本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 为 Managed Service for Apache Flink 的 Studio 笔记本创建自定义 IAM 策略
您通常使用托管 IAM 策略来允许您的应用程序访问依赖资源。如果您需要更好地控制应用程序的权限,则可以使用自定义 IAM policy。本节包含自定义 IAM 策略的示例。
**注意**
在以下策略示例中,将占位符文本替换为应用程序的值。
**Topics**
+ [AWS Glue](#how-zeppelin-iam-glue)
+ [CloudWatch 日志](#how-zeppelin-iam-cw)
+ [Kinesis Streams](#how-zeppelin-iam-streams)
+ [Amazon MSK 集群](#how-zeppelin-iam-msk)
## AWS Glue
以下示例策略授予访问 AWS Glue 数据库的权限。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GlueTable",
"Effect": "Allow",
"Action": [
"glue:GetConnection",
"glue:GetTable",
"glue:GetTables",
"glue:GetDatabase",
"glue:CreateTable",
"glue:UpdateTable"
],
"Resource": [
"arn:aws:glue:us-east-1:123456789012:connection/*",
"arn:aws:glue:us-east-1:123456789012:table//*",
"arn:aws:glue:us-east-1:123456789012:database/",
"arn:aws:glue:us-east-1:123456789012:database/hive",
"arn:aws:glue:us-east-1:123456789012:catalog"
]
},
{
"Sid": "GlueDatabase",
"Effect": "Allow",
"Action": "glue:GetDatabases",
"Resource": "*"
}
]
}
```
------
## CloudWatch 日志
以下策略授予访问 CloudWatch 日志的权限:
```
{
"Sid": "ListCloudwatchLogGroups",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:::log-group:*"
]
},
{
"Sid": "ListCloudwatchLogStreams",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams"
],
"Resource": [
":log-stream:*"
]
},
{
"Sid": "PutCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
""
]
}
```
**注意**
如果您使用控制台创建应用程序,则控制台会向您的应用程序角色添加访问 CloudWatch 日志所需的策略。
## Kinesis Streams
您的应用程序可以使用 Kinesis Stream 作为源或目标。您的应用程序需要读取权限才能从源流中读取数据,需要写入权限才能写入目标流。
以下策略授予从用作来源的 Kinesis Stream 中进行读取的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KinesisShardDiscovery",
"Effect": "Allow",
"Action": "kinesis:ListShards",
"Resource": "*"
},
{
"Sid": "KinesisShardConsumption",
"Effect": "Allow",
"Action": [
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:RegisterStreamConsumer",
"kinesis:DeregisterStreamConsumer"
],
"Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/"
},
{
"Sid": "KinesisEfoConsumer",
"Effect": "Allow",
"Action": [
"kinesis:DescribeStreamConsumer",
"kinesis:SubscribeToShard"
],
"Resource": "arn:aws:kinesis:us-east-1:123456789012:stream//consumer/*"
}
]
}
```
------
以下策略授予写入用作目标的 Kinesis Stream 的权限:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KinesisStreamSink",
"Effect": "Allow",
"Action": [
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:DescribeStreamSummary",
"kinesis:DescribeStream"
],
"Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/"
}
]
}
```
------
如果您的应用程序访问加密的 Kinesis 流,则必须授予访问该流的额外权限和该流的加密密钥。
以下策略授予访问加密源流的权限和直播的加密密钥:
```
{
"Sid": "ReadEncryptedKinesisStreamSource",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
""
]
}
,
```
以下策略授予访问加密目标流的权限和直播的加密密钥:
```
{
"Sid": "WriteEncryptedKinesisStreamSink",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": [
""
]
}
```
## Amazon MSK 集群
要授予对 Amazon MSK 集群的访问权限,您需要向该集群的 VPC 授予访问权限。有关访问 Amazon VPC 的策略示例,请参阅 [VPC 应用程序权限](https://docs.aws.amazon.com/managed-flink/latest/java/vpc-permissions.html)。