本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
授予批次操作的許可
建立和執行 S3 批次操作任務之前,您必須授予必要的權限。若要建立 Amazon S3 批次操作任務,則必須具備 s3:CreateJob 使用者許可。建立任務的相同實體也必須具有iam:PassRole許可,才能將為任務指定的 AWS Identity and Access Management (IAM) 角色傳遞至批次操作。
有關指定 IAM 資源的一般資訊,請參閱《IAM 使用者指南》中的 IAM JSON 政策、資源元素。以下各節提供有關建立 IAM 角色和連接政策的資訊。
建立 S3 批次操作 IAM 角色
Amazon S3 必須擁有代表您執行 S3 批次操作的許可。您可以透過 AWS Identity and Access Management (IAM) 角色授予這些許可。此區段提供您在建立 IAM 角色時使用的信任和許可政策的範例。如需詳細資訊,請參閱《IAM 使用者指南》中的 IAM 角色。如需範例,請參閱 使用作業標籤控制 Batch Operations 的許可 和 使用 S3 批次操作複製物件。
在您的 IAM 政策中,您也可以使用條件金鑰來篩選 S3 批次操作任務的存取許可。如需詳細資訊以及 Amazon S3 特定條件索引鍵的完整清單,請參閱服務授權參考中的 Amazon S3 的動作、資源和條件索引鍵。
如需依 S3 資源類型列出 S3 API 操作許可的詳細資訊,請參閱Amazon S3 API 操作所需的許可。
下列影片包括如何使用 AWS Management Console,為批次操作任務設定 IAM 許可。
信任政策
若要允許 S3 批次操作服務主體擔任 IAM 角色,請將下列信任政策連接到該角色。
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"batchoperations.s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] }
連接許可政策
根據操作類型,您可以附加下列其中一種政策。
在設定許可之前,請注意下列事項:
-
無論是哪一種操作,Amazon S3 都需要許可才能從 S3 儲存貯體中讀取資訊清單物件,並選擇性地將報告寫入儲存貯體。因此,所有下列政策都包含這些許可。
-
針對 Amazon S3 庫存報告資訊清單,S3 批次操作需要讀取 manifest.json 物件與所有相關聯 CSV 資料檔案的許可。
-
只有在指定物件的版本 ID 時才需要版本特定的許可 (如
s3:GetObjectVersion)。 -
如果您在加密的物件上執行 S3 批次操作,IAM 角色也必須能夠存取用來加密物件的 AWS KMS 金鑰。
-
如果您提交使用 加密的庫存報告資訊清單 AWS KMS,IAM 政策必須包含 manifest.json 物件
"kms:Decrypt"和所有相關 CSV 資料檔案"kms:GenerateDataKey"的許可和 。 如果批次操作任務在已啟用存取控制清單 (ACLs) 且位於不同 的儲存貯體中產生資訊清單 AWS 帳戶,您必須在為批次任務設定的 IAM 角色的 IAM 政策中授予
s3:PutObjectAcl許可。如果您未包含此許可,批次作業會失敗並顯示錯誤Error occurred when preparing manifest: Failed to write manifest。
複製物件:PutObject
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging" ], "Effect": "Allow", "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" }, { "Action": [ "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::amzn-s3-demo-source-bucket", "arn:aws:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
取代物件標記:PutObjectTagging
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectTagging", "s3:PutObjectVersionTagging" ], "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
刪除物件標記:DeleteObjectTagging
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
取代存取控制清單:PutObjectAcl
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:PutObjectAcl", "s3:PutObjectVersionAcl" ], "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
還原物件:RestoreObject
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:RestoreObject" ], "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
套用物件鎖定保留:PutObjectRetention
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::amzn-s3-demo-destination-bucket" ] }, { "Effect": "Allow", "Action": [ "s3:PutObjectRetention", "s3:BypassGovernanceRetention" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
套用物件鎖定法務保存:PutObjectLegalHold
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:GetBucketObjectLockConfiguration", "Resource": [ "arn:aws:s3:::amzn-s3-demo-destination-bucket" ] }, { "Effect": "Allow", "Action": "s3:PutObjectLegalHold", "Resource": [ "arn:aws:s3:::amzn-s3-demo-destination-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
使用 S3 產生的資訊清單複寫現有物件:InitiateReplication
如果您使用並儲存 S3 產生的資訊清單,請使用此政策。如需使用 Batch Operations 來複寫現有物件的詳細資訊,請參閱使用批次複寫來複寫現有物件。
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "s3:InitiateReplication" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Action":[ "s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-source-bucket" ] }, { "Action":[ "s3:GetObject", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*", "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] } ] }
使用使用者資訊清單複寫現有物件:InitiateReplication
如果您使用使用者提供的資訊清單,請使用此政策。如需使用 Batch Operations 來複寫現有物件的詳細資訊,請參閱使用批次複寫來複寫現有物件。
{ "Version":"2012-10-17", "Statement":[ { "Action":[ "s3:InitiateReplication" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-source-bucket/*" ] }, { "Action":[ "s3:GetObject", "s3:GetObjectVersion" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*" ] }, { "Effect":"Allow", "Action":[ "s3:PutObject" ], "Resource":[ "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*" ] } ] }
