

# Step 4: Create an IAM policy for notebook servers
<a name="create-notebook-policy"></a>

If you plan to use notebooks together with development endpoints, you must specify permissions when you create the notebook server. You provide these permissions by using AWS Identity and Access Management (IAM).

This policy grants permission for certain Amazon S3 actions to manage resources in your account that AWS Glue needs when it assumes the role that uses this policy. Some of the resources specified in this policy refer to the default names that AWS Glue uses for Amazon S3 buckets, Amazon S3 ETL scripts, and Amazon EC2 resources. For simplicity, AWS Glue by default writes some Amazon S3 objects into buckets in your account whose names carry the prefix `aws-glue-*`.

**Note**  
If you use the AWS managed policy **`AWSGlueServiceNotebookRole`**, you can skip this step.

In this step, you create a policy similar to `AWSGlueServiceNotebookRole`. You can find the latest version of `AWSGlueServiceNotebookRole` in the IAM console.

**To create an IAM policy for notebooks**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the left navigation pane, choose **Policies**.

1. Choose **Create policy**.

1. On the **Create Policy** screen, navigate to the tab for editing JSON. Create the policy document with the following JSON statements, and then choose **Review policy**.

------
#### [ JSON ]


   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "glue:CreateDatabase",
           "glue:CreatePartition",
           "glue:CreateTable",
           "glue:DeleteDatabase",
           "glue:DeletePartition",
           "glue:DeleteTable",
           "glue:GetDatabase",
           "glue:GetDatabases",
           "glue:GetPartition",
           "glue:GetPartitions",
           "glue:GetTable",
           "glue:GetTableVersions",
           "glue:GetTables",
           "glue:UpdateDatabase",
           "glue:UpdatePartition",
           "glue:UpdateTable",
           "glue:GetJobBookmark",
           "glue:ResetJobBookmark",
           "glue:CreateConnection",
           "glue:CreateJob",
           "glue:DeleteConnection",
           "glue:DeleteJob",
           "glue:GetConnection",
           "glue:GetConnections",
           "glue:GetDevEndpoint",
           "glue:GetDevEndpoints",
           "glue:GetJob",
           "glue:GetJobs",
           "glue:UpdateJob",
           "glue:BatchDeleteConnection",
           "glue:UpdateConnection",
           "glue:GetUserDefinedFunction",
           "glue:UpdateUserDefinedFunction",
           "glue:GetUserDefinedFunctions",
           "glue:DeleteUserDefinedFunction",
           "glue:CreateUserDefinedFunction",
           "glue:BatchGetPartition",
           "glue:BatchDeletePartition",
           "glue:BatchCreatePartition",
           "glue:BatchDeleteTable",
           "glue:UpdateDevEndpoint",
           "s3:GetBucketLocation",
           "s3:ListBucket",
           "s3:ListAllMyBuckets",
           "s3:GetBucketAcl"
         ],
         "Resource": [
           "*"
         ]
       },
       {
         "Effect": "Allow",
         "Action": [
           "s3:GetObject"
         ],
         "Resource": [
           "arn:aws:s3:::crawler-public*",
           "arn:aws:s3:::aws-glue*"
         ]
       },
       {
         "Effect": "Allow",
         "Action": [
           "s3:PutObject",
           "s3:DeleteObject"
         ],
         "Resource": [
           "arn:aws:s3:::aws-glue*"
         ]
       },
       {
         "Effect": "Allow",
         "Action": [
           "ec2:CreateTags",
           "ec2:DeleteTags"
         ],
         "Condition": {
           "ForAllValues:StringEquals": {
             "aws:TagKeys": [
               "aws-glue-service-resource"
             ]
           }
         },
         "Resource": [
           "arn:aws:ec2:*:*:network-interface/*",
           "arn:aws:ec2:*:*:security-group/*",
           "arn:aws:ec2:*:*:instance/*"
         ]
       }
     ]
   }
   ```

------

   The following table describes the permissions granted by this policy.  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_cn/glue/latest/dg/create-notebook-policy.html)

1. On the **Review Policy** screen, enter your **Policy Name**, for example **GlueServiceNotebookPolicyDefault**. Enter an optional description, and then choose **Create policy** when you are satisfied with the policy.
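Before attaching a policy like the one above, a reviewer typically wants to see at a glance which actions are granted on every resource (`"*"`), whether the S3 write actions are really confined to the `aws-glue*` bucket prefix, and which tag key the EC2 tagging statement is conditioned on. The following Python script is an added example (not part of the AWS documentation or the AWS Glue project) that answers those three questions for the policy document from the procedure; the document is embedded inline, compacted from the listing above, and the function names are the example's own.

```python
import json
from typing import Dict, List

# The policy document from the procedure above, compacted into Python so the
# checker runs offline (same statements, actions, resources and condition).
GLUE_ACTIONS = ["glue:" + a for a in (
    "CreateDatabase CreatePartition CreateTable DeleteDatabase DeletePartition "
    "DeleteTable GetDatabase GetDatabases GetPartition GetPartitions GetTable "
    "GetTableVersions GetTables UpdateDatabase UpdatePartition UpdateTable "
    "GetJobBookmark ResetJobBookmark CreateConnection CreateJob DeleteConnection "
    "DeleteJob GetConnection GetConnections GetDevEndpoint GetDevEndpoints "
    "GetJob GetJobs UpdateJob BatchDeleteConnection UpdateConnection "
    "GetUserDefinedFunction UpdateUserDefinedFunction GetUserDefinedFunctions "
    "DeleteUserDefinedFunction CreateUserDefinedFunction BatchGetPartition "
    "BatchDeletePartition BatchCreatePartition BatchDeleteTable UpdateDevEndpoint"
).split()]

POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": GLUE_ACTIONS + ["s3:GetBucketLocation", "s3:ListBucket",
                                   "s3:ListAllMyBuckets", "s3:GetBucketAcl"],
         "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::crawler-public*", "arn:aws:s3:::aws-glue*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::aws-glue*"]},
        {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
         "Condition": {"ForAllValues:StringEquals":
                       {"aws:TagKeys": ["aws-glue-service-resource"]}},
         "Resource": ["arn:aws:ec2:*:*:network-interface/*",
                      "arn:aws:ec2:*:*:security-group/*",
                      "arn:aws:ec2:*:*:instance/*"]},
    ],
}


def _as_list(value) -> List[str]:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def allow_statements(policy: dict) -> List[dict]:
    """Only Allow statements grant anything; Deny statements are not audited here."""
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def wildcard_resource_actions(policy: dict) -> List[str]:
    """Actions granted on Resource "*": the broadest grants in the policy."""
    found = set()
    for stmt in allow_statements(policy):
        if "*" in _as_list(stmt["Resource"]):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)


def resources_for_action(policy: dict, action: str) -> List[str]:
    """Every resource ARN on which `action` is allowed, across all statements."""
    found = set()
    for stmt in allow_statements(policy):
        if action in _as_list(stmt["Action"]):
            found.update(_as_list(stmt["Resource"]))
    return sorted(found)


def s3_write_scope(policy: dict) -> Dict[str, List[str]]:
    """Map each mutating S3 action (anything but s3:Get*/s3:List*) to its ARNs."""
    scope: Dict[str, set] = {}
    for stmt in allow_statements(policy):
        for action in _as_list(stmt["Action"]):
            if action.startswith("s3:") and not action.startswith(("s3:Get", "s3:List")):
                scope.setdefault(action, set()).update(_as_list(stmt["Resource"]))
    return {a: sorted(r) for a, r in sorted(scope.items())}


def ec2_tag_keys(policy: dict) -> List[str]:
    """Tag keys the ec2:*Tags grant is restricted to via the aws:TagKeys condition."""
    keys = set()
    for stmt in allow_statements(policy):
        if any(a.startswith("ec2:") and a.endswith("Tags") for a in _as_list(stmt["Action"])):
            cond = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
            keys.update(_as_list(cond.get("aws:TagKeys", [])))
    return sorted(keys)


def audit(policy: dict) -> dict:
    """Summarise the grants a reviewer checks before attaching the policy."""
    return {
        "wildcard_actions": wildcard_resource_actions(policy),
        "s3_write_scope": s3_write_scope(policy),
        "object_read_resources": resources_for_action(policy, "s3:GetObject"),
        "ec2_tag_keys": ec2_tag_keys(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(POLICY_DOCUMENT), indent=2))
```

Running the script shows that the 45 actions in the first statement (41 `glue:` actions plus the four S3 bucket-level reads) are the only ones granted on `"*"`, that `s3:PutObject` and `s3:DeleteObject` are limited to `arn:aws:s3:::aws-glue*`, and that EC2 tagging is confined to the `aws-glue-service-resource` key. The same functions can be pointed at any policy document you load with `json.load`, for example the current `AWSGlueServiceNotebookRole` copied from the IAM console, to compare its scope with this one.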