IAM 角色设置 - Amazon EMR
MCP 服务器的 IAM 角色设置按部署模式划分的其他权限 (EMR-/EMR-EC2 S)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

IAM 角色设置

设置说明中的 CloudFormation 堆栈可自动为您设置 IAM 角色。如果您想手动执行它,请按照以下说明进行操作:

MCP 服务器的 IAM 角色设置

要访问 SMUS 托管 MCP 服务器,需要使用以下内联策略的 IAM 角色:

{  
    "Version": "2012-10-17",		 	 	 
    "Statement": [  
        {  
            "Sid": "AllowUseSagemakerUnifiedStudioMcpServer",  
            "Effect": "Allow",  
            "Action": [  
                "sagemaker-unified-studio-mcp:InvokeMcp",  
                "sagemaker-unified-studio-mcp:CallReadOnlyTool",  
                "sagemaker-unified-studio-mcp:CallPrivilegedTool"  
            ],  
            "Resource": [  
                "*"  
            ]  
        }  
    ]  
}

在接下来的步骤中,我们将为此角色创建个人资料。无论哪个账户担任此角色以获取证书,都应添加到代入角色策略中。

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Sid": "AllowAccountToAssumeRole",  
      "Effect": "Allow",  
      "Principal": { "AWS": "arn:aws:iam::<accountId>:root" },  
      "Action": "sts:AssumeRole"  
    }  
  ]  
}

按部署模式划分的其他权限 (EMR-/EMR-EC2 S)

EMR-应用程序 EC2

将策略中的 Amazon S3 暂存存储桶替换为您想要存储已升级项目的 Amazon S3 存储桶

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Effect": "Allow",  
      "Action": [  
        "elasticmapreduce:DescribeCluster",  
        "elasticmapreduce:DescribeStep",  
        "elasticmapreduce:ListSteps",  
        "elasticmapreduce:ListClusters",  
        "elasticmapreduce:DescribeJobFlows",  
        "elasticmapreduce:AddJobFlowSteps",  
        "elasticmapreduce:CreatePersistentAppUI",  
        "elasticmapreduce:DescribePersistentAppUI",  
        "elasticmapreduce:GetPersistentAppUIPresignedURL"  
      ],  
      "Resource": "*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetBucket*",  
        "s3:GetObject*",  
        "s3:List*",  
        "s3:Put*"  
      ],  
      "Resource": [  
        "arn:aws:s3:::<s3-staging-bucket>",  
        "arn:aws:s3:::<s3-staging-bucket>/*"  
      ]  
    }  
  ]  
}

KMS 权限-暂存存储桶

如果暂存存储桶使用 CMK 加密,请添加以下策略。上传数据时,该服务将自动使用存储桶上配置的 CMK。

{  
  "Effect": "Allow",  
  "Action": [  
    "kms:GenerateDataKey",  
    "kms:Encrypt"  
  ],  
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>"  
}

EMR 无服务器应用程序

将策略中的 Amazon S3 暂存存储桶替换为您想要存储已升级项目的 Amazon S3 存储桶

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Effect": "Allow",  
      "Action": [  
        "emr-serverless:StartJobRun",  
        "emr-serverless:GetJobRun",  
        "emr-serverless:GetApplication",  
        "emr-serverless:ListApplications",  
        "emr-serverless:GetDashboardForJobRun"  
      ],  
      "Resource": "*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": "iam:PassRole",  
      "Resource": "*",  
      "Condition": {  
        "StringLike": {  
          "iam:PassedToService": "emr-serverless.amazonaws.com"  
        }  
      }  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "logs:GetLogEvents",  
        "logs:DescribeLogStreams"  
      ],  
      "Resource": "arn:aws:logs:*:*:log-group:*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetBucket*",  
        "s3:GetObject*",  
        "s3:List*",  
        "s3:Put*"  
      ],  
      "Resource": [  
        "arn:aws:s3:::<s3-staging-bucket>",  
        "arn:aws:s3:::<s3-staging-bucket>/*"  
      ]  
    }  
  ]  
}

KMS 权限-暂存存储桶

如果暂存存储桶使用 CMK 加密,请添加以下策略。上传数据时,该服务将自动使用存储桶上配置的 CMK

{  
  "Effect": "Allow",  
  "Action": [  
    "kms:GenerateDataKey",  
    "kms:Encrypt"  
  ],  
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>"  
}

KMS 权限- CloudWatch 日志

如果 CloudWatch 日志是使用 CMK 加密的,请添加以下策略,以便服务可以读取 EMR-Serverless 应用程序日志。

{  
"Effect": "Allow",  
"Action": [  
    "kms:Decrypt",  
    "kms:DescribeKey"  
],  
"Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>"  
}