本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# IAM 角色設定
設定指示中的 CloudFormation 堆疊會為您自動設定 IAM 角色。如果您想要手動執行,請遵循下列指示:
## MCP 伺服器的 IAM 角色設定
**即將發生的變更將於 2026 年 5 月 29 日生效**
2026 年 5 月 29 日之後,不再需要以下顯示的`sagemaker-unified-studio-mcp`許可。授權將改為使用您現有的 IAM 政策在 AWS 服務層級進行。如果您使用這些許可來拒絕存取,請參閱 [即將變更的許可 (2026 年 5 月 29 日)](#spark-troubleshooting-agent-mcp-permissions-change)在該日期之前更新您的政策。
若要存取 SMUS Managed MCP 伺服器,需要具有下列內嵌政策的 IAM 角色:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUseSagemakerUnifiedStudioMcpServer",
"Effect": "Allow",
"Action": [
"sagemaker-unified-studio-mcp:InvokeMcp",
"sagemaker-unified-studio-mcp:CallReadOnlyTool",
"sagemaker-unified-studio-mcp:CallPrivilegedTool"
],
"Resource": [
"*"
]
}
]
}
```
在後續步驟中,我們將為此角色建立設定檔。無論哪個帳戶擔任此角色以取得登入資料,都應新增至擔任角色政策。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccountToAssumeRole",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam:::root" },
"Action": "sts:AssumeRole"
}
]
}
```
## 依部署模式的其他許可 (EMR-EC2/EMR-S/Glue)
### EMR-EC2 應用程式
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EMREC2ReadAccess",
"Effect": "Allow",
"Action": [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeJobFlows"
],
"Resource": [
"*"
]
},
{
"Sid": "EMRS3LogAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
},
{
"Sid": "EMRPersistentApp",
"Effect": "Allow",
"Action": [
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL"
],
"Resource": [
"*"
]
}
]
}
```
### Glue 任務
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GlueReadAccess",
"Effect": "Allow",
"Action": [
"glue:GetJob",
"glue:GetJobRun",
"glue:GetJobRuns",
"glue:GetJobs",
"glue:BatchGetJobs"
],
"Resource": [
"arn:aws:glue:*::job/*"
]
},
{
"Sid": "GlueCloudWatchLogsAccess",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": [
"arn:aws:logs:*::log-group:/aws/glue/*"
]
},
{
"Sid": "GlueSparkWebUI",
"Effect": "Allow",
"Action": [
"glue:RequestLogParsing",
"glue:GetLogParsingStatus",
"glue:GetEnvironment",
"glue:GetStage",
"glue:GetStages",
"glue:GetStageFiles",
"glue:BatchGetStageFiles",
"glue:GetStageAttempt",
"glue:GetStageAttemptTaskList",
"glue:GetStageAttemptTaskSummary",
"glue:GetExecutors",
"glue:GetExecutorsThreads",
"glue:GetStorage",
"glue:GetStorageUnit",
"glue:GetQueries",
"glue:GetQuery",
"glue:GetDashboardUrl"
],
"Resource": [
"arn:aws:glue:*::job/*"
]
},
{
"Sid": "GluePassRoleAccess",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": "glue.amazonaws.com"
}
}
}
]
}
```
### EMR Serverless 應用程式
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EMRServerlessReadAccess",
"Effect": "Allow",
"Action": [
"emr-serverless:GetJobRun",
"emr-serverless:GetApplication",
"emr-serverless:ListApplications",
"emr-serverless:ListJobRuns",
"emr-serverless:ListJobRunAttempts",
"emr-serverless:GetDashboardForJobRun",
"emr-serverless:ListTagsForResource"
],
"Resource": [
"*"
]
},
{
"Sid": "EMRServerlessCloudWatchLogsAccess",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:FilterLogEvents"
],
"Resource": [
"arn:aws:logs:*::log-group:/aws/emr-serverless/*"
]
},
{
"Sid": "EMRServerlessS3LogsAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
}
]
}
```
### KMS 許可 - CloudWatch Logs
如果 CloudWatch Logs 使用 CMK 加密,請新增下列政策,讓服務可以讀取 EMR-Serverless 應用程式日誌。
```
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:::key/"
}
```
## 即將變更的許可 (2026 年 5 月 29 日)
從 2026 年 AWS 5 月 29 日開始,SMUS MCP 伺服器將不再需要單獨的 IAM 許可來授權 MCP 伺服器操作。反之,授權將使用您現有的 IAM 角色和政策在 AWS 服務層級進行。
兩個條件索引鍵會自動新增至透過 SMUS MCP 伺服器提出的所有請求:
+ `aws:ViaAWSMCPService` – `true` 針對透過 AWS 受管 MCP 伺服器提出的任何請求,將 設定為 。
+ `aws:CalledViaAWSMCP` – 設定為 MCP 伺服器服務主體 (例如 `sagemaker-unified-studio-mcp.amazonaws.com`)。
如果您目前使用 `sagemaker-unified-studio-mcp` 許可來拒絕存取 SMUS MCP 伺服器,或者您不想允許帳戶上任何 AWS 受管 MCP 伺服器起始的動作,您必須在 2026 年 5 月 29 日之前更新您的政策。請改用新的條件索引鍵。
**透過任何 AWS 受管 MCP 伺服器拒絕所有操作:**
```
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:ViaAWSMCPService": "true"
}
}
}
```
**透過特定 AWS 受管 MCP 伺服器拒絕特定操作:**
```
{
"Effect": "Deny",
"Action": ["glue:GetJobRun", "glue:StartJobRun"],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:CalledViaAWSMCP": "sagemaker-unified-studio-mcp.amazonaws.com"
}
}
}
```
如需條件索引鍵的詳細資訊,請參閱《*IAM 使用者指南*》中的[AWS 全域條件內容索引鍵](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html)。