amazon-redshift - 为频谱 S3 访问创建 IAM 角色的模板
问题描述
为了通过频谱访问 S3 数据,我需要创建一个 IAM 角色,如此处所述...
https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html
新创建的 IAM 角色需要附加到 redshift 实例。
我已成功完成所有步骤。但我想知道是否可以编写一个快速完成所需的 cloudformation 模板。这是我提取的相关代码。我不确定如何使用正确的语法。
第1步
{
"Tags": [],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
}
}
]
},
"RoleId": "AROAJWJGDMYIHSSTPZ6I6CM",
"CreateDate": "2017-05-15T05:34:46Z",
"InstanceProfileList": [],
"RoleName": "RedshiftCopyUnload",
"Path": "/",
"AttachedManagedPolicies": [
{
"PolicyName": "AmazonAthenaFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
},
{
"PolicyName": "AmazonS3ReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
},
{
"PolicyName": "AWSGlueConsoleFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
}
],
"RolePolicyList": [],
"Arn": "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
}
第2步
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift:DescribeClusters",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"redshift:ModifyClusterIamRoles",
"redshift:CreateCluster"
],
"Resource": [
"arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
"arn:aws:redshift:us-east-1:123456789012:cluster:cluster:my-second-redshift-cluster"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::123456789012:role/MyRedshiftRole",
"arn:aws:iam::123456789012:role/SecondRedshiftRole",
"arn:aws:iam::123456789012:role/ThirdRedshiftRole"
]
}
]
}
更新:以下 cloudformation 模板能否正确创建步骤 1 中提到的角色?
{
"Resources": {
"NewRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"redshift.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
},
"RoleName": "RedshiftCopyUnload",
"Path": "/",
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
]
}
}
}
}
解决方案
是的。AWS CloudFormation 模板可用于定义 IAM 角色。
这是来自AWS::IAM::Role - AWS CloudFormation的示例:
AWSTemplateFormatVersion: 2010-09-09
Resources:
RootRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service:
- ec2.&api-domain;
Action:
- 'sts:AssumeRole'
Path: /
Policies:
- PolicyName: root
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: '*'
Resource: '*'
推荐阅读
- database - 计算每天尝试的新项目,而不包括前几天尝试的新项目 - 使用 PostgreSQL
- python - 执行七段显示图像的 OCR
- android - 从 Flutter App 按下 Lock(电源)按钮
- python - 从运行训练中保存模型 - Pytorch
- reactjs - 将收藏产品的 id 添加到 localstrorage (array)
- c++ - 将 boost::json 静态库与 cmake 一起使用
- android - getLastLocation() 仅在三到四次尝试后返回位置
- laravel - 谁能帮我从每个模型做 laravel 通知过程。例如:我有两个模型,一个是护照,另一个是 voterid。?
- c# - 如果可以在特定类型上调用扩展方法,则通过反射检查的稳健方法
- aws-lambda - 如何在本地调试和运行多个 lambda