本主题中的权限策略示例演示了需要允许的操作以及允许执行这些操作的资源。在将类似的权限策略附加到 IAM 身份之前,请仔细检查这些策略并根据您的需求修改它们。
例 – 允许 IAM 委托人运行并返回包含 Athena UDF 语句的查询
以下基于身份的权限策略允许用户或其他 IAM 委托人执行使用 Athena UDF 语句运行查询所需的操作。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"lambda:InvokeFunction",
"athena:GetQueryResults",
"s3:ListMultipartUploadParts",
"athena:GetWorkGroup",
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:athena:*:MyAWSAcctId
:workgroup/MyAthenaWorkGroup
",
"arn:aws:s3:::MyQueryResultsBucket
/*",
"arn:aws:lambda:*:MyAWSAcctId
:function:OneAthenaLambdaFunction
",
"arn:aws:lambda:*:MyAWSAcctId
:function:AnotherAthenaLambdaFunction
"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "athena:ListWorkGroups",
"Resource": "*"
}
]
}
允许的操作 | 说明 |
---|---|
|
在 |
|
|
|
允许查询调用 Resource 块中指定的 AWS Lambda 函数。例如 arn:aws:lambda:*: ,其中 MyAthenaLambdaFunction 指定要调用的 Lambda 函数的名称。如示例中所示,可以指定多个函数。 |
例 – 允许 IAM 委托人创建 Athena UDF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"iam:CreateRole",
"lambda:GetFunctionConfiguration",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"lambda:PutFunctionConcurrency",
"iam:PassRole",
"iam:DetachRolePolicy",
"lambda:ListTags",
"iam:ListAttachedRolePolicies",
"iam:DeleteRolePolicy",
"lambda:DeleteFunction",
"lambda:GetAlias",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetPolicy",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"iam:DeleteRole",
"lambda:UpdateFunctionCode",
"s3:GetObject",
"lambda:AddPermission",
"iam:UpdateRole",
"lambda:DeleteFunctionConcurrency",
"lambda:RemovePermission",
"iam:GetRolePolicy",
"lambda:GetPolicy"
],
"Resource": [
"arn:aws:lambda:*:111122223333
:function:MyAthenaLambdaFunctionsPrefix
*",
"arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m
/*",
"arn:aws:iam::*:role/RoleName
",
"arn:aws:iam::111122223333
:policy/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListExports",
"cloudformation:ListStacks",
"cloudformation:ListImports",
"lambda:ListFunctions",
"iam:ListRoles",
"lambda:GetAccountSettings",
"ec2:DescribeSecurityGroups",
"cloudformation:EstimateTemplateCost",
"ec2:DescribeVpcs",
"lambda:ListEventSourceMappings",
"cloudformation:DescribeAccountLimits",
"ec2:DescribeSubnets",
"cloudformation:CreateStackSet",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": [
"arn:aws:cloudformation:*:111122223333
:stack/aws-serverless-repository-MyCFStackPrefix
*/*",
"arn:aws:cloudformation:*:111122223333
:stack/serverlessrepo-MyCFStackPrefix
*/*",
"arn:aws:cloudformation:*:*:transform/Serverless-*",
"arn:aws:cloudformation:*:111122223333
:stackset/aws-serverless-repository-MyCFStackPrefix
*:*",
"arn:aws:cloudformation:*:111122223333
:stackset/serverlessrepo-MyCFStackPrefix
*:*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "serverlessrepo:*",
"Resource": "arn:aws:serverlessrepo:*:*:applications/*"
},
{
"Sid": "ECR",
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "arn:aws:ecr:*:*:repository/*"
}
]
}
允许的操作 | 说明 |
---|---|
|
允许创建和管理列为资源的 Lambda 函数。在此示例中,资源标识符 |
|
允许读取 AWS Serverless Application Repository 所需的存储桶,如资源标识符 arn:aws:s3:::awsserverlessrepo-changesets- 所指定。 |
|
允许由资源 |
|
允许在由资源标识符 arn:aws:serverlessrepo:*:*:applications/* 指定的 AWS Serverless Application Repository 中搜索、查看、发布和更新应用程序。 |