amazon-web-services - AWS Data Pipeline:IAM 角色的权限 S3 访问问题
问题描述
我正在使用Load S3 data into RDS MySql tableAWS Data Pipeline 中的模板将 csv 从 S3 存储桶导入我们的 RDS MySql。但是我(作为具有完全管理员权限的 IAM 用户)遇到了我无法解决的警告:
对象:Ec2Instance - 警告:无法验证角色的 S3 访问权限。请确保角色 ('DataPipelineDefaultRole') 具有 DataPipeline 的 s3:Get*、s3:List*、s3:Put* 和 sts:AssumeRole 权限。
谷歌告诉我不要对DataPipelineDefaultRoleand使用默认策略DataPipelineDefaultResourceRole。根据AWS Data Pipeline 的 IAM 角色文档和此 AWS 支持论坛上的主题,我使用了内联策略并编辑了这两个角色的信任关系。
政策DataPipelineDefaultRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"datapipeline:DescribeObjects",
"datapipeline:EvaluateExpression",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateTable",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CancelSpotInstanceRequests",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DetachNetworkInterface",
"elasticmapreduce:*",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListInstanceProfiles",
"iam:PassRole",
"rds:DescribeDBInstances",
"rds:DescribeDBSecurityGroups",
"redshift:DescribeClusters",
"redshift:DescribeClusterSecurityGroups",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:List*",
"s3:Put*",
"sdb:BatchPutAttributes",
"sdb:Select*",
"sns:GetTopicAttributes",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:Delete*",
"sqs:GetQueue*",
"sqs:PurgeQueue",
"sqs:ReceiveMessage"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"elasticmapreduce.amazonaws.com",
"spot.amazonaws.com"
]
}
}
}
]
}
信任关系DataPipelineDefaultRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
政策DataPipelineDefaultResourceRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"datapipeline:*",
"dynamodb:*",
"ec2:Describe*",
"elasticmapreduce:AddJobFlowSteps",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListInstance*",
"rds:Describe*",
"redshift:DescribeClusters",
"redshift:DescribeClusterSecurityGroups",
"s3:*",
"sdb:*",
"sns:*",
"sqs:*"
],
"Resource": [
"*"
]
}
]
}
信任关系DataPipelineDefaultResourceRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我尝试了几个选项/组合,但警告仍然存在。有谁知道如何解决这个权限问题?
解决方案
我回答这个问题可能有点晚了,但我刚刚发现您看到的警告信息可能具有误导性。如果您将管道配置为将日志放入 S3 存储桶,如果您仅指定存储桶的根目录而不是路径,则会出现警告。例如,如果我将配置字段“管道日志 Uri”(我在默认配置中找到)设置为,s3://bucket-name/那么我会看到警告。另一方面,如果我指定一个路径,例如s3://bucket-name/logs,警告就会消失。
AWS 论坛中的以下主题非常有助于解决这个问题:https ://forums.aws.amazon.com/thread.jspa?threadID=164635 。
推荐阅读
- sql - T-SQL :: 使用 GROUP BY CUBE 生成所有可能的组合
- twig - 如何使用路由中的参数通过元数据访问保存的实体
- python - 将文件字符串数据转换为json python
- java - 创建类“a”时的java类“a”运行方法
- java - Java 错误变量未找到符号未找到
- javascript - 我能够在我的 js 文件中获取数据,但不能在我的 .vue 文件中获取数据
- javascript - 使用 JQuery 或 CSS 根据 div 宽度自动限制文本
- reactjs - Material UI 选择模糊占位符和值
- javascript - Orchestrator 身份验证不适用于 Javascript XHR 请求
- java - 在相册或图库中创建一个文件夹,如 WhatsApp 图像、WhatsApp 视频