Prerequisites for setting up Amazon Neptune using AWS CloudFormation

Before you create an Amazon Neptune cluster using a CloudFormation template, you need:

  • An Amazon EC2 key pair.

  • The permissions required to use CloudFormation.

Create an Amazon EC2 key pair for launching a Neptune cluster using CloudFormation

To launch a Neptune DB cluster using a CloudFormation template, you must have an Amazon EC2 key pair (and its associated PEM file) in the region where you create the CloudFormation stack.

If you need to create a key pair, see Create a key pair using Amazon EC2 in the Amazon EC2 User Guide for instructions.

Add an IAM policy that grants the permissions required to use the CloudFormation template

First, set up an IAM user that has the permissions required to use Neptune, as described in Creating an IAM user with Neptune permissions.

Next, attach the AWS managed policy AWSCloudFormationReadOnlyAccess to that user.

Finally, create the following customer managed policy and attach it to that user:

JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/*",
      "Condition": {
        "StringEquals": {
          "iam:passedToService": "rds.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "rds.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "sns:ListTopics",
        "sns:ListSubscriptions",
        "sns:Publish"
      ],
      "Resource": "arn:aws:sns:*:111122223333:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListRetirableGrants",
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:ListKeyPolicies"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": "arn:aws:cloudwatch:*:111122223333:service/*-*",
      "Condition": {
        "StringLike": {
          "cloudwatch:namespace": "AWS/Neptune"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:111122223333:vpc/*",
        "arn:aws:ec2:*:111122223333:subnet/*",
        "arn:aws:ec2:*:111122223333:security-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBCluster",
        "rds:CreateDBInstance",
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:RemoveTagsFromResource",
        "rds:RemoveRoleFromDBCluster",
        "rds:ResetDBParameterGroup",
        "rds:CreateDBSubnetGroup",
        "rds:ModifyDBParameterGroup",
        "rds:DownloadDBLogFilePortion",
        "rds:CopyDBParameterGroup",
        "rds:AddRoleToDBCluster",
        "rds:ModifyDBInstance",
        "rds:ModifyDBClusterParameterGroup",
        "rds:ModifyDBClusterSnapshotAttribute",
        "rds:DeleteDBInstance",
        "rds:CopyDBClusterParameterGroup",
        "rds:CreateDBParameterGroup",
        "rds:DescribeDBSecurityGroups",
        "rds:DeleteDBSubnetGroup",
        "rds:DescribeValidDBInstanceModifications",
        "rds:ModifyDBCluster",
        "rds:CreateDBClusterSnapshot",
        "rds:DeleteDBParameterGroup",
        "rds:CreateDBClusterParameterGroup",
        "rds:PromoteReadReplicaDBCluster",
        "rds:RestoreDBClusterFromSnapshot",
        "rds:DescribeDBSubnetGroups",
        "rds:DescribePendingMaintenanceActions",
        "rds:DescribeDBParameterGroups",
        "rds:FailoverDBCluster",
        "rds:DescribeDBInstances",
        "rds:DescribeDBParameters",
        "rds:DeleteDBCluster",
        "rds:ResetDBClusterParameterGroup",
        "rds:RestoreDBClusterToPointInTime",
        "rds:DescribeDBClusterSnapshotAttributes",
        "rds:DescribeDBClusterParameters",
        "rds:CopyDBClusterSnapshot",
        "rds:DescribeDBLogFiles",
        "rds:DeleteDBClusterSnapshot",
        "rds:RebootDBInstance",
        "rds:DescribeDBClusterSnapshots",
        "rds:DeleteDBClusterParameterGroup",
        "rds:ApplyPendingMaintenanceAction",
        "rds:DescribeDBClusters",
        "rds:DescribeDBClusterParameterGroups",
        "rds:ModifyDBSubnetGroup"
      ],
      "Resource": [
        "arn:aws:rds:*:111122223333:cluster-snapshot:*",
        "arn:aws:rds:*:111122223333:cluster:*",
        "arn:aws:rds:*:111122223333:pg:*",
        "arn:aws:rds:*:111122223333:cluster-pg:*",
        "arn:aws:rds:*:111122223333:secgrp:*",
        "arn:aws:rds:*:111122223333:db:*",
        "arn:aws:rds:*:111122223333:subgrp:*"
      ],
      "Condition": {
        "StringEquals": {
          "rds:DatabaseEngine": [
            "graphdb",
            "neptune"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:GetLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:111122223333:log-group:*:log-stream:*",
        "arn:aws:logs:*:111122223333:log-group:*"
      ]
    }
  ]
}
Note

The following permissions are required only when you delete the stack:

  • iam:DeleteRole

  • iam:RemoveRoleFromInstanceProfile

  • iam:DeleteRolePolicy

  • iam:DeleteInstanceProfile

  • ec2:DeleteVpcEndpoints

Also note that a wildcard action such as ec2:*Vpc also grants the ec2:DeleteVpc permission.
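The two points a practitioner checks before attaching this policy are shown in the following added example, which is not part of the AWS documentation: it expands IAM action wildcards the way IAM does (case-insensitively), so that ec2:*Vpc is seen to match ec2:DeleteVpc, and it substitutes a real account ID for the placeholder 111122223333 while flagging any statement left with a bare "*" resource. The EC2 action list and the second statement in POLICY are constructed for the example; only the PassRole statement comes from the policy above.

```python
import fnmatch
import json
import re

# Constructed subset of EC2 action names, used only to show how IAM expands a
# wildcard such as "ec2:*Vpc" (the note on this page). It is not exhaustive.
EC2_ACTIONS = [
    "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute",
    "ec2:ModifyVpcAttribute", "ec2:DeleteVpcEndpoints", "ec2:DescribeSubnets",
]
ACCOUNT_PLACEHOLDER = "111122223333"  # sample account ID used in the policy above

def _as_list(value):
    return value if isinstance(value, list) else [value]

def matching_actions(pattern, catalogue=EC2_ACTIONS):
    """IAM matches Action patterns case-insensitively, with '*' and '?' wildcards."""
    return sorted(a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower()))

def wildcard_deletes(policy, catalogue=EC2_ACTIONS):
    """Delete* actions that Allow statements grant only through a wildcard pattern."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if "*" in pattern:
                found.update(a for a in matching_actions(pattern, catalogue) if ":Delete" in a)
    return sorted(found)

def scope_policy(policy, account_id):
    """Swap in a real account ID; also return indexes of statements left with Resource '*'."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    scoped = json.loads(json.dumps(policy).replace(ACCOUNT_PLACEHOLDER, account_id))
    unscoped = [i for i, s in enumerate(scoped["Statement"])
                if "*" in _as_list(s.get("Resource", []))]
    return scoped, unscoped

# Constructed excerpt: the page's PassRole statement plus a hypothetical "ec2:*Vpc" shortcut.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::111122223333:role/*",
         "Condition": {"StringEquals": {"iam:passedToService": "rds.amazonaws.com"}}},
        {"Effect": "Allow", "Action": ["ec2:*Vpc", "ec2:DescribeSubnets"], "Resource": "*"},
    ],
}
```

Running wildcard_deletes(POLICY) reports ec2:DeleteVpc, which is why the page's policy lists the six ec2:Describe* actions explicitly instead of a wildcard.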