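Enabling S3 Object Lock using S3 Batch Operations

You can use Amazon S3 Batch Operations with S3 Object Lock to manage retention or enable a legal hold for many Amazon S3 objects at once. You specify the list of target objects in a manifest and submit it to Batch Operations for completion. For more information, see S3 Object Lock retention and S3 Object Lock legal hold.

The following examples show how to create an AWS Identity and Access Management (IAM) role with S3 Batch Operations permissions and update the role permissions to create jobs that enable Object Lock. You must also have a CSV manifest that identifies the objects for your S3 Batch Operations job. For more information, see Specifying a manifest.

To use the following examples, replace the user input placeholders with your own information.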
- Create an IAM role and assign S3 Batch Operations permissions to run. This step is required for all S3 Batch Operations jobs.

  ```bash
  export AWS_PROFILE='aws-user'

  # Trust policy: lets the S3 Batch Operations service assume the role.
  read -d '' batch_operations_trust_policy <<EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": [
            "batchoperations.s3.amazonaws.com"
          ]
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  EOF

  aws iam create-role --role-name batch_operations-objectlock \
      --assume-role-policy-document "${batch_operations_trust_policy}"
  ```
- Set up S3 Batch Operations with S3 Object Lock to run. In this step, you allow the role to do the following:

  - Run Object Lock on the S3 bucket that contains the target objects that you want Batch Operations to run on.
  - Read the S3 bucket where the manifest CSV file and the objects are located.
  - Write the results of the S3 Batch Operations job to the reporting bucket.

  ```bash
  # Permissions policy: attached to the role as an inline policy.
  read -d '' batch_operations_permissions <<EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:GetBucketObjectLockConfiguration",
        "Resource": [
          "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:GetObjectVersion",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "arn:aws:s3:::{{amzn-s3-demo-manifest-bucket}}/*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetBucketLocation"
        ],
        "Resource": [
          "arn:aws:s3:::{{amzn-s3-demo-completion-report-bucket}}/*"
        ]
      }
    ]
  }
  EOF

  aws iam put-role-policy --role-name batch_operations-objectlock \
      --policy-name object-lock-permissions \
      --policy-document "${batch_operations_permissions}"
  ```
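The check below is an added example, not part of the AWS documentation or its sample code. It validates the trust policy and the permissions policy used on this page before they are sent to IAM, catching the two documents being swapped, a `{{...}}` placeholder left unreplaced, and statements broader than the ones shown. The function names and the rules (a single service principal, named `s3:` actions, one bucket per resource, the standard `aws` partition) are assumptions of this example.

```python
import json
import re

S3_ARN = "arn:aws:s3:::"  # assumption: standard partition, as in the page's policies
BATCH_OPS = "batchoperations.s3.amazonaws.com"
PLACEHOLDER = re.compile(r"\{\{.*?\}\}")  # unreplaced {{...}} user input placeholder


def _as_list(value):
    """IAM accepts a string or a list for Action, Resource and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Return problems found in a role trust (assume-role) policy document."""
    problems = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        principal = st.get("Principal")
        if principal is None or "Resource" in st:
            problems.append(f"statement {i}: this is a permissions policy, not a trust policy")
            continue
        only_batch_ops = (isinstance(principal, dict) and set(principal) == {"Service"}
                          and _as_list(principal["Service"]) == [BATCH_OPS])
        if not only_batch_ops:
            problems.append(f"statement {i}: principal must be only {BATCH_OPS}")
        if _as_list(st.get("Action")) != ["sts:AssumeRole"]:
            problems.append(f"statement {i}: action must be sts:AssumeRole only")
    return problems


def check_permissions_policy(policy_json):
    """Return problems found in the role's inline permissions policy document."""
    problems = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if "Principal" in st:
            problems.append(f"statement {i}: Principal does not belong in a permissions policy")
        for action in _as_list(st.get("Action")):
            if not action.startswith("s3:") or "*" in action:
                problems.append(f"statement {i}: action {action!r} is outside the named S3 actions")
        for resource in _as_list(st.get("Resource")):
            in_s3 = resource.startswith(S3_ARN)
            bucket = resource[len(S3_ARN):].split("/", 1)[0] if in_s3 else ""
            if PLACEHOLDER.search(resource):
                problems.append(f"statement {i}: unreplaced placeholder in {resource!r}")
            elif not bucket or "*" in bucket:
                problems.append(f"statement {i}: resource {resource!r} is not scoped to one bucket")
    return problems
```

Both functions return an empty list when the document matches the shape shown on this page, so they can gate the `create-role` and `put-role-policy` calls.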
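The following examples show how to use the AWS SDK for Java to create an IAM role with S3 Batch Operations permissions and update the role permissions to create jobs that enable Object Lock. You must also have a CSV manifest that identifies the objects for your S3 Batch Operations job. For more information, see Specifying a manifest.

Perform the following steps:

- Create an IAM role and assign S3 Batch Operations permissions to run. This step is required for all S3 Batch Operations jobs.
- Set up S3 Batch Operations with S3 Object Lock to run. You allow the role to do the following:

  - Run Object Lock on the S3 bucket that contains the target objects that you want Batch Operations to run on.
  - Read the S3 bucket where the manifest CSV file and the objects are located.
  - Write the results of the S3 Batch Operations job to the reporting bucket.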
```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
import com.amazonaws.services.identitymanagement.model.CreateRoleRequest;
import com.amazonaws.services.identitymanagement.model.CreateRoleResult;
import com.amazonaws.services.identitymanagement.model.PutRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.PutRolePolicyResult;

// Place this method in your own class.
public void createObjectLockRole() {
    final String roleName = "batch_operations-object-lock";

    // Trust policy: lets the S3 Batch Operations service assume the role.
    final String trustPolicy =
            "{" +
            "  \"Version\": \"2012-10-17\", " +
            "  \"Statement\": [ " +
            "    { " +
            "      \"Effect\": \"Allow\", " +
            "      \"Principal\": { " +
            "        \"Service\": [" +
            "          \"batchoperations.s3.amazonaws.com\"" +
            "        ]" +
            "      }, " +
            "      \"Action\": \"sts:AssumeRole\" " +
            "    } " +
            "  ]" +
            "}";

    // Permissions policy: what the role may do once assumed.
    final String bopsPermissions =
            "{" +
            "    \"Version\": \"2012-10-17\"," +
            "    \"Statement\": [" +
            "        {" +
            "            \"Effect\": \"Allow\"," +
            "            \"Action\": \"s3:GetBucketObjectLockConfiguration\"," +
            "            \"Resource\": [" +
            "                \"arn:aws:s3:::amzn-s3-demo-manifest-bucket\"" +
            "            ]" +
            "        }," +
            "        {" +
            "            \"Effect\": \"Allow\"," +
            "            \"Action\": [" +
            "                \"s3:GetObject\"," +
            "                \"s3:GetObjectVersion\"," +
            "                \"s3:GetBucketLocation\"" +
            "            ]," +
            "            \"Resource\": [" +
            "                \"arn:aws:s3:::amzn-s3-demo-manifest-bucket/*\"" +
            "            ]" +
            "        }," +
            "        {" +
            "            \"Effect\": \"Allow\"," +
            "            \"Action\": [" +
            "                \"s3:PutObject\"," +
            "                \"s3:GetBucketLocation\"" +
            "            ]," +
            "            \"Resource\": [" +
            "                \"arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*\"" +
            "            ]" +
            "        }" +
            "    ]" +
            "}";

    final AmazonIdentityManagement iam =
            AmazonIdentityManagementClientBuilder.defaultClient();

    // The assume-role policy document must be the trust policy, not the
    // permissions policy; IAM uses it to decide who may assume the role.
    final CreateRoleRequest createRoleRequest = new CreateRoleRequest()
            .withAssumeRolePolicyDocument(trustPolicy)
            .withRoleName(roleName);

    final CreateRoleResult createRoleResult = iam.createRole(createRoleRequest);

    // Attach the permissions policy to the role as an inline policy.
    final PutRolePolicyRequest putRolePolicyRequest = new PutRolePolicyRequest()
            .withPolicyDocument(bopsPermissions)
            .withPolicyName("batch_operations-permissions")
            .withRoleName(roleName);

    final PutRolePolicyResult putRolePolicyResult = iam.putRolePolicy(putRolePolicyRequest);
}
```