


# Customer managed policy examples
<a name="access-policy-examples-for-sdk-cli"></a>

In this section, you can find example user policies that grant permissions for various AWS Snowball Edge job management actions. These policies work when you use the AWS SDKs or the AWS CLI. When you use the console, you need to grant additional, console-specific permissions, which are discussed in [Permissions required to use the AWS Snowball Edge console](access-control-managing-permissions.md#additional-console-required-permissions).

**Note**  
All examples use the us-west-2 Region and contain fictitious account IDs.

**Topics**
+ [Example 1: Role policy that allows a user to create a job to order a Snowball Edge device with the API](#access-policy-example-create-api)
+ [Example 2: Role policy for creating an import job](#role-policy-example-import)
+ [Example 3: Role policy for creating an export job](#role-policy-example-export)
+ [Example 4: Expected role permissions and trust policy](#expected-role-permissions-and-trust-policy)
+ [AWS Snowball Edge API permissions: actions, resources, and conditions reference](#snowball-api-permissions-ref)

## Example 1: Role policy that allows a user to create a job to order a Snowball Edge device with the API
<a name="access-policy-example-create-api"></a>

The following permissions policy is a required component of any policy used to grant job or cluster creation permission through the job management API. The statement needs to be the trust-relationship policy statement for the Snowball IAM role.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "importexport.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

## Example 2: Role policy for creating an import job
<a name="role-policy-example-import"></a>

You can use the following role trust policy for creating an import job for a Snowball Edge that uses AWS Lambda functions powered by AWS IoT Greengrass.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:PutObjectAcl",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion",
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

## Example 3: Role policy for creating an export job
<a name="role-policy-example-export"></a>

You can use the following role trust policy for creating an export job for a Snowball Edge that uses AWS Lambda functions powered by AWS IoT Greengrass.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "snowball:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iot:AttachPrincipalPolicy",
                "iot:AttachThingPrincipal",
                "iot:CreateKeysAndCertificate",
                "iot:CreatePolicy",
                "iot:CreateThing",
                "iot:DescribeEndpoint",
                "iot:GetPolicy"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "greengrass:CreateCoreDefinition",
                "greengrass:CreateDeployment",
                "greengrass:CreateDeviceDefinition",
                "greengrass:CreateFunctionDefinition",
                "greengrass:CreateGroup",
                "greengrass:CreateGroupVersion",
                "greengrass:CreateLoggerDefinition",
                "greengrass:CreateSubscriptionDefinition",
                "greengrass:GetDeploymentStatus",
                "greengrass:UpdateGroupCertificateConfiguration",
                "greengrass:CreateGroupCertificateAuthority",
                "greengrass:GetGroupCertificateAuthority",
                "greengrass:ListGroupCertificateAuthorities",
                "greengrass:ListDeployments",
                "greengrass:GetGroup",
                "greengrass:GetGroupVersion",
                "greengrass:GetCoreDefinitionVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
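Both the import policy (Example 2) and the export policy (Example 3) grant their S3 actions on `arn:aws:s3:::*`, that is, on every bucket in the account, and grant `snowball:*` on `*`. The following added example (not AWS code and not part of the Snowball documentation) narrows the S3 statements of the Example 2 shape to a single named bucket, giving bucket-level actions the bucket ARN and object-level actions the `bucket/*` ARN, and then lists the wildcard grants that remain. The bucket name `example-import-bucket` and the bucket/object classification of the S3 actions are assumptions; the narrowed resource list must still include every bucket the job references.

```python
"""Narrow the wildcard S3 resources in a Snowball Edge role policy to one bucket.

Added example, not AWS code. The statements in IMPORT_POLICY are taken from the
page's Example 2; the bucket name and the action classification are assumptions.
"""
import copy
import json

# Assumed classification: which S3 actions address the bucket itself and which
# address objects in it. This decides whether a statement needs the bucket ARN,
# the bucket/* ARN, or both.
BUCKET_LEVEL = {
    "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:ListBucket", "s3:ListBucketMultipartUploads",
}
OBJECT_LEVEL = {
    "s3:GetObject", "s3:PutObject", "s3:PutObjectAcl",
    "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
}
S3_WILDCARD = "arn:aws:s3:::*"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def scope_s3_to_bucket(policy, bucket):
    """Return a copy of policy with every arn:aws:s3:::* resource narrowed to bucket."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        if S3_WILDCARD not in resources:
            continue
        actions = set(_as_list(stmt["Action"]))
        unknown = actions - BUCKET_LEVEL - OBJECT_LEVEL
        if unknown:
            # Refuse to guess: an unclassified action must be reviewed by hand.
            raise ValueError(f"cannot classify S3 actions: {sorted(unknown)}")
        narrowed = [r for r in resources if r != S3_WILDCARD]
        if actions & BUCKET_LEVEL:
            narrowed.append(f"arn:aws:s3:::{bucket}")
        if actions & OBJECT_LEVEL:
            narrowed.append(f"arn:aws:s3:::{bucket}/*")
        stmt["Resource"] = narrowed
    return scoped


def wildcard_grants(policy):
    """Return (actions, resources) for Allow statements pairing a wildcard action with '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any(a.endswith("*") for a in actions):
            findings.append((actions, resources))
    return findings


# Constructed from the page's Example 2: the two S3 statements and the
# snowball:* statement are enough to exercise both helpers.
IMPORT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow",
         "Action": ["s3:GetBucketPolicy", "s3:GetBucketLocation",
                    "s3:ListBucketMultipartUploads", "s3:ListBucket",
                    "s3:PutObject", "s3:AbortMultipartUpload",
                    "s3:ListMultipartUploadParts", "s3:PutObjectAcl",
                    "s3:GetObject"],
         "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": ["snowball:*"], "Resource": ["*"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scope_s3_to_bucket(IMPORT_POLICY, "example-import-bucket"), indent=2))
    for actions, resources in wildcard_grants(IMPORT_POLICY):
        print("wildcard grant still present:", actions, "on", resources)
```

The helper raises rather than guesses when it meets an S3 action outside its classification, so that a new action added to the policy is reviewed instead of silently given both ARNs. The `snowball:*` grant is reported but left alone: whether it can be reduced depends on which job management actions the role really needs, which the table at the end of this page helps decide.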

## Example 4: Expected role permissions and trust policy
<a name="expected-role-permissions-and-trust-policy"></a>

The following expected role permissions policy is required for use by the existing service role. This is a one-time setup.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": ["[[snsArn]]"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
                "cloudwatch:PutMetricData"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/SnowFamily"
                }
            }
        }
    ]
}
```

The following expected role trust policy is required for use by the existing service role. This is a one-time setup.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "importexport.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
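The trust policy above is the same statement as in Example 1, and the permissions policy leaves the `[[snsArn]]` placeholder to be filled in. The following added example (not AWS code) checks both documents the way a deployment pipeline could before creating the role: the trust policy must allow only `sts:AssumeRole` for the `importexport.amazonaws.com` service principal and nothing else, and the permissions policy must carry a real SNS topic ARN and keep the CloudWatch grant bound to the `AWS/SnowFamily` namespace. The topic ARN `arn:aws:sns:us-west-2:123456789012:snowball-job-notifications` is a constructed sample, and the ARN pattern in `SNS_ARN_RE` is an assumption.

```python
"""Validate a Snowball Edge service role's trust and permissions policies.

Added example, not AWS code. TRUST_POLICY and PERMISSIONS_TEMPLATE are the page's
Example 4 documents (the trust statement is the same as Example 1); the SNS topic
ARN used in __main__ is a constructed sample and SNS_ARN_RE is an assumed pattern.
"""
import copy
import re

SNOWBALL_PRINCIPAL = "importexport.amazonaws.com"
METRIC_NAMESPACE = "AWS/SnowFamily"
SNS_ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Findings for anything beyond 'the Snowball service may assume this role'."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # A "*" principal or an "AWS" principal lets identities, not the service, assume the role.
        if not isinstance(principal, dict) or "AWS" in principal:
            findings.append(f"statement {i}: principal is not limited to a service principal")
            continue
        for service in _as_list(principal.get("Service", [])):
            if service != SNOWBALL_PRINCIPAL:
                findings.append(f"statement {i}: unexpected service principal {service}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"statement {i}: unexpected action {action}")
    return findings


def check_permissions_policy(doc):
    """Findings for the Example 4 shape: real SNS topic ARN, namespace-bound CloudWatch grant."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "sns:Publish" in actions:
            for res in resources:
                if not SNS_ARN_RE.match(res):
                    findings.append(f"statement {i}: sns:Publish resource {res!r} is not a topic ARN")
        if "*" in resources and any(a.startswith("cloudwatch:") for a in actions):
            condition = stmt.get("Condition", {}).get("StringEquals", {})
            if condition.get("cloudwatch:namespace") != METRIC_NAMESPACE:
                findings.append(f"statement {i}: CloudWatch grant on '*' lacks the "
                                f"{METRIC_NAMESPACE} namespace condition")
    return findings


def fill_sns_arn(template, sns_arn):
    """Replace the page's [[snsArn]] placeholder with the real topic ARN."""
    doc = copy.deepcopy(template)
    for stmt in doc["Statement"]:
        stmt["Resource"] = [sns_arn if r == "[[snsArn]]" else r
                            for r in _as_list(stmt["Resource"])]
    return doc


# Documents copied from the page's Example 4.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "importexport.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
PERMISSIONS_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sns:Publish", "Resource": ["[[snsArn]]"]},
        {"Effect": "Allow",
         "Action": ["cloudwatch:ListMetrics", "cloudwatch:GetMetricData",
                    "cloudwatch:PutMetricData"],
         "Resource": ["*"],
         "Condition": {"StringEquals": {"cloudwatch:namespace": "AWS/SnowFamily"}}},
    ],
}

if __name__ == "__main__":
    # Constructed sample ARN; Region and account ID follow the page's note.
    filled = fill_sns_arn(PERMISSIONS_TEMPLATE,
                          "arn:aws:sns:us-west-2:123456789012:snowball-job-notifications")
    print("trust policy findings:", check_trust_policy(TRUST_POLICY))
    print("template findings:", check_permissions_policy(PERMISSIONS_TEMPLATE))
    print("filled findings:", check_permissions_policy(filled))
```

Run against the page's documents, the trust policy produces no findings, the unfilled template is flagged for the placeholder, and the filled copy passes. The trust check deliberately treats an `AWS` principal or a bare `*` as a finding: a service role that any identity can assume inherits the whole permissions policy, including the S3 and IoT grants from Examples 2 and 3.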

## AWS Snowball Edge API permissions: actions, resources, and conditions reference
<a name="snowball-api-permissions-ref"></a>

When you set up [access control in the AWS Cloud](access-control.md) and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Snowball Edge job management API operation and the corresponding action for which you can grant permission. It also includes, for each API operation, the AWS resource for which you can grant permissions. You specify the actions in the policy's `Action` field and the resource value in the policy's `Resource` field.

You can use AWS-wide condition keys in your AWS Snowball Edge policies to express conditions. For a complete list of AWS-wide keys, see [Available Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AvailableKeys) in the *IAM User Guide*.

**Note**  
To specify an action, use the `snowball:` prefix followed by the API operation name (for example, `snowball:CreateJob`).


**Required permissions for AWS Snowball Edge job management API actions**  

| Job management API action | Required permissions |
| --- | --- |
| [CancelCluster](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelCluster.html) | `snowball:CancelCluster` |
| [CancelJob](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CancelJob.html) | `snowball:CancelJob` |
| [CreateAddress](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateAddress.html) | `snowball:CreateAddress` |
| [CreateCluster](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateCluster.html) | This action requires the following permissions: [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/snowball/latest/developer-guide/access-policy-examples-for-sdk-cli.html) |
| [CreateJob](https://docs.aws.amazon.com/snowball/latest/api-reference/API_CreateJob.html) | [See the AWS documentation website for more details](http://docs.aws.amazon.com/zh_tw/snowball/latest/developer-guide/access-policy-examples-for-sdk-cli.html) |
| [DescribeAddress](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddress.html) | `snowball:DescribeAddress` |
| [DescribeAddresses](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeAddresses.html) | `snowball:DescribeAddresses` |
| [DescribeCluster](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeCluster.html) | `snowball:DescribeCluster` |
| [DescribeJob](https://docs.aws.amazon.com/snowball/latest/api-reference/API_DescribeJob.html) | `snowball:DescribeJob` |
| [GetJobManifest](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobManifest.html) | `snowball:GetJobManifest` |
| [GetJobUnlockCode](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetJobUnlockCode.html) | `snowball:GetJobUnlockCode` |
| [GetSnowballUsage](https://docs.aws.amazon.com/snowball/latest/api-reference/API_GetSnowballUsage.html) | `snowball:GetSnowballUsage` |
| [ListClusterJobs](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusterJobs.html) | `snowball:ListClusterJobs` |
| [ListClusters](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListClusters.html) | `snowball:ListClusters` |
| [ListJobs](https://docs.aws.amazon.com/snowball/latest/api-reference/API_ListJobs.html) | `snowball:ListJobs` |
| [UpdateCluster](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateCluster.html) | `snowball:UpdateCluster` |
| [UpdateJob](https://docs.aws.amazon.com/snowball/latest/api-reference/API_UpdateJob.html) | `snowball:UpdateJob` |
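To see how the `snowball:` actions in the table combine with wildcards and explicit `Deny` statements, the following added example (not AWS code) evaluates a simplified version of the IAM decision: an explicit Deny wins, otherwise any matching Allow grants the action, otherwise the action is implicitly denied. It ignores `Condition`, `NotAction`, resource-level restrictions and resource-based policies, so it is a model for reasoning about a policy, not a replacement for the IAM policy simulator. The two policies are constructed samples: a read-only policy, and a job operator policy that explicitly denies `snowball:GetJobManifest` and `snowball:GetJobUnlockCode` so that the identity which orders a job cannot also retrieve the credentials that unlock the device.

```python
"""Simplified evaluation of snowball: actions against an identity-based policy.

Added example, not AWS code. Models only: explicit Deny beats Allow, '*' and '?'
wildcards in Action, case-insensitive matching. It ignores Condition, NotAction,
resource-level restrictions and resource-based policies. The action list is the
page's table; the two policies are constructed samples.
"""
from fnmatch import fnmatchcase

# The job management API operations from the table, as snowball: actions.
JOB_MANAGEMENT_ACTIONS = {f"snowball:{op}" for op in (
    "CancelCluster", "CancelJob", "CreateAddress", "CreateCluster", "CreateJob",
    "DescribeAddress", "DescribeAddresses", "DescribeCluster", "DescribeJob",
    "GetJobManifest", "GetJobUnlockCode", "GetSnowballUsage", "ListClusterJobs",
    "ListClusters", "ListJobs", "UpdateCluster", "UpdateJob",
)}


def _as_list(value):
    """IAM accepts a string or a list in Action; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' matches any run of characters."""
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified IAM decision for one action: Deny > Allow > implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False            # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            allowed = True          # keep scanning in case a later Deny applies
    return allowed


def allowed_actions(policy):
    """The job management actions this policy permits, sorted."""
    return sorted(a for a in JOB_MANAGEMENT_ACTIONS if is_allowed(policy, a))


# Constructed sample: read-only view of jobs, clusters, addresses and usage.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["snowball:Describe*", "snowball:List*", "snowball:GetSnowballUsage"],
        "Resource": "*",
    }],
}

# Constructed sample: can order and manage jobs, but the manifest and unlock code
# are explicitly denied so that a separate identity has to retrieve them.
JOB_OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "snowball:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["snowball:GetJobManifest", "snowball:GetJobUnlockCode"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("read-only", READ_ONLY_POLICY), ("job operator", JOB_OPERATOR_POLICY)):
        print(f"{name}: {allowed_actions(policy)}")
```

`allowed_actions` is the quick way to answer "what can this identity do with Snowball jobs?" for a policy pulled from an account: the read-only sample resolves to the four `Describe*` actions, the three `List*` actions and `GetSnowballUsage`, while the job operator sample resolves to everything in the table except the two explicitly denied actions.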