


# IAM role setup
<a name="spark-troubleshooting-agent-iam-setup"></a>

## Prerequisites
<a name="spark-troubleshooting-agent-iam-prerequisites"></a>

Before you begin, make sure you have the following:
+ An AWS account with IAM administrative permissions
+ The AWS CLI installed and configured. For more information, see [Installing the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).

Set the following variables for use in the commands that follow:

```
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
REGION=$(aws configure get region)
```

## Step 1: Create the IAM role
<a name="spark-troubleshooting-agent-iam-step1"></a>

The SMUS MCP server uses your IAM role to authorize operations at the AWS service level. No separate MCP-specific permissions are required.

**Create the IAM role (AWS CLI)**

1. Create a trust policy document that allows your account to assume the role:

   ```
   cat > mcp-trust-policy.json << EOF
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Sid": "AllowAccountToAssumeRole",
         "Effect": "Allow",
         "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   EOF
   ```

1. Create the role:

   ```
   aws iam create-role \
     --role-name SparkTroubleshootingMCPRole \
     --assume-role-policy-document file://mcp-trust-policy.json
   ```

## Step 2: Attach permissions for your deployment mode
<a name="spark-troubleshooting-agent-iam-step2"></a>

Attach the permissions policy that matches your Spark deployment platform. Depending on which platforms you use, you can attach one or more of the following.

### Option A: EMR on EC2
<a name="spark-troubleshooting-agent-iam-emr-ec2"></a>

1. Create the policy document:

   ```
   cat > emr-ec2-policy.json << 'EOF'
   {
     "Version": "2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "EMREC2ReadAccess",
         "Effect": "Allow",
         "Action": [
           "elasticmapreduce:DescribeCluster",
           "elasticmapreduce:DescribeStep",
           "elasticmapreduce:ListSteps",
           "elasticmapreduce:ListClusters",
           "elasticmapreduce:DescribeJobFlows"
         ],
         "Resource": ["*"]
       },
       {
         "Sid": "EMRS3LogAccess",
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"
       },
       {
         "Sid": "EMRPersistentApp",
         "Effect": "Allow",
         "Action": [
           "elasticmapreduce:CreatePersistentAppUI",
           "elasticmapreduce:DescribePersistentAppUI",
           "elasticmapreduce:GetPersistentAppUIPresignedURL"
         ],
         "Resource": ["*"]
       }
     ]
   }
   EOF
   ```

1. Create and attach the policy:

   ```
   aws iam put-role-policy \
     --role-name SparkTroubleshootingMCPRole \
     --policy-name EMREC2TroubleshootingAccess \
     --policy-document file://emr-ec2-policy.json
   ```

Alternatively, if your role already uses the [AmazonElasticMapReduceFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonElasticMapReduceFullAccess.html) AWS managed policy, you can attach that policy instead:

```
aws iam attach-role-policy \
  --role-name SparkTroubleshootingMCPRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess
```

### Option B: AWS Glue
<a name="spark-troubleshooting-agent-iam-glue"></a>

1. Create the policy document:

   ```
   cat > glue-policy.json << EOF
   {
     "Version": "2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "GlueReadAccess",
         "Effect": "Allow",
         "Action": [
           "glue:GetJob",
           "glue:GetJobRun",
           "glue:GetJobRuns",
           "glue:GetJobs",
           "glue:BatchGetJobs"
         ],
         "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"]
       },
       {
         "Sid": "GlueCloudWatchLogsAccess",
         "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/glue/*"]
       },
       {
         "Sid": "GlueSparkWebUI",
         "Effect": "Allow",
         "Action": [
           "glue:RequestLogParsing",
           "glue:GetLogParsingStatus",
           "glue:GetEnvironment",
           "glue:GetStage",
           "glue:GetStages",
           "glue:GetStageFiles",
           "glue:BatchGetStageFiles",
           "glue:GetStageAttempt",
           "glue:GetStageAttemptTaskList",
           "glue:GetStageAttemptTaskSummary",
           "glue:GetExecutors",
           "glue:GetExecutorsThreads",
           "glue:GetStorage",
           "glue:GetStorageUnit",
           "glue:GetQueries",
           "glue:GetQuery",
           "glue:GetDashboardUrl"
         ],
         "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"]
       },
       {
         "Sid": "GluePassRoleAccess",
         "Effect": "Allow",
         "Action": "iam:PassRole",
         "Resource": "*",
         "Condition": {
           "StringLike": {
             "iam:PassedToService": "glue.amazonaws.com"
           }
         }
       }
     ]
   }
   EOF
   ```

1. Attach the policy:

   ```
   aws iam put-role-policy \
     --role-name SparkTroubleshootingMCPRole \
     --policy-name GlueTroubleshootingAccess \
     --policy-document file://glue-policy.json
   ```

### Option C: EMR Serverless
<a name="spark-troubleshooting-agent-iam-emr-serverless"></a>

1. Create the policy document:

   ```
   cat > emr-serverless-policy.json << EOF
   {
     "Version": "2012-10-17",		 	 	 
     "Statement": [
       {
         "Sid": "EMRServerlessReadAccess",
         "Effect": "Allow",
         "Action": [
           "emr-serverless:GetJobRun",
           "emr-serverless:GetApplication",
           "emr-serverless:ListApplications",
           "emr-serverless:ListJobRuns",
           "emr-serverless:ListJobRunAttempts",
           "emr-serverless:GetDashboardForJobRun",
           "emr-serverless:ListTagsForResource"
         ],
         "Resource": ["*"]
       },
       {
         "Sid": "EMRServerlessCloudWatchLogsAccess",
         "Effect": "Allow",
         "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
         "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/emr-serverless/*"]
       },
       {
         "Sid": "EMRServerlessS3LogsAccess",
         "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*"
       }
     ]
   }
   EOF
   ```

1. Attach the policy:

   ```
   aws iam put-role-policy \
     --role-name SparkTroubleshootingMCPRole \
     --policy-name EMRServerlessTroubleshootingAccess \
     --policy-document file://emr-serverless-policy.json
   ```

### Optional: KMS permissions for encrypted CloudWatch Logs
<a name="spark-troubleshooting-agent-iam-kms"></a>

If your CloudWatch Logs are encrypted with a customer managed KMS key, add the following (replace `<KEY_ID>` with your KMS key ID):

```
aws iam put-role-policy \
  --role-name SparkTroubleshootingMCPRole \
  --policy-name KMSCloudWatchLogsDecrypt \
  --policy-document "{
    \"Version\": \"2012-10-17\",
    \"Statement\": [{
      \"Effect\": \"Allow\",
      \"Action\": [\"kms:Decrypt\", \"kms:DescribeKey\"],
      \"Resource\": \"arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/<KEY_ID>\"
    }]
  }"
```
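The heredocs in Steps 1 and 2 substitute `${ACCOUNT_ID}` from your shell, and the KMS snippet still contains the literal `<KEY_ID>` placeholder; if the variable is unset or the placeholder is left in, `put-role-policy` either fails or, worse, attaches a policy scoped to the wrong account. The script below is an added example, not AWS tooling: it renders the Option B policy for a given account ID (the Spark Web UI statement is omitted to keep it short; add it the same way) and applies the checks a reviewer would make by hand before attaching any of the documents on this page: no unsubstituted placeholders, every ARN's account field matches the role's account, no wildcard actions, and `iam:PassRole` always carries an `iam:PassedToService` condition. The account ID `123456789012` is a constructed default.

```python
"""Render and sanity-check inline policy documents before `aws iam put-role-policy`.

Added example; not AWS tooling. Checks: placeholders, ARN account field,
wildcard actions, and iam:PassRole constrained by iam:PassedToService.
"""
import json
import re
import sys

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def glue_policy(account_id: str) -> dict:
    """Option B policy with ${ACCOUNT_ID} substituted, as the shell heredoc does.
    The GlueSparkWebUI statement from the page is omitted here for brevity."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "GlueReadAccess",
                "Effect": "Allow",
                "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns",
                           "glue:GetJobs", "glue:BatchGetJobs"],
                "Resource": [f"arn:aws:glue:*:{account_id}:job/*"],
            },
            {
                "Sid": "GlueCloudWatchLogsAccess",
                "Effect": "Allow",
                "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
                "Resource": [f"arn:aws:logs:*:{account_id}:log-group:/aws/glue/*"],
            },
            {
                "Sid": "GluePassRoleAccess",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": "*",
                "Condition": {"StringLike": {"iam:PassedToService": "glue.amazonaws.com"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict, account_id: str) -> list:
    """Return human-readable findings; an empty list means the document passed."""
    findings = []
    if not ACCOUNT_ID_RE.match(account_id):
        findings.append(f"account ID {account_id!r} is not 12 digits (is ACCOUNT_ID set?)")
    if doc.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17 for condition keys to be honoured")
    for stmt in doc.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny only narrows access; nothing to flag
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "iam:PassRole" in actions and "iam:PassedToService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{sid}: iam:PassRole without an iam:PassedToService condition")
        for res in resources:
            if "${" in res or "<" in res:
                findings.append(f"{sid}: unsubstituted placeholder in {res}")
            elif res.startswith("arn:"):
                parts = res.split(":", 5)
                acct = parts[4] if len(parts) > 4 else ""
                if acct not in ("", account_id):
                    findings.append(f"{sid}: resource {res} belongs to account {acct}, not {account_id}")
    return findings


if __name__ == "__main__":
    # Usage: python lint_policy.py "$ACCOUNT_ID" > glue-policy.json
    acct = sys.argv[1] if len(sys.argv) > 1 else "123456789012"  # constructed default
    policy = glue_policy(acct)
    problems = lint_policy(policy, acct)
    for problem in problems:
        print("FINDING:", problem, file=sys.stderr)
    if problems:
        sys.exit(1)
    print(json.dumps(policy, indent=2))  # ready for --policy-document file://glue-policy.json
```

To lint a document you already wrote with the heredocs, `json.load` the file and pass it to `lint_policy` with the same account ID; the KMS snippet fails on the `<KEY_ID>` placeholder until you replace it.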

## Step 3: Configure your MCP client
<a name="spark-troubleshooting-agent-iam-step3"></a>

Configure your MCP client (for example, Claude Desktop or Amazon Q Developer) to use the ARN of the role you created:

```
echo "arn:aws:iam::${ACCOUNT_ID}:role/SparkTroubleshootingMCPRole"
```

For how to configure AWS credentials (typically through a profile that assumes this role), see your MCP client's documentation.

## Condition keys for MCP server requests
<a name="spark-troubleshooting-agent-mcp-permissions-change"></a>

Two condition keys are automatically added to all requests made through the SMUS MCP server:
+ `aws:ViaAWSMCPService`: set to `true` for any request made through an AWS managed MCP server.
+ `aws:CalledViaAWSMCP`: set to the MCP server's service principal (for example, `sagemaker-unified-studio-mcp.amazonaws.com`).

You can use these condition keys to control access to resources when requests originate from an AWS managed MCP server.

**Example: allow Glue read operations only when accessed through the SMUS MCP server:**

```
{
  "Version": "2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "AllowGlueReadViaSMUSMCP",
      "Effect": "Allow",
      "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
        }
      }
    }
  ]
}
```

**Example: deny delete operations when accessed through any AWS managed MCP server:**

```
{
  "Effect": "Deny",
  "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:ViaAWSMCPService": "true"
    }
  }
}
```

For more information about condition keys, see [AWS global condition context keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html) in the *IAM User Guide*.
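To see how the two example statements above behave before deploying them, the following added example (not AWS code) models the parts of IAM policy evaluation that matter here: a matching explicit Deny beats any Allow, and a condition whose key is absent from the request context does not match, so the Glue Allow is silent for ordinary CLI or console calls. It supports only `StringEquals` and `Bool`, ignores `Resource` matching because every statement below uses `"*"`, and adds a constructed plain Allow for the S3 delete actions so the Deny has something to override. The `other-mcp.amazonaws.com` principal in the test is a constructed value.

```python
"""Minimal evaluator for the aws:ViaAWSMCPService / aws:CalledViaAWSMCP examples.

Added example, not AWS code. Models: explicit Deny wins, missing context key
fails the condition, StringEquals and Bool only, Resource matching ignored.
"""
import fnmatch

SMUS_MCP_PRINCIPAL = "sagemaker-unified-studio-mcp.amazonaws.com"

# The two statements from this page plus a constructed plain Allow for delete,
# so the Deny statement has an Allow to override.
STATEMENTS = [
    {"Sid": "AllowGlueReadViaSMUSMCP", "Effect": "Allow",
     "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}}},
    {"Sid": "AllowS3Delete", "Effect": "Allow",  # constructed for the demonstration
     "Action": ["s3:DeleteObject", "s3:DeleteBucket"], "Resource": "*"},
    {"Sid": "DenyDeleteViaAnyMCP", "Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteBucket"], "Resource": "*",
     "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair must match. A key missing from the request
    context fails the condition (there is no ...IfExists variant here)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual = context[key]
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(_as_list(expected)[0]).lower():
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True


def evaluate(statements, action: str, context: dict) -> str:
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for a single request."""
    decision = "implicitDeny"
    for stmt in statements:
        # IAM action patterns use * and ?; fnmatchcase gives the same semantics here.
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # a matching Deny ends evaluation
        decision = "allow"
    return decision


def via_smus_mcp() -> dict:
    """Request context the SMUS MCP server attaches automatically."""
    return {"aws:ViaAWSMCPService": "true", "aws:CalledViaAWSMCP": SMUS_MCP_PRINCIPAL}


if __name__ == "__main__":
    for action, ctx, label in [
        ("glue:GetJob", via_smus_mcp(), "Glue read via SMUS MCP"),
        ("glue:GetJob", {}, "Glue read from the CLI"),
        ("s3:DeleteObject", {}, "S3 delete from the CLI"),
        ("s3:DeleteObject", via_smus_mcp(), "S3 delete via SMUS MCP"),
    ]:
        print(f"{label:26s} -> {evaluate(STATEMENTS, action, ctx)}")
```

The same shape of check can be run against the real service with `aws iam simulate-principal-policy` and `--context-entries` for the two keys once the role exists; the local model is only for reasoning about the statements before they are attached.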