本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。 # 安裝程式佈建資源的最低 IAM 政策 安裝 AWS IoT Greengrass Core 軟體時,您可以佈建必要的 AWS 資源,例如裝置的 AWS IoT 物件和 IAM 角色。您也可以將本機開發工具部署至裝置。安裝程式需要 AWS 登入資料,才能在您的 中執行這些動作 AWS 帳戶。如需詳細資訊,請參閱[安裝 AWS IoT Greengrass Core 軟體](install-greengrass-core-v2.md)。 下列範例政策包含安裝程式佈建這些資源所需的最低動作集。如果您指定安裝程式的 `--provision` 引數,則需要這些許可。將 {{account-id}} 取代為您的 AWS 帳戶 ID,並將 {{GreengrassV2TokenExchangeRole}} 取代為您使用`--tes-role-name`[安裝程式引數](configure-installer.md)指定的字符交換角色名稱。 **注意** 只有在您指定安裝程式的 `--deploy-dev-tools` 引數時,才需要`DeployDevTools`政策陳述式。 ------ #### [ Greengrass nucleus v2.5.0 and later ] ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateTokenExchangeRole", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetRole", "iam:PassRole" ], "Resource": [ "arn:aws:iam::{{123456789012}}:role/{{GreengrassV2TokenExchangeRole}}", "arn:aws:iam::{{123456789012}}:policy/{{GreengrassV2TokenExchangeRole}}Access", "arn:aws:iam::aws:policy/{{GreengrassV2TokenExchangeRole}}Access" ] }, { "Sid": "CreateIoTResources", "Effect": "Allow", "Action": [ "iot:AddThingToThingGroup", "iot:AttachPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateRoleAlias", "iot:CreateThing", "iot:CreateThingGroup", "iot:DescribeEndpoint", "iot:DescribeRoleAlias", "iot:DescribeThingGroup", "iot:GetPolicy" ], "Resource": "*" }, { "Sid": "DeployDevTools", "Effect": "Allow", "Action": [ "greengrass:CreateDeployment", "iot:CancelJob", "iot:CreateJob", "iot:DeleteThingShadow", "iot:DescribeJob", "iot:DescribeThing", "iot:DescribeThingGroup", "iot:GetThingShadow", "iot:UpdateJob", "iot:UpdateThingShadow" ], "Resource": "*" } ] } ``` ------ ------ #### [ Earlier than v2.5.0 ] ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "CreateTokenExchangeRole", "Effect": "Allow", "Action": [ "iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole", "iam:GetPolicy", "iam:GetRole", "iam:PassRole" ], "Resource": [ "arn:aws:iam::{{123456789012}}:role/{{GreengrassV2TokenExchangeRole}}", "arn:aws:iam::{{123456789012}}:policy/{{GreengrassV2TokenExchangeRole}}Access", "arn:aws:iam::aws:policy/{{GreengrassV2TokenExchangeRole}}Access" ] }, { "Sid": "CreateIoTResources", "Effect": "Allow", "Action": [ "iot:AddThingToThingGroup", "iot:AttachPolicy", "iot:AttachThingPrincipal", "iot:CreateKeysAndCertificate", "iot:CreatePolicy", "iot:CreateRoleAlias", "iot:CreateThing", "iot:CreateThingGroup", "iot:DescribeEndpoint", "iot:DescribeRoleAlias", "iot:DescribeThingGroup", "iot:GetPolicy" ], "Resource": "*" }, { "Sid": "DeployDevTools", "Effect": "Allow", "Action": [ "greengrass:CreateDeployment", "iot:CancelJob", "iot:CreateJob", "iot:DeleteThingShadow", "iot:DescribeJob", "iot:DescribeThing", "iot:DescribeThingGroup", "iot:GetThingShadow", "iot:UpdateJob", "iot:UpdateThingShadow" ], "Resource": "*" } ] } ``` ------ ------