Amazon Managed Service for Apache Flink (Amazon MSF) was previously known as Amazon Kinesis Data Analytics for Apache Flink.
Create custom IAM policies for Managed Service for Apache Flink Studio notebooks
You typically use managed IAM policies to allow your application to access dependent resources. If you need finer control over your application's permissions, you can use a custom IAM policy instead. This section contains examples of custom IAM policies.
In the following policy examples, replace the placeholder text (for example <database-name>, <stream-name>, <region>, <accountId>) with the values for your application.
AWS Glue
The following example policy grants permission to access an AWS Glue database.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GlueTable",
      "Effect": "Allow",
      "Action": [
        "glue:GetConnection",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetDatabase",
        "glue:CreateTable",
        "glue:UpdateTable"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:123456789012:connection/*",
        "arn:aws:glue:us-east-1:123456789012:table/<database-name>/*",
        "arn:aws:glue:us-east-1:123456789012:database/<database-name>",
        "arn:aws:glue:us-east-1:123456789012:database/hive",
        "arn:aws:glue:us-east-1:123456789012:catalog"
      ]
    },
    {
      "Sid": "GlueDatabase",
      "Effect": "Allow",
      "Action": "glue:GetDatabases",
      "Resource": "*"
    }
  ]
}
CloudWatch Logs
The following example statements grant permission to access CloudWatch Logs. They are individual statements; add them to the "Statement" array of your policy.
{
  "Sid": "ListCloudwatchLogGroups",
  "Effect": "Allow",
  "Action": [
    "logs:DescribeLogGroups"
  ],
  "Resource": [
    "arn:aws:logs:<region>:<accountId>:log-group:*"
  ]
},
{
  "Sid": "ListCloudwatchLogStreams",
  "Effect": "Allow",
  "Action": [
    "logs:DescribeLogStreams"
  ],
  "Resource": [
    "<logGroupArn>:log-stream:*"
  ]
},
{
  "Sid": "PutCloudwatchLogs",
  "Effect": "Allow",
  "Action": [
    "logs:PutLogEvents"
  ],
  "Resource": [
    "<logStreamArn>"
  ]
}
If you use the console to create your application, the console adds the policies required to access CloudWatch Logs to your application role for you.
Kinesis streams
An application can use a Kinesis stream as a source or as a destination. The application needs read permissions to read from a source stream and write permissions to write to a destination stream.
The following policy grants permission to read from a Kinesis stream used as a source:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KinesisShardDiscovery",
      "Effect": "Allow",
      "Action": "kinesis:ListShards",
      "Resource": "*"
    },
    {
      "Sid": "KinesisShardConsumption",
      "Effect": "Allow",
      "Action": [
        "kinesis:GetShardIterator",
        "kinesis:GetRecords",
        "kinesis:DescribeStream",
        "kinesis:DescribeStreamSummary",
        "kinesis:RegisterStreamConsumer",
        "kinesis:DeregisterStreamConsumer"
      ],
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/<stream-name>"
    },
    {
      "Sid": "KinesisEfoConsumer",
      "Effect": "Allow",
      "Action": [
        "kinesis:DescribeStreamConsumer",
        "kinesis:SubscribeToShard"
      ],
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/<stream-name>/consumer/*"
    }
  ]
}
The following policy grants permission to write to a Kinesis stream used as a destination:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KinesisStreamSink",
      "Effect": "Allow",
      "Action": [
        "kinesis:PutRecord",
        "kinesis:PutRecords",
        "kinesis:DescribeStreamSummary",
        "kinesis:DescribeStream"
      ],
      "Resource": "arn:aws:kinesis:us-east-1:123456789012:stream/<stream-name>"
    }
  ]
}
If your application accesses an encrypted Kinesis stream, you must grant additional permissions so that it can use the stream's encryption key as well as the stream itself.
The following statement grants permission to decrypt data read from an encrypted source stream using its encryption key:
{
  "Sid": "ReadEncryptedKinesisStreamSource",
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": [
    "<inputStreamKeyArn>"
  ]
}
The following statement grants permission to generate data keys for writing to an encrypted destination stream using its encryption key:
{
  "Sid": "WriteEncryptedKinesisStreamSink",
  "Effect": "Allow",
  "Action": [
    "kms:GenerateDataKey"
  ],
  "Resource": [
    "<outputStreamKeyArn>"
  ]
}
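As an added example (not part of the AWS documentation), the following Python builds the Kinesis source policy shown above from your region, account ID and stream name, appends the KMS statement when the stream is encrypted, and then reviews the result for two mistakes that are easy to make with these templates: placeholder text such as <stream-name> left unreplaced, and Resource "*" on statements the page scopes to a specific stream ARN. The set of actions treated as acceptable on "*" is taken from this page's examples, not from AWS's authoritative action table, so treat it as an assumption you may need to extend.

```python
import re

# Actions this page's own examples leave on Resource "*" (discovery calls).
# Assumption: derived from the page's examples, not from AWS's full action table.
PAGE_WILDCARD_ACTIONS = {"kinesis:ListShards", "glue:GetDatabases"}
PLACEHOLDER = re.compile(r"<[^>]+>")  # unreplaced template text like <stream-name>

def kinesis_source_policy(region, account_id, stream_name, key_arn=None):
    """Build the page's Kinesis source policy. key_arn (KMS key ARN) adds the
    ReadEncryptedKinesisStreamSource statement for an encrypted stream."""
    stream_arn = f"arn:aws:kinesis:{region}:{account_id}:stream/{stream_name}"
    statements = [
        {"Sid": "KinesisShardDiscovery", "Effect": "Allow",
         "Action": "kinesis:ListShards", "Resource": "*"},
        {"Sid": "KinesisShardConsumption", "Effect": "Allow",
         "Action": ["kinesis:GetShardIterator", "kinesis:GetRecords",
                    "kinesis:DescribeStream", "kinesis:DescribeStreamSummary",
                    "kinesis:RegisterStreamConsumer", "kinesis:DeregisterStreamConsumer"],
         "Resource": stream_arn},
        {"Sid": "KinesisEfoConsumer", "Effect": "Allow",
         "Action": ["kinesis:DescribeStreamConsumer", "kinesis:SubscribeToShard"],
         "Resource": f"{stream_arn}/consumer/*"},
    ]
    if key_arn:
        statements.append({"Sid": "ReadEncryptedKinesisStreamSource", "Effect": "Allow",
                           "Action": ["kms:Decrypt"], "Resource": [key_arn]})
    return {"Version": "2012-10-17", "Statement": statements}

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def review_policy(policy):
    """Return human-readable findings: unreplaced <placeholders> in any Resource, and
    Allow statements that keep Resource "*" for actions the page scopes to an ARN."""
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "(no Sid)")
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        for r in resources:
            if PLACEHOLDER.search(r):
                findings.append(f"{sid}: unreplaced placeholder in {r}")
        if st.get("Effect") == "Allow" and "*" in resources \
                and not set(actions) <= PAGE_WILDCARD_ACTIONS:
            findings.append(f'{sid}: Resource "*" for {sorted(actions)}')
    return findings  # empty list means the policy passed both checks
```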
Amazon MSK clusters
To grant access to an Amazon MSK cluster, you grant access to the cluster's VPC. For example policies that grant access to an Amazon VPC, see VPC application permissions.