
IAM role setup - Amazon EMR

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

IAM role setup

Prerequisites

Before you begin, make sure you have the following:

  • An AWS account with IAM administrative access

  • The AWS CLI installed and configured. For more information, see Installing the AWS CLI

Set the following variables for use in the commands that follow:

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
REGION=$(aws configure get region)

Step 1: Create an IAM role

The SMUS MCP server uses your IAM role to authorize operations at the AWS service level. No separate MCP-specific permissions are required.

Create the IAM role (AWS CLI)

  1. Create a trust policy document that allows your account to assume the role:

    cat > mcp-trust-policy.json << EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccountToAssumeRole",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::${ACCOUNT_ID}:root" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOF

  2. Create the role:

    aws iam create-role \
      --role-name SparkTroubleshootingMCPRole \
      --assume-role-policy-document file://mcp-trust-policy.json

Step 2: Attach permissions for your deployment mode

Attach the permissions policy that matches your Spark deployment platform. Depending on the platforms you use, you can attach one or more of the following.

Option A: EMR on EC2

  1. Create the policy document:

    cat > emr-ec2-policy.json << 'EOF'
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EMREC2ReadAccess",
          "Effect": "Allow",
          "Action": [
            "elasticmapreduce:DescribeCluster",
            "elasticmapreduce:DescribeStep",
            "elasticmapreduce:ListSteps",
            "elasticmapreduce:ListClusters",
            "elasticmapreduce:DescribeJobFlows"
          ],
          "Resource": ["*"]
        },
        {
          "Sid": "EMRS3LogAccess",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": "*"
        },
        {
          "Sid": "EMRPersistentApp",
          "Effect": "Allow",
          "Action": [
            "elasticmapreduce:CreatePersistentAppUI",
            "elasticmapreduce:DescribePersistentAppUI",
            "elasticmapreduce:GetPersistentAppUIPresignedURL"
          ],
          "Resource": ["*"]
        }
      ]
    }
    EOF

  2. Create and attach the policy:

    aws iam put-role-policy \
      --role-name SparkTroubleshootingMCPRole \
      --policy-name EMREC2TroubleshootingAccess \
      --policy-document file://emr-ec2-policy.json

Alternatively, if your role already uses the AmazonElasticMapReduceFullAccess AWS managed policy, you can attach that instead:

aws iam attach-role-policy \
  --role-name SparkTroubleshootingMCPRole \
  --policy-arn arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess

Option B: AWS Glue

  1. Create the policy document:

    cat > glue-policy.json << EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "GlueReadAccess",
          "Effect": "Allow",
          "Action": [
            "glue:GetJob",
            "glue:GetJobRun",
            "glue:GetJobRuns",
            "glue:GetJobs",
            "glue:BatchGetJobs"
          ],
          "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"]
        },
        {
          "Sid": "GlueCloudWatchLogsAccess",
          "Effect": "Allow",
          "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
          "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/glue/*"]
        },
        {
          "Sid": "GlueSparkWebUI",
          "Effect": "Allow",
          "Action": [
            "glue:RequestLogParsing",
            "glue:GetLogParsingStatus",
            "glue:GetEnvironment",
            "glue:GetStage",
            "glue:GetStages",
            "glue:GetStageFiles",
            "glue:BatchGetStageFiles",
            "glue:GetStageAttempt",
            "glue:GetStageAttemptTaskList",
            "glue:GetStageAttemptTaskSummary",
            "glue:GetExecutors",
            "glue:GetExecutorsThreads",
            "glue:GetStorage",
            "glue:GetStorageUnit",
            "glue:GetQueries",
            "glue:GetQuery",
            "glue:GetDashboardUrl"
          ],
          "Resource": ["arn:aws:glue:*:${ACCOUNT_ID}:job/*"]
        },
        {
          "Sid": "GluePassRoleAccess",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "iam:PassedToService": "glue.amazonaws.com"
            }
          }
        }
      ]
    }
    EOF

  2. Attach the policy:

    aws iam put-role-policy \
      --role-name SparkTroubleshootingMCPRole \
      --policy-name GlueTroubleshootingAccess \
      --policy-document file://glue-policy.json

Option C: EMR Serverless

  1. Create the policy document:

    cat > emr-serverless-policy.json << EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EMRServerlessReadAccess",
          "Effect": "Allow",
          "Action": [
            "emr-serverless:GetJobRun",
            "emr-serverless:GetApplication",
            "emr-serverless:ListApplications",
            "emr-serverless:ListJobRuns",
            "emr-serverless:ListJobRunAttempts",
            "emr-serverless:GetDashboardForJobRun",
            "emr-serverless:ListTagsForResource"
          ],
          "Resource": ["*"]
        },
        {
          "Sid": "EMRServerlessCloudWatchLogsAccess",
          "Effect": "Allow",
          "Action": ["logs:GetLogEvents", "logs:FilterLogEvents"],
          "Resource": ["arn:aws:logs:*:${ACCOUNT_ID}:log-group:/aws/emr-serverless/*"]
        },
        {
          "Sid": "EMRServerlessS3LogsAccess",
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:ListBucket"],
          "Resource": "*"
        }
      ]
    }
    EOF

  2. Attach the policy:

    aws iam put-role-policy \
      --role-name SparkTroubleshootingMCPRole \
      --policy-name EMRServerlessTroubleshootingAccess \
      --policy-document file://emr-serverless-policy.json
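The S3 log statements in Option A (EMRS3LogAccess) and Option C (EMRServerlessS3LogsAccess) grant s3:GetObject and s3:ListBucket on "Resource": "*", which reaches every bucket the account can see, not only the EMR log bucket. The following Python is an added example, not code from this page or from the SMUS MCP server project: it renders the trust policy the same way the heredoc does, lists every Allow statement that still uses a wildcard resource, and produces a copy of the Option A policy with the S3 statement narrowed to one log bucket. The account ID and bucket name are constructed placeholders; the hardened copy is something you can feed to `put-role-policy` in place of the page's document if your logs live in a single bucket.

```python
import copy
import json

# Trust policy from the page; the heredoc substitutes ${ACCOUNT_ID} at shell level.
TRUST_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccountToAssumeRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Option A permissions policy, copied from the page.
EMR_EC2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EMREC2ReadAccess",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:DescribeCluster",
                "elasticmapreduce:DescribeStep",
                "elasticmapreduce:ListSteps",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:DescribeJobFlows",
            ],
            "Resource": ["*"],
        },
        {
            "Sid": "EMRS3LogAccess",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
        },
        {
            "Sid": "EMRPersistentApp",
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:CreatePersistentAppUI",
                "elasticmapreduce:DescribePersistentAppUI",
                "elasticmapreduce:GetPersistentAppUIPresignedURL",
            ],
            "Resource": ["*"],
        },
    ],
}


def as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def render_trust_policy(account_id):
    """Substitute the account ID the way the heredoc does and return a dict."""
    text = json.dumps(TRUST_POLICY_TEMPLATE).replace("${ACCOUNT_ID}", account_id)
    return json.loads(text)


def wildcard_resource_statements(policy):
    """Return [(Sid, actions)] for Allow statements whose Resource includes '*'."""
    found = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if "*" in as_list(statement.get("Resource", [])):
            found.append((statement.get("Sid", "<no Sid>"), as_list(statement["Action"])))
    return found


def scope_s3_log_statement(policy, sid, bucket):
    """Return a copy of the policy with statement `sid` limited to one log bucket.

    s3:ListBucket is authorized against the bucket ARN and s3:GetObject against
    object ARNs, so both forms are required for the log reads to keep working.
    """
    scoped = copy.deepcopy(policy)
    for statement in scoped["Statement"]:
        if statement.get("Sid") == sid:
            statement["Resource"] = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return scoped


def policy_document_arg(policy):
    """Compact JSON suitable for `aws iam put-role-policy --policy-document`."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    print(json.dumps(render_trust_policy("111122223333"), indent=2))  # constructed account ID
    for sid, actions in wildcard_resource_statements(EMR_EC2_POLICY):
        print(f"wildcard resource: {sid}: {', '.join(actions)}")
    hardened = scope_s3_log_statement(EMR_EC2_POLICY, "EMRS3LogAccess", "my-emr-logs")
    print(policy_document_arg(hardened))
```

The elasticmapreduce statements are left alone: the List* and Describe* calls the troubleshooting server makes are not resource-scoped in the same way, so the report is a review aid rather than a rule that every wildcard must go. The same `scope_s3_log_statement` call applies to Option C's EMRServerlessS3LogsAccess statement.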

Optional: KMS permissions for encrypted CloudWatch Logs

If your CloudWatch Logs are encrypted with a customer managed KMS key, add the following (replace <KEY_ID> with your KMS key ID):

aws iam put-role-policy \
  --role-name SparkTroubleshootingMCPRole \
  --policy-name KMSCloudWatchLogsDecrypt \
  --policy-document "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\": [\"kms:Decrypt\", \"kms:DescribeKey\"], \"Resource\": \"arn:aws:kms:${REGION}:${ACCOUNT_ID}:key/<KEY_ID>\" }] }"

Step 3: Configure your MCP client

Configure your MCP client (for example, Claude Desktop or Amazon Q Developer) to use the ARN of the role you created:

echo "arn:aws:iam::${ACCOUNT_ID}:role/SparkTroubleshootingMCPRole"

See your MCP client's documentation for how to configure AWS credentials (typically through an AWS profile that assumes this role).

Condition keys for MCP server requests

Two condition keys are added automatically to every request made through the SMUS MCP server:

  • aws:ViaAWSMCPService – set to true for any request made through an AWS managed MCP server.

  • aws:CalledViaAWSMCP – set to the MCP server's service principal (for example, sagemaker-unified-studio-mcp.amazonaws.com).

You can use these condition keys to control access to resources when a request originates from an AWS managed MCP server.

Example: allow Glue read operations only through the SMUS MCP server:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGlueReadViaSMUSMCP",
      "Effect": "Allow",
      "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
        }
      }
    }
  ]
}

Example: deny delete operations when accessed through any AWS managed MCP server:

{
  "Effect": "Deny",
  "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
  "Resource": "*",
  "Condition": {
    "Bool": {
      "aws:ViaAWSMCPService": "true"
    }
  }
}
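To see how the two condition keys interact with IAM's evaluation order, the following Python is an added example (not code from this page or from AWS): a small offline evaluator that implements StringEquals, StringLike and Bool, treats a missing context key as a non-match, and applies the rule that an explicit Deny wins over any Allow. It evaluates the two policies shown above against request contexts that mimic what the SMUS MCP server attaches, a direct (non-MCP) call, and a different AWS managed MCP server. The second policy gains one constructed statement, AllowS3DeleteDirect, so the test can show the Deny overriding an Allow only when the request carries aws:ViaAWSMCPService. ARNs and the account ID are constructed placeholders.

```python
import fnmatch

# Policy documents copied from the page.
ALLOW_GLUE_READ_VIA_SMUS_MCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGlueReadViaSMUSMCP",
            "Effect": "Allow",
            "Action": ["glue:GetJob", "glue:GetJobRun", "glue:GetJobRuns"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
                }
            },
        }
    ],
}

DENY_DELETE_VIA_ANY_MCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": "*",
            "Condition": {"Bool": {"aws:ViaAWSMCPService": "true"}},
        },
        # Constructed for this example only: an unconditional Allow, so the
        # Deny above can be shown overriding it when the MCP key is present.
        {
            "Sid": "AllowS3DeleteDirect",
            "Effect": "Allow",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-logs/*",
        },
    ],
}

POLICIES = [ALLOW_GLUE_READ_VIA_SMUS_MCP, DENY_DELETE_VIA_ANY_MCP]

# Request context the SMUS MCP server adds automatically (values from the page).
SMUS_MCP_CONTEXT = {
    "aws:ViaAWSMCPService": "true",
    "aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com",
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def glob_match(pattern, value):
    # IAM wildcards are '*' and '?'; fnmatch additionally honours '[...]',
    # which does not matter for the patterns used here.
    return fnmatch.fnmatchcase(value, pattern)


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block holds.

    A key absent from the request context makes the condition false, which is
    IAM's behaviour for plain (non-IfExists) operators. Null and ...IfExists
    operators are not implemented in this example.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected_values = [str(v) for v in as_list(expected)]
            if operator == "StringEquals":
                ok = actual in expected_values
            elif operator == "StringLike":
                ok = any(glob_match(p, actual) for p in expected_values)
            elif operator == "Bool":
                ok = str(actual).lower() == expected_values[0].lower()
            else:
                raise ValueError(f"operator not supported in this example: {operator}")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not any(glob_match(p.lower(), action.lower()) for p in as_list(statement["Action"])):
                continue
            if not any(glob_match(r, resource) for r in as_list(statement["Resource"])):
                continue
            if "Condition" in statement and not condition_matches(statement["Condition"], context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"  # explicit Deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    job = "arn:aws:glue:us-east-1:111122223333:job/nightly-etl"  # constructed
    obj = "arn:aws:s3:::example-logs/run-1/stderr.gz"            # constructed
    print("glue:GetJob via SMUS MCP:", evaluate(POLICIES, "glue:GetJob", job, SMUS_MCP_CONTEXT))
    print("glue:GetJob direct:      ", evaluate(POLICIES, "glue:GetJob", job, {}))
    print("s3:DeleteObject via MCP: ", evaluate(POLICIES, "s3:DeleteObject", obj, SMUS_MCP_CONTEXT))
    print("s3:DeleteObject direct:  ", evaluate(POLICIES, "s3:DeleteObject", obj, {}))
```

The evaluator covers only identity policy statements; real IAM also folds in resource policies, permission boundaries and SCPs. The point it demonstrates is narrow: a Glue read is allowed only when aws:CalledViaAWSMCP names the SMUS server exactly, a request lacking the key falls through to implicit deny, and the Bool condition on aws:ViaAWSMCPService turns an otherwise-permitted delete into an explicit deny for every AWS managed MCP server, not just SMUS.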

For more information about condition keys, see AWS global condition context keys in the IAM User Guide.