本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# Cross-account 配送示例
在此示例中,涉及两个账户。拥有日志生成资源的账户是账户 A,ID:{{123456789012}},拥有日志消耗资源的账户是账户 B,ID:。{{111122223333}}
账户 A 想使用 ARN arn: aws: bedrock:: knowledge-base/ 在其账户中提供 Amazon Bedrock 知识库中的日志。{{us-east-1}} {{123456789012}} {{kb-12345678}}
对于此示例,账户 A 需要以下权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowVendedLogDeliveryForKnowledgeBase",
"Effect": "Allow",
"Action": [
"bedrock:AllowVendedLogDeliveryForResource"
],
"Resource": "arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:knowledge-base/{{XXXXXXXXXX}}"
},
{
"Sid": "CreateLogDeliveryPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliverySource",
"logs:CreateDelivery"
],
"Resource": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:*",
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery:*",
"arn:aws:logs:{{us-east-1}}:{{444455556666}}:delivery-destination:*"
]
}
]
}
```
------
## 创建传输源
首先,账户 A 使用其 bedrock 知识库创建传输源:
```
aws logs put-delivery-source --name my-delivery-source --log-type APPLICATION_LOGS --resource-arn arn:aws:bedrock:{{region}}:{{AAAAAAAAAAAA}}:knowledge-base/{{XXXXXXXXXX}}
```
接下来,账户 B 必须使用以下流之一创建传输目标:
+ [配置传输到 Amazon S3 存储桶](#crossaccount-example-delivery-S3)
+ [配置向 Firehose 流的传输](#crossaccount-example-delivery-Firehose)
## 配置传输到 Amazon S3 存储桶
用户 B 希望使用 ARN arn:aws:s3:::amzn-s3-demo-bucket 将日志接收到其 S3 存储桶中。对于此示例,账户 B 将需要以下权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PutLogDestinationPermissions",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:*"
}
]
}
```
------
存储桶在其存储桶策略中需要具有以下权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AWSLogsDeliveryWrite",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket/AWSLogs/{{123456789012}}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceAccount": [
"{{123456789012}}"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:my-delivery-source"
]
}
}
}
]
}
```
------
如果存储桶使用加密 SSE-KMS,请确保 AWS KMS 密钥策略具有相应的权限。例如,如果 KMS 密钥是 `arn:aws:kms:{{us-east-1}}:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}`,请使用以下内容:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowLogsGenerateDataKey",
"Effect": "Allow",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey"
],
"Resource": "arn:aws:kms:{{us-east-1}}:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}",
"Condition": {
"StringEquals": {
"aws:SourceAccount": [
"{{123456789012}}"
]
},
"ArnLike": {
"aws:SourceArn": [
"arn:aws:logs:{{us-east-1}}:{{123456789012}}:delivery-source:my-delivery-source"
]
}
}
}
]
}
```
------
然后,账户 B 可以创建一个以 S3 存储桶为目标资源的传输目标:
```
aws logs put-delivery-destination --name my-s3-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:s3:::amzn-s3-demo-bucket"
```
接下来,账户 B 在其新创建的传输目标上创建传输目标策略,该策略将授予账户 A 创建日志传输的权限。将添加到新创建的传输目标的策略如下:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "{{123456789012}}"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:{{amzn-s3-demo-bucket}}"
}
]
}
```
------
此策略将以 `destination-policy-s3.json` 形式保存在账户 B 的计算机中。要附加此资源,账户 B 将运行以下命令:
```
aws logs put-delivery-destination-policy --delivery-destination-name my-s3-delivery-destination --delivery-destination-policy file://destination-policy-s3.json
```
最后,账户 A 创建传输,将账户 A 中的传输源链接到账户 B 中的传输目标。
```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:{{region}}:{{BBBBBBBBBBBB}}:delivery-destination:my-s3-delivery-destination
```
## 配置向 Firehose 流的传输
在此示例中,账户 B 希望将日志接收到其 Firehose 流中。Firehose 直播具有以下 ARN,并且已配置为使用传输流类型: DirectPut
`arn:aws:firehose:{{us-east-1}}:{{111122223333}}:deliverystream/{{log-delivery-stream}}`
对于此示例,账户 B 需要以下权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowFirehoseCreateSLR",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "arn:aws:iam::{{111122223333}}:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery"
},
{
"Sid": "AllowFirehoseTagging",
"Effect": "Allow",
"Action": [
"firehose:TagDeliveryStream"
],
"Resource": "arn:aws:firehose:{{us-east-1}}:{{111122223333}}:deliverystream/{{X}}"
},
{
"Sid": "AllowFirehoseDeliveryDestination",
"Effect": "Allow",
"Action": [
"logs:PutDeliveryDestination",
"logs:PutDeliveryDestinationPolicy"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:*"
}
]
}
```
------
Firehose 流必须将标签 `LogDeliveryEnabled` 设置为 `true`。
然后,账户 B 将创建一个以 Firehose 流为目标资源的传输目标:
```
aws logs put-delivery-destination --name my-fh-delivery-destination --delivery-destination-configuration "destinationResourceArn=arn:aws:firehose:{{region}}:{{BBBBBBBBBBBB}}:deliverystream/{{X}}"
```
接下来,账户 B 在其新创建的传输目标上创建传输目标策略,该策略将授予账户 A 创建日志传输的权限。要添加到新创建的传输目标的策略如下:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowCreateDelivery",
"Effect": "Allow",
"Principal": {
"AWS": "{{123456789012}}"
},
"Action": [
"logs:CreateDelivery"
],
"Resource": "arn:aws:logs:{{us-east-1}}:{{111122223333}}:delivery-destination:{{amzn-s3-demo-bucket}}"
}
]
}
```
------
此策略将以 `destination-policy-fh.json` 形式保存在账户 B 的计算机中。要附加此资源,账户 B 运行以下命令:
```
aws logs put-delivery-destination-policy --delivery-destination-name my-fh-delivery-destination --delivery-destination-policy file://destination-policy-fh.json
```
最后,账户 A 创建传输,将账户 A 中的传输源链接到账户 B 中的传输目标。
```
aws logs create-delivery --delivery-source-name my-delivery-source --delivery-destination-arn arn:aws:logs:{{region}}:{{BBBBBBBBBBBB}}:delivery-destination:my-fh-delivery-destination
```