Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
Pengaturan Peran IAM
CloudFormation Tumpukan dalam Petunjuk Pengaturan mengotomatiskan pengaturan peran IAM untuk Anda. Jika Anda ingin menjalankannya secara manual, ikuti petunjuk di bawah ini:
Pengaturan Peran IAM untuk MCP Server
Untuk mengakses server MCP Terkelola SMUS, diperlukan peran IAM dengan kebijakan inline berikut:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUseSagemakerUnifiedStudioMcpServer", "Effect": "Allow", "Action": [ "sagemaker-unified-studio-mcp:InvokeMcp", "sagemaker-unified-studio-mcp:CallReadOnlyTool", "sagemaker-unified-studio-mcp:CallPrivilegedTool" ], "Resource": [ "*" ] } ] }
Pada langkah selanjutnya, kami akan membuat profil untuk peran ini. Akun mana pun yang mengambil peran ini untuk mendapatkan kredensil harus ditambahkan ke kebijakan peran asumsi.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowAccountToAssumeRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<accountId>:root" }, "Action": "sts:AssumeRole" } ] }
Izin Tambahan dengan Mode Penerapan (EMR- /EMR-S/Glue) EC2
EMR- Aplikasi EC2
{ "Version": "2012-10-17", "Statement": [ { "Sid": "EMREC2ReadAccess", "Effect": "Allow", "Action": [ "elasticmapreduce:DescribeCluster", "elasticmapreduce:DescribeStep", "elasticmapreduce:ListSteps", "elasticmapreduce:ListClusters", "elasticmapreduce:DescribeJobFlows" ], "Resource": [ "*" ] }, { "Sid": "EMRS3LogAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": "*" }, { "Sid": "EMRPersistentApp", "Effect": "Allow", "Action": [ "elasticmapreduce:CreatePersistentAppUI", "elasticmapreduce:DescribePersistentAppUI", "elasticmapreduce:GetPersistentAppUIPresignedURL" ], "Resource": [ "*" ] } ] }
Lowongan Glue
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GlueReadAccess", "Effect": "Allow", "Action": [ "glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns", "glue:GetJobs", "glue:BatchGetJobs" ], "Resource": [ "arn:aws:glue:*:<account id>:job/*" ] }, { "Sid": "GlueCloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": [ "arn:aws:logs:*:<account id>:log-group:/aws/glue/*" ] }, { "Sid": "GlueSparkWebUI", "Effect": "Allow", "Action": [ "glue:RequestLogParsing", "glue:GetLogParsingStatus", "glue:GetEnvironment", "glue:GetStage", "glue:GetStages", "glue:GetStageFiles", "glue:BatchGetStageFiles", "glue:GetStageAttempt", "glue:GetStageAttemptTaskList", "glue:GetStageAttemptTaskSummary", "glue:GetExecutors", "glue:GetExecutorsThreads", "glue:GetStorage", "glue:GetStorageUnit", "glue:GetQueries", "glue:GetQuery", "glue:GetDashboardUrl" ], "Resource": [ "arn:aws:glue:*:<account id>:job/*" ] }, { "Sid": "GluePassRoleAccess", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringLike": { "iam:PassedToService": "glue.amazonaws.com" } } } ] }
Aplikasi EMR Tanpa Server
{ "Version": "2012-10-17", "Statement": [ { "Sid": "EMRServerlessReadAccess", "Effect": "Allow", "Action": [ "emr-serverless:GetJobRun", "emr-serverless:GetApplication", "emr-serverless:ListApplications", "emr-serverless:ListJobRuns", "emr-serverless:ListJobRunAttempts", "emr-serverless:GetDashboardForJobRun", "emr-serverless:ListTagsForResource" ], "Resource": [ "*" ] }, { "Sid": "EMRServerlessCloudWatchLogsAccess", "Effect": "Allow", "Action": [ "logs:GetLogEvents", "logs:FilterLogEvents" ], "Resource": [ "arn:aws:logs:*:<account id>:log-group:/aws/emr-serverless/*" ] }, { "Sid": "EMRServerlessS3LogsAccess", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": "*" } ] }
Izin KMS - Log CloudWatch
Jika CloudWatch Log dienkripsi dengan CMK, tambahkan kebijakan berikut agar layanan dapat membaca log aplikasi EMR-Serverless.
{ "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>" }
