Granting permissions for Batch Operations - Amazon Simple Storage Service

Granting permissions for Batch Operations

Before you create and run S3 Batch Operations jobs, you must grant the required permissions. To create an Amazon S3 Batch Operations job, the caller needs the s3:CreateJob permission. The same entity that creates the job must also have the iam:PassRole permission so that it can pass the AWS Identity and Access Management (IAM) role specified for the job to Batch Operations. Scope that iam:PassRole grant to the ARN of the Batch Operations role rather than to all roles, so that a job creator cannot hand a more privileged role to the service.

For general information about specifying IAM resources, see IAM JSON policy, Resource elements in the IAM User Guide. The following sections describe how to create the IAM role and attach policies to it.

Creating an S3 Batch Operations IAM role

Amazon S3 must have permissions to perform S3 Batch Operations on your behalf. You grant these permissions through an AWS Identity and Access Management (IAM) role. This section provides examples of the trust policy and permissions policies that you use when creating the IAM role. For more information, see IAM roles in the IAM User Guide. For examples, see Controlling permissions for Batch Operations using job tags and Copying objects using S3 Batch Operations.

In your IAM policies, you can also use condition keys to filter access to S3 Batch Operations jobs. For more information and a complete list of Amazon S3-specific condition keys, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

For the permissions required by each S3 API operation, listed by S3 resource type, see Required permissions for Amazon S3 API operations.


Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attaching permissions policies

Depending on the type of operation, attach one of the following policies to the role.

Before you configure permissions, note the following:

  • Regardless of the operation, Amazon S3 needs permission to read the manifest object from your S3 bucket and, optionally, to write a completion report to your bucket. All of the following policies therefore include those permissions.

  • For Amazon S3 Inventory report manifests, S3 Batch Operations needs permission to read the manifest.json object and all associated CSV data files.

  • Version-specific permissions such as s3:GetObjectVersion are required only when you specify object version IDs.

  • If you run S3 Batch Operations on encrypted objects, the IAM role also needs access to the AWS KMS keys used to encrypt those objects.

  • If you submit an Inventory report manifest that is encrypted with AWS KMS, your IAM policy must include the "kms:Decrypt" and "kms:GenerateDataKey" permissions for the manifest.json object and all associated CSV data files.

  • If the Batch Operations job generates a manifest in a bucket that has access control lists (ACLs) enabled and belongs to a different AWS account, you must grant the s3:PutObjectAcl permission in the IAM policy of the role configured for the job. If you omit this permission, the job fails with the error Error occurred when preparing manifest: Failed to write manifest.
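The following Python script is an added example and is not code from the AWS page. It turns the rules in the list above, together with the s3:CreateJob and iam:PassRole requirement for the job creator stated at the top of this page, into generated policy documents and a small lint pass that flags grants broader than the page's examples. The account ID, bucket names and KMS key ARN are placeholders. The optional aws:SourceAccount trust condition and the iam:PassedToService condition on PassRole are hardening assumptions, not something this page specifies, so validate them with a test job before relying on them.

```python
"""Generate least-privilege policy documents for an S3 Batch Operations job (added example;
encodes the rules listed on this page; bucket names, account ID and key ARN are placeholders)."""
import json
BATCH_OPS_PRINCIPAL = "batchoperations.s3.amazonaws.com"
# Actions each operation needs on the objects it acts on, taken from the policies on this page.
OPERATION_ACTIONS = {
    "PutObject": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
    "PutObjectTagging": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
    "DeleteObjectTagging": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"],
    "PutObjectAcl": ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
    "RestoreObject": ["s3:RestoreObject"],
    "PutObjectRetention": ["s3:PutObjectRetention"],
    "PutObjectLegalHold": ["s3:PutObjectLegalHold"],
    "InitiateReplication": ["s3:InitiateReplication"],
}

def s3_arn(bucket, objects=False):
    return f"arn:aws:s3:::{bucket}/*" if objects else f"arn:aws:s3:::{bucket}"

def trust_policy(source_account=None):
    """Trust policy for the role that Batch Operations assumes (as on this page)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": BATCH_OPS_PRINCIPAL}, "Action": "sts:AssumeRole"}
    if source_account:
        # Assumption, not on the page: confused-deputy guard that only works if the service sets
        # aws:SourceAccount. If it does not, AssumeRole fails closed, so try it on a test job first.
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": source_account}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def role_permission_policy(operation, bucket, manifest_bucket, report_bucket, source_bucket=None,
                           use_version_ids=False, kms_key_arn=None, bypass_governance=False,
                           s3_generated_manifest=False, report_bucket_cross_account_acls=False):
    """Permissions policy for the role; `bucket` is the bucket the operation acts on."""
    actions = list(OPERATION_ACTIONS[operation])
    if operation == "PutObjectRetention" and bypass_governance:
        actions.append("s3:BypassGovernanceRetention")  # only to shorten/remove governance retention
    statements = [{"Effect": "Allow", "Action": actions, "Resource": s3_arn(bucket, True)}]
    if operation == "PutObject":  # a copy job also reads the source bucket
        if not source_bucket:
            raise ValueError("copy jobs need a source bucket")
        read = ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket"]
        if use_version_ids:  # version-specific action only when the manifest carries version IDs
            read.append("s3:GetObjectVersion")
        statements.append({"Effect": "Allow", "Action": read,
                           "Resource": [s3_arn(source_bucket), s3_arn(source_bucket, True)]})
    if operation in ("PutObjectRetention", "PutObjectLegalHold"):
        statements.append({"Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration",
                           "Resource": s3_arn(bucket)})
    write_targets = [s3_arn(report_bucket, True)]
    if operation == "InitiateReplication" and s3_generated_manifest:
        # S3 reads the replication config, creates an inventory and writes the generated manifest.
        statements.append({"Effect": "Allow", "Resource": s3_arn(bucket),
                           "Action": ["s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration"]})
        write_targets.append(s3_arn(manifest_bucket, True))
    # Every job reads its manifest (manifest.json plus the CSV data files of an inventory report).
    statements.append({"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                       "Resource": s3_arn(manifest_bucket, True)})
    write = ["s3:PutObject"]
    if report_bucket_cross_account_acls:
        # Without this, writing a manifest or report to an ACL-enabled bucket in another account
        # fails with "Error occurred when preparing manifest: Failed to write manifest".
        write.append("s3:PutObjectAcl")
    statements.append({"Effect": "Allow", "Action": write, "Resource": write_targets})
    if kms_key_arn:  # objects or manifest are encrypted with SSE-KMS
        statements.append({"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                           "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}

def job_creator_policy(role_arn):
    """Policy for the principal that calls CreateJob: s3:CreateJob plus a scoped PassRole."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:CreateJob", "Resource": "*"},
        # Pass only this role, and only to Batch Operations. Assumption: the service reports its
        # principal in iam:PassedToService; confirm with a test job if PassRole is denied.
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": BATCH_OPS_PRINCIPAL}}},
    ]}

def lint(policy):
    """Findings for grants broader than the examples on this page."""
    findings = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action in {actions}")
        if "*" in resources and actions != ["s3:CreateJob"]:  # CreateJob has no resource-level scope
            findings.append(f"wildcard resource for {actions}")
        if "s3:BypassGovernanceRetention" in actions:
            findings.append("s3:BypassGovernanceRetention lets the job shorten or remove governance retention")
    return findings

if __name__ == "__main__":
    role = role_permission_policy("PutObject", "amzn-s3-demo-destination-bucket", "amzn-s3-demo-manifest-bucket",
                                  "amzn-s3-demo-completion-report-bucket", source_bucket="amzn-s3-demo-source-bucket")
    for doc in (trust_policy(), role, job_creator_policy("arn:aws:iam::111122223333:role/s3-batch-ops-role")):
        print(json.dumps(doc, indent=2))
    print("lint findings:", lint(role))
```

The generated dictionaries are ordinary policy documents: pass json.dumps(trust_policy()) as AssumeRolePolicyDocument to iam.create_role and json.dumps(role) as PolicyDocument to iam.put_role_policy in boto3, or save them to files for the AWS CLI. Run lint() over the policies on this page and the only finding is the s3:BypassGovernanceRetention grant in the retention policy, which is the one permission here that a practitioner should add deliberately rather than by default.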

Copying objects: PutObject

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket"],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-source-bucket",
        "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replacing object tags: PutObjectTagging

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Deleting object tags: DeleteObjectTagging

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replacing access control lists: PutObjectAcl

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Restoring objects: RestoreObject

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:RestoreObject"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Applying Object Lock retention: PutObjectRetention

This policy includes s3:BypassGovernanceRetention, which lets the job shorten or remove governance-mode retention periods on existing objects. Omit it if the job only needs to set or extend retention.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectRetention", "s3:BypassGovernanceRetention"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Applying Object Lock legal hold: PutObjectLegalHold

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replicating existing objects with an S3-generated manifest: InitiateReplication

Use this policy if you use and store an S3-generated manifest. Because S3 creates the manifest for you, the role also needs to read the bucket's replication configuration, create an inventory configuration, and write the generated manifest into the manifest bucket. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with Batch Replication.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:InitiateReplication"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Action": ["s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket"]
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
        "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    }
  ]
}

Replicating existing objects with a user-provided manifest: InitiateReplication

Use this policy if you supply your own manifest. For more information about using Batch Operations to replicate existing objects, see Replicating existing objects with Batch Replication.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["s3:InitiateReplication"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Computing checksums: allow GetObject, GetObjectVersion, RestoreObject, and PutObject

Use this policy if you run the Compute Checksum operation with S3 Batch Operations. The GetObject, GetObjectVersion, and RestoreObject permissions are required to retrieve and read the bytes of the stored data. Replace the user input placeholders with your own values: following the pattern of the policies above, amzn-s3-demo-bucket1 holds the objects whose checksums are computed, amzn-s3-demo-bucket2 holds the manifest, and amzn-s3-demo-bucket3 receives the completion report. For more information about computing checksums, see Checking object integrity for data at rest in Amazon S3.

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:RestoreObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket2/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket3/*"]
    }
  ]
}