本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# 使用 Studio JupyterLab 筆記本連線 Amazon S3 存取授權
<a name="s3-access-grants-setup"></a>

使用下列資訊授與 Studio JupyterLab 筆記本中的 Amazon S3 存取授權。

在設定 Amazon S3 存取授權之後，請[將下列許可新增至](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)您的網域或使用者[執行角色](https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-get-execution-role)。
+ `us-east-1` 是您的 AWS 區域
+ `111122223333` 是您的 AWS 帳戶 ID
+ `S3-ACCESS-GRANT-ROLE` 是您的 Amazon S3 存取授權角色

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowDataAccessAPI",
            "Effect": "Allow",
            "Action": [
                "s3:GetDataAccess"
            ],
            "Resource": [
                "arn:aws:s3:us-east-1:111122223333:access-grants/default"
            ]
        },
        {
            "Sid": "RequiredForTIP",
            "Effect": "Allow",
            "Action": "sts:SetContext",
            "Resource": "arn:aws:iam::111122223333:role/S3-ACCESS-GRANT-ROLE"
        }
    ]
}
```

------

確定您的 Amazon S3 存取授權角色的信任政策允許 `sts:SetContext` 和 `sts:AssumeRole` 動作。以下是當您[更新角色信任政策](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html)時的範例政策。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "access-grants.s3.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333",
                    "aws:SourceArn": "arn:aws:s3:us-east-1:111122223333:access-grants/default"
                }
            }
        }
    ]
}
```

------

## 使用 Amazon S3 存取授權呼叫 Amazon S3
<a name="s3-access-grants-python-example"></a>

以下是 Python 指令碼範例，展示如何使用 Amazon S3 存取授權來呼叫 Amazon S3。這假設您已成功使用 SageMaker AI 設定受信任身分傳播。

```
import boto3
from botocore.config import Config

def get_access_grant_credentials(account_id: str, target: str, 
                                 permission: str = 'READ'):
    s3control = boto3.client('s3control')
    response = s3control.get_data_access(
        AccountId=account_id,
        Target=target,
        Permission=permission
    )
    return response['Credentials']

def create_s3_client_from_credentials(credentials) -> boto3.client:
    return boto3.client(
        's3',
        aws_access_key_id=credentials['AccessKeyId'],
        aws_secret_access_key=credentials['SecretAccessKey'],
        aws_session_token=credentials['SessionToken']
    )

# Create client
credentials = get_access_grant_credentials('111122223333',
                                        "s3://tip-enabled-bucket/tip-enabled-path/")
s3 = create_s3_client_from_credentials(credentials)

s3.list_objects(Bucket="tip-enabled-bucket", Prefix="tip-enabled-path/")
```

如果您使用未啟用 Amazon S3 存取授權的 Amazon S3 儲存貯體路徑，呼叫將會失敗。

若為其他程式設計語言，請參閱[使用 Amazon S3 存取授權管理存取](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html)以取得詳細資訊。