This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.
IAM policies for workflows
When you add a workflow to a server, you must select an execution role. The server uses this role when it runs the workflow. If the role does not have the appropriate permissions, AWS Transfer Family cannot run the workflow.
This section describes one possible set of AWS Identity and Access Management (IAM) permissions that you can use to run a workflow. Other examples are described later in this topic.
If your Amazon S3 files have tags, you need to add one or two permissions to your IAM policy.
Create an execution role for your workflow
- Create a new IAM role, and add the AWS managed policy AWSTransferFullAccess to the role. For more information about creating a new IAM role, see Create IAM roles and policies.
- Create another policy with the following permissions, and attach it to your role. Replace each user input placeholder with your own information.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConsoleAccess",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "*"
        },
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Sid": "GetObjectVersion",
            "Effect": "Allow",
            "Action": "s3:GetObjectVersion",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        },
        {
            "Sid": "Custom",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:123456789012:function:function-name"
            ]
        },
        {
            "Sid": "Tag",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}
- Save this role and specify it as the execution role when you add the workflow to the server.
When you construct your IAM role, AWS recommends that you restrict the workflow's access to resources as much as possible.
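The recommendation to keep the execution role as narrow as possible is easiest to follow with a quick automated check before the policy is attached. The following Python script is an added example and is not part of the AWS documentation. It lints a policy document for two things: resources or actions that are wider than a workflow needs (a `"*"` resource or a service-wide action), and S3 actions paired with the wrong resource type, since object-level actions such as s3:DeleteObject only ever match object ARNs of the form arn:aws:s3:::bucket/*, while s3:ListBucket only matches the bare bucket ARN. The action lists, helper names and the embedded sample policy are the example's own constructions.

```python
"""Least-privilege lint for a workflow execution-role policy (added example)."""
import fnmatch
import json

# S3 actions that operate on objects: they only match object ARNs (bucket/key).
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:GetObjectTagging", "s3:PutObjectTagging",
    "s3:GetObjectVersionTagging", "s3:PutObjectVersionTagging",
}
# S3 actions that operate on the bucket itself: they match the bare bucket ARN.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
S3_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn):
    """arn:aws:s3:::bucket/anything is an object ARN; arn:aws:s3:::bucket is a bucket ARN."""
    return arn.startswith(S3_PREFIX) and "/" in arn[len(S3_PREFIX):]


def _expand(action):
    """Expand an action pattern such as s3:*Object against the S3 actions known here."""
    return {a for a in OBJECT_LEVEL | BUCKET_LEVEL if fnmatch.fnmatchcase(a, action)}


def lint_policy(policy):
    """Return human-readable findings for the Allow statements of a policy document."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' grants {actions} on every resource")
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' is a service-wide wildcard")
            for concrete in sorted(_expand(action)):
                for res in resources:
                    if res == "*":
                        continue
                    if concrete in OBJECT_LEVEL and not _is_object_arn(res):
                        findings.append(
                            f"{sid}: {concrete} is object-level but Resource {res} "
                            f"is a bucket ARN (add /*)")
                    elif concrete in BUCKET_LEVEL and _is_object_arn(res):
                        findings.append(
                            f"{sid}: {concrete} is bucket-level but Resource {res} "
                            f"is an object ARN")
    return findings


# Constructed sample policy (not from the documentation): one correct statement,
# one wildcard-action statement that is still correctly scoped, one object-level
# action granted on a bucket ARN (it would never match), and one fully open statement.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"]},
    {"Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object",
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"]},
    {"Sid": "Delete", "Effect": "Allow",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample it reports four findings: two for the Delete statement, whose object-level actions can never match a bare bucket ARN, and two for the open statement. A statement like AllObjectActions passes, because `s3:*Object` only expands to object-level actions and the resource is an object ARN.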
Workflow trust relationships
The workflow execution role also requires a trust relationship with transfer.amazonaws.com. To establish a trust relationship for AWS Transfer Family, see Establish a trust relationship.
When you establish a trust relationship, you can also take steps to avoid the confused deputy problem. For a description of this problem and examples of how to avoid it, see Prevent cross-service confused deputy.
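The confused-deputy guard the paragraph above points to is expressed in the role's trust policy: the statement that lets transfer.amazonaws.com assume the role carries aws:SourceAccount and aws:SourceArn conditions, so the service can only assume it on behalf of a server in your own account. The following Python script is an added example, not code from the AWS documentation. It builds such a trust policy and checks an existing one for the two conditions; the account ID, Region and server ID it uses are constructed placeholders, and the function names are the example's own.

```python
"""Trust policy for the workflow execution role, with the cross-service
confused-deputy guard (added example, not from the AWS documentation)."""
import json

TRANSFER_SERVICE = "transfer.amazonaws.com"


def build_trust_policy(account_id, region, server_id="*"):
    """Trust policy that lets transfer.amazonaws.com assume the role only when the
    call originates from a Transfer Family server in this account (aws:SourceAccount)
    and, when a server ID is given, from that one server (aws:SourceArn)."""
    server_arn = f"arn:aws:transfer:{region}:{account_id}:server/{server_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": TRANSFER_SERVICE},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {"aws:SourceArn": server_arn},
                },
            }
        ],
    }


def check_trust_policy(policy):
    """Findings for an existing trust policy: no statement trusting the Transfer
    service, or a statement that trusts it without both source conditions."""
    findings = []
    trusts_transfer = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if TRANSFER_SERVICE not in (services if isinstance(services, list) else [services]):
            continue
        trusts_transfer = True
        # Condition keys are case-insensitive in IAM; compare lower-cased.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        for key in ("aws:SourceAccount", "aws:SourceArn"):
            if key.lower() not in keys:
                findings.append(f"statement trusts {TRANSFER_SERVICE} without {key}")
    if not trusts_transfer:
        findings.append(f"no Allow statement trusts {TRANSFER_SERVICE}")
    return findings


if __name__ == "__main__":
    # Constructed placeholder account ID, Region and server ID.
    guarded = build_trust_policy("123456789012", "us-east-1", "s-0123456789abcdef0")
    print(json.dumps(guarded, indent=4))
    print(check_trust_policy(guarded))
```

Leaving server_id at its default of `*` scopes the trust to any Transfer Family server in the account; passing a specific server ID narrows it to that server, which is the tighter choice when the role serves a single server's workflow.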
Example execution role: decrypt, copy, and tag
If you have a workflow that contains tagging, copying, and decrypting steps, you can use the following IAM policy. Replace each user input placeholder with your own information.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CopyRead",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionTagging"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
        },
        {
            "Sid": "CopyWrite",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectTagging"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
        },
        {
            "Sid": "CopyList",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-source-bucket",
                "arn:aws:s3:::amzn-s3-demo-destination-bucket"
            ]
        },
        {
            "Sid": "Tag",
            "Effect": "Allow",
            "Action": [
                "s3:PutObjectTagging",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:RequestObjectTag/Archive": "yes"
                }
            }
        },
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-destination-bucket"
            ]
        },
        {
            "Sid": "HomeDirObjectAccess",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObjectVersion",
                "s3:DeleteObject",
                "s3:GetObjectVersion"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
        },
        {
            "Sid": "Decrypt",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:aws/transfer/*"
        }
    ]
}
Example execution role: run function and delete
In this example, you have a workflow that invokes an AWS Lambda function. If the workflow deletes the uploaded file and has an exception-handler step to handle workflow executions that fail in the previous step, use the following IAM policy. Replace each user input placeholder with your own information. Note that s3:DeleteObject and s3:DeleteObjectVersion are object-level actions, so the Resource for the Delete statement must be the object ARN (the bucket ARN followed by /*), not the bare bucket ARN.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Delete",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::bucket-name/*"
        },
        {
            "Sid": "Custom",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:us-east-1:123456789012:function:function-name"
            ]
        }
    ]
}