This page is a machine-translated version. Where this translation and the English original differ, the English original prevails.
To give users access to Amazon Chime SDK messaging features, you must define an IAM role and policy that provide credentials to users when they sign in. The IAM policy defines the resources that users can access.
The examples in this section provide basic policies that you can adapt to your needs. For more information about how policies work, see Making SDK calls from a backend service for Amazon Chime SDK messaging.
This example shows a policy for developers who build applications with Amazon Chime SDK messaging.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "chime:CreateAppInstance",
                "chime:DescribeAppInstance",
                "chime:ListAppInstances",
                "chime:UpdateAppInstance",
                "chime:DeleteAppInstance",
                "chime:CreateAppInstanceUser",
                "chime:DeleteAppInstanceUser",
                "chime:ListAppInstanceUsers",
                "chime:UpdateAppInstanceUser",
                "chime:DescribeAppInstanceUser",
                "chime:CreateAppInstanceAdmin",
                "chime:DescribeAppInstanceAdmin",
                "chime:ListAppInstanceAdmins",
                "chime:DeleteAppInstanceAdmin",
                "chime:PutAppInstanceRetentionSettings",
                "chime:GetAppInstanceRetentionSettings",
                "chime:PutAppInstanceStreamingConfigurations",
                "chime:GetAppInstanceStreamingConfigurations",
                "chime:DeleteAppInstanceStreamingConfigurations",
                "chime:TagResource",
                "chime:UntagResource",
                "chime:ListTagsForResource",
                "chime:CreateChannelFlow",
                "chime:UpdateChannelFlow",
                "chime:DescribeChannelFlow",
                "chime:DeleteChannelFlow",
                "chime:ListChannelFlows",
                "chime:ListChannelsAssociatedWithChannelFlow",
                "chime:ChannelFlowCallback"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
This example shows a policy that allows users to access Amazon Chime SDK user actions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "chime:GetMessagingSessionEndpoint",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "chime:CreateChannel",
                "chime:DescribeChannel",
                "chime:DeleteChannel",
                "chime:UpdateChannel",
                "chime:ListChannels",
                "chime:ListSubChannels",
                "chime:ListChannelMembershipsForAppInstanceUser",
                "chime:DescribeChannelMembershipForAppInstanceUser",
                "chime:ListChannelsModeratedByAppInstanceUser",
                "chime:DescribeChannelModeratedByAppInstanceUser",
                "chime:UpdateChannelReadMarker",
                "chime:CreateChannelModerator",
                "chime:DescribeChannelModerator",
                "chime:ListChannelModerators",
                "chime:DeleteChannelModerator",
                "chime:SendChannelMessage",
                "chime:GetChannelMessage",
                "chime:DeleteChannelMessage",
                "chime:UpdateChannelMessage",
                "chime:RedactChannelMessage",
                "chime:ListChannelMessages",
                "chime:CreateChannelMembership",
                "chime:DescribeChannelMembership",
                "chime:DeleteChannelMembership",
                "chime:ListChannelMemberships",
                "chime:CreateChannelBan",
                "chime:DeleteChannelBan",
                "chime:ListChannelBans",
                "chime:DescribeChannelBan",
                "chime:Connect",
                "chime:AssociateChannelFlow",
                "chime:DisassociateChannelFlow",
                "chime:GetChannelMessageStatus"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:chime:region:{aws_account_id}:app-instance/{app_instance_id}/user/{app_instance_user_id}",
                "arn:aws:chime:region:{aws_account_id}:app-instance/{app_instance_id}/channel/*"
            ]
        }
    ]
}
This example shows a policy that grants users the minimum access to Amazon Chime SDK user actions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "chime:GetMessagingSessionEndpoint",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "chime:ListChannels",
                "chime:DescribeChannel",
                "chime:ListChannelMembershipsForAppInstanceUser",
                "chime:DescribeChannelMembershipForAppInstanceUser",
                "chime:ListChannelsModeratedByAppInstanceUser",
                "chime:DescribeChannelModeratedByAppInstanceUser",
                "chime:SendChannelMessage",
                "chime:GetChannelMessage",
                "chime:ListChannelMessages",
                "chime:Connect"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:chime:region:{aws_account_id}:app-instance/{app_instance_id}/user/{app_instance_user_id}",
                "arn:aws:chime:region:{aws_account_id}:app-instance/{app_instance_id}/channel/*"
            ]
        }
    ]
}
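The two user policies above only work as a per-user boundary if the backend fills in the caller's own AppInstanceUser ARN before vending credentials. The following Python, an added example rather than AWS documentation code, renders the minimal user policy from the placeholder names used on this page and lints a rendered policy: it flags user actions granted on Resource "*" (the page grants only chime:GetMessagingSessionEndpoint that way), unfilled placeholders, and ARNs that name a different app instance or a different user. The sample ids and the helper names are assumptions.

```python
import re

# The page's minimal user policy, with its ARN placeholders kept as {name} tokens.
ARN_PREFIX = "arn:aws:chime:{region}:{aws_account_id}:app-instance/{app_instance_id}"
USER_POLICY_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "chime:GetMessagingSessionEndpoint", "Effect": "Allow", "Resource": "*"},
        {"Action": ["chime:ListChannels", "chime:DescribeChannel", "chime:SendChannelMessage",
                    "chime:GetChannelMessage", "chime:ListChannelMessages", "chime:Connect"],
         "Effect": "Allow",
         "Resource": [ARN_PREFIX + "/user/{app_instance_user_id}", ARN_PREFIX + "/channel/*"]},
    ],
}
# Only the endpoint lookup is granted on "*" on this page; every other user action must be ARN-scoped.
WILDCARD_OK = {"chime:GetMessagingSessionEndpoint"}
ARN_RE = re.compile(r"^arn:aws:chime:[a-z0-9-]+:\d{12}:app-instance/[^/]+/(user|channel)/.+$")

def _fill(node, values):
    # Recursively replace {placeholder} tokens inside the strings of a JSON-like tree.
    if isinstance(node, str):
        return re.sub(r"\{(\w+)\}", lambda m: values[m.group(1)], node)
    if isinstance(node, list):
        return [_fill(n, values) for n in node]
    if isinstance(node, dict):
        return {k: _fill(v, values) for k, v in node.items()}
    return node

def render_user_policy(region, aws_account_id, app_instance_id, app_instance_user_id):
    """Return the policy document for one signed-in user as a dict (json.dumps it to vend)."""
    return _fill(USER_POLICY_TEMPLATE, {"region": region, "aws_account_id": aws_account_id,
                 "app_instance_id": app_instance_id, "app_instance_user_id": app_instance_user_id})

def lint_user_policy(policy, app_instance_id, app_instance_user_id):
    """Return findings for a rendered user policy; an empty list means it is scoped correctly."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if res == "*":
                wide = sorted(set(actions) - WILDCARD_OK)
                if wide:
                    findings.append(f"statement {i}: {wide} granted on Resource '*'")
            elif "{" in res or not ARN_RE.match(res):
                findings.append(f"statement {i}: malformed or unfilled ARN {res!r}")
            elif f":app-instance/{app_instance_id}/" not in res:
                findings.append(f"statement {i}: ARN targets another app instance: {res!r}")
            elif "/user/" in res and not res.endswith(f"/user/{app_instance_user_id}"):
                findings.append(f"statement {i}: ARN grants another user's identity: {res!r}")
    return findings
```

Run the lint on every rendered policy before handing it to the credential-vending step, and treat any finding as a refusal to issue credentials.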
This example shows a policy that allows an AppInstanceUser to establish a WebSocket connection. For more information about WebSocket connections, see Using WebSockets to receive messages in Amazon Chime SDK messaging.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "chime:Connect"
            ],
            "Resource": [
                "arn:aws:chime:region:{aws_account_id}:app-instance/{app_instance_id}/user/{app_instance_user_id}"
            ]
        }
    ]
}