiceName": "ops.emr-serverless.amazonaws.com" } } } ] }

IAM 政策範例 StartApplication

靜態資源

以下是使用具有狀態的狀態機器時,靜態資源的 IAM 政策範例。 StartApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication", "emr-serverless:GetApplication", "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
動態資源

以下是使用具有狀態的狀態機器時,動態資源的 IAM 政策範例。 StartApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication", "emr-serverless:GetApplication", "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM 政策範例 StopApplication

靜態資源

以下是使用具有狀態的狀態機器時,靜態資源的 IAM 政策範例。 StopApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
動態資源

以下是使用具有狀態的狀態機器時,動態資源的 IAM 政策範例。 StopApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StopApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM 政策範例 DeleteApplication

靜態資源

以下是使用具有狀態的狀態機器時,靜態資源的 IAM 政策範例。 DeleteApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] } ] }
動態資源

以下是使用具有狀態的狀態機器時,動態資源的 IAM 政策範例。 DeleteApplication 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication", "emr-serverless:GetApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessApplicationRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:DeleteApplication" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }

IAM 政策範例 StartJobRun

靜態資源

以下是使用具有狀態的狀態機器時,靜態資源的 IAM 政策範例。 StartJobRun 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } } ] }
動態資源

以下是使用具有狀態的狀態機器時,動態資源的 IAM 政策範例。 StartJobRun 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun", "emr-serverless:GetJobRun", "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:StartJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "[[jobExecutionRoleArn]]" ], "Condition": { "StringEquals": { "iam:PassedToService": "emr-serverless.amazonaws.com" } } } ] }

IAM 政策範例 CancelJobRun

靜態資源

以下是使用具有狀態的狀態機器時,靜態資源的 IAM 政策範例。 CancelJobRun 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun", "emr-serverless:GetJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/[[applicationId]]/jobruns/[[jobRunId]]" ] } ] }
動態資源

以下是使用具有狀態的狀態機器時,動態資源的 IAM 政策範例。 CancelJobRun 任務

Run a Job (.sync)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun", "emr-serverless:GetJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] }, { "Effect": "Allow", "Action": [ "events:PutTargets", "events:PutRule", "events:DescribeRule" ], "Resource": [ "arn:aws:events:{{region}}:{{accountId}}:rule/StepFunctionsGetEventsForEMRServerlessJobRule" ] } ] }
Request Response
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "emr-serverless:CancelJobRun" ], "Resource": [ "arn:aws:emr-serverless:{{region}}:{{accountId}}:/applications/*" ] } ] }