IAM 角色設定 - Amazon EMR
MCP 伺服器的 IAM 角色設定依部署模式的其他許可 (EMR-EC2/EMR-S)

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

IAM 角色設定

設定指示中的 CloudFormation 堆疊會為您自動設定 IAM 角色。如果您想要手動執行,請遵循下列指示:

MCP 伺服器的 IAM 角色設定

若要存取 SMUS Managed MCP 伺服器,需要具有下列內嵌政策的 IAM 角色:

{  
    "Version": "2012-10-17",		 	 	 
    "Statement": [  
        {  
            "Sid": "AllowUseSagemakerUnifiedStudioMcpServer",  
            "Effect": "Allow",  
            "Action": [  
                "sagemaker-unified-studio-mcp:InvokeMcp",  
                "sagemaker-unified-studio-mcp:CallReadOnlyTool",  
                "sagemaker-unified-studio-mcp:CallPrivilegedTool"  
            ],  
            "Resource": [  
                "*"  
            ]  
        }  
    ]  
}

在後續步驟中,我們將為此角色建立設定檔。無論哪個帳戶擔任此角色以取得登入資料,都應新增至擔任角色政策。

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Sid": "AllowAccountToAssumeRole",  
      "Effect": "Allow",  
      "Principal": { "AWS": "arn:aws:iam::<accountId>:root" },  
      "Action": "sts:AssumeRole"  
    }  
  ]  
}

依部署模式的其他許可 (EMR-EC2/EMR-S)

EMR-EC2 應用程式

將政策中的 Amazon S3 預備儲存貯體取代為您希望存放升級成品的 Amazon S3 儲存貯體

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Effect": "Allow",  
      "Action": [  
        "elasticmapreduce:DescribeCluster",  
        "elasticmapreduce:DescribeStep",  
        "elasticmapreduce:ListSteps",  
        "elasticmapreduce:ListClusters",  
        "elasticmapreduce:DescribeJobFlows",  
        "elasticmapreduce:AddJobFlowSteps",  
        "elasticmapreduce:CreatePersistentAppUI",  
        "elasticmapreduce:DescribePersistentAppUI",  
        "elasticmapreduce:GetPersistentAppUIPresignedURL"  
      ],  
      "Resource": "*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetBucket*",  
        "s3:GetObject*",  
        "s3:List*",  
        "s3:Put*"  
      ],  
      "Resource": [  
        "arn:aws:s3:::<s3-staging-bucket>",  
        "arn:aws:s3:::<s3-staging-bucket>/*"  
      ]  
    }  
  ]  
}

KMS 許可 - 預備儲存貯體

如果預備儲存貯體使用 CMK 加密,請新增下列政策。上傳資料時,服務會自動使用在儲存貯體上設定的 CMK。

{  
  "Effect": "Allow",  
  "Action": [  
    "kms:GenerateDataKey",  
    "kms:Encrypt"  
  ],  
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>"  
}

EMR Serverless 應用程式

將政策中的 Amazon S3 預備儲存貯體取代為您希望存放升級成品的 Amazon S3 儲存貯體

{  
  "Version": "2012-10-17",		 	 	 
  "Statement": [  
    {  
      "Effect": "Allow",  
      "Action": [  
        "emr-serverless:StartJobRun",  
        "emr-serverless:GetJobRun",  
        "emr-serverless:GetApplication",  
        "emr-serverless:ListApplications",  
        "emr-serverless:GetDashboardForJobRun"  
      ],  
      "Resource": "*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": "iam:PassRole",  
      "Resource": "*",  
      "Condition": {  
        "StringLike": {  
          "iam:PassedToService": "emr-serverless.amazonaws.com"  
        }  
      }  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "logs:GetLogEvents",  
        "logs:DescribeLogStreams"  
      ],  
      "Resource": "arn:aws:logs:*:*:log-group:*"  
    },  
    {  
      "Effect": "Allow",  
      "Action": [  
        "s3:GetBucket*",  
        "s3:GetObject*",  
        "s3:List*",  
        "s3:Put*"  
      ],  
      "Resource": [  
        "arn:aws:s3:::<s3-staging-bucket>",  
        "arn:aws:s3:::<s3-staging-bucket>/*"  
      ]  
    }  
  ]  
}

KMS 許可 - 預備儲存貯體

如果預備儲存貯體使用 CMK 加密,請新增下列政策。上傳資料時,服務會自動使用在儲存貯體上設定的 CMK

{  
  "Effect": "Allow",  
  "Action": [  
    "kms:GenerateDataKey",  
    "kms:Encrypt"  
  ],  
  "Resource": "arn:aws:kms:<region>:<account-id>:key/<cmk-key-id>"  
}

KMS 許可 - CloudWatch Logs

如果 CloudWatch Logs 使用 CMK 加密,請新增下列政策,讓服務可以讀取 EMR-Serverless 應用程式日誌。

{  
"Effect": "Allow",  
"Action": [  
    "kms:Decrypt",  
    "kms:DescribeKey"  
],  
"Resource": "arn:aws:kms:<region>:<account-id>:key/<cw-logs-cmk-id>"  
}