AWS kebijakan terkelola: AmazonDataZoneGlueManageAccessRolePolicy

Kebijakan ini memberikan DataZone izin Amazon untuk mempublikasikan data AWS Glue ke katalog. Ini juga memberikan DataZone izin Amazon untuk memberikan akses atau mencabut akses ke aset yang diterbitkan AWS Glue di katalog.



{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "GlueTagDatabasePermissions",
			"Effect": "Allow",
			"Action": [
				"glue:TagResource",
				"glue:UntagResource",
				"glue:GetTags"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				},
				"ForAnyValue:StringLikeIfExists": {
					"aws:TagKeys": "DataZoneDiscoverable_*"
				}
			}
		},
		{
			"Sid": "GlueDataQualityPermissions",
			"Effect": "Allow",
			"Action": [
				"glue:ListDataQualityResults",
				"glue:GetDataQualityResult"
			],
			"Resource": "arn:aws:glue:*:*:dataQualityRuleset/*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "GlueTableDatabasePermissions",
			"Effect": "Allow",
			"Action": [
				"glue:CreateTable",
				"glue:DeleteTable",
				"glue:GetDatabases",
				"glue:GetTables"
			],
			"Resource": [
				"arn:aws:glue:*:*:catalog",
				"arn:aws:glue:*:*:database/*",
				"arn:aws:glue:*:*:table/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceAccount": "${aws:PrincipalAccount}"
				}
			}
		},
		{
			"Sid": "LakeformationResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"lakeformation:BatchGrantPermissions",
				"lakeformation:BatchRevokePermissions",
				"lakeformation:CreateDataCellsFilter",
				"lakeformation:CreateLakeFormationOptIn",
				"lakeformation:DeleteDataCellsFilter",
				"lakeformation:DeleteLakeFormationOptIn",
				"lakeformation:GrantPermissions",
				"lakeformation:GetDataCellsFilter",
				"lakeformation:GetResourceLFTags",
				"lakeformation:ListDataCellsFilter",
				"lakeformation:ListLakeFormationOptIns",
				"lakeformation:ListPermissions",
				"lakeformation:RegisterResource",
				"lakeformation:RevokePermissions",
				"lakeformation:UpdateDataCellsFilter",
				"glue:GetDatabase",
				"glue:GetTable",
				"organizations:DescribeOrganization",
				"ram:GetResourceShareInvitations",
				"ram:ListResources"
			],
			"Resource": "*"
		},
		{
			"Sid": "CrossAccountRAMResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"glue:DeleteResourcePolicy",
				"glue:PutResourcePolicy"
			],
			"Resource": [
				"arn:aws:glue:*:*:catalog",
				"arn:aws:glue:*:*:database/*",
				"arn:aws:glue:*:*:table/*"
			],
			"Condition": {
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"ram.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountLakeFormationResourceSharingPermissions",
			"Effect": "Allow",
			"Action": [
				"ram:CreateResourceShare"
			],
			"Resource": "*",
			"Condition": {
				"StringEqualsIfExists": {
					"ram:RequestedResourceType": [
						"glue:Table",
						"glue:Database",
						"glue:Catalog"
					]
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountRAMResourceShareInvitationPermission",
			"Effect": "Allow",
			"Action": [
				"ram:AcceptResourceShareInvitation"
			],
			"Resource": "arn:aws:ram:*:*:resource-share-invitation/*"
		},
		{
			"Sid": "CrossAccountRAMResourceSharingViaLakeFormationPermissions",
			"Effect": "Allow",
			"Action": [
				"ram:AssociateResourceShare",
				"ram:DeleteResourceShare",
				"ram:DisassociateResourceShare",
				"ram:GetResourceShares",
				"ram:ListResourceSharePermissions",
				"ram:UpdateResourceShare"
			],
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:ResourceShareName": [
						"LakeFormation*"
					]
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "CrossAccountRAMResourceSharingViaLakeFormationHybrid",
			"Effect": "Allow",
			"Action": "ram:AssociateResourceSharePermission",
			"Resource": "*",
			"Condition": {
				"StringLike": {
					"ram:PermissionArn": "arn:aws:ram::aws:permission/AWSRAMLFEnabled*"
				},
				"ForAnyValue:StringEquals": {
					"aws:CalledVia": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "KMSDecryptPermission",
			"Effect": "Allow",
			"Action": [
				"kms:Decrypt"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/datazone:projectId": "proj-all"
				}
			}
		},
		{
			"Sid": "GetRoleForDataZone",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonDataZone*"
			]
		},
		{
			"Sid": "PassRoleForDataLocationRegistration",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::*:role/AmazonDataZone*",
				"arn:aws:iam::*:role/service-role/AmazonDataZone*"
			],
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": [
						"lakeformation.amazonaws.com"
					]
				}
			}
		}
	]
}

Awas Javascript dinonaktifkan atau tidak tersedia di browser Anda.

Untuk menggunakan Dokumentasi AWS, Javascript harus diaktifkan. Lihat halaman Bantuan browser Anda untuk petunjuk.

Konvensi Dokumen

AmazonDataZoneRedshiftGlueProvisioningPolicy

AmazonDataZoneRedshiftManageAccessRolePolicy