AWS Data Pipeline is no longer available to new customers. Existing customers of AWS Data Pipeline can continue to use the service as normal.
AWS Data Pipeline policy examples
The following examples show how to grant users full or restricted access to pipelines.
Example 1: Grant users read-only access based on a tag
The following policy allows users to call the read-only AWS Data Pipeline API actions, but only on pipelines that carry the tag "environment = production".
The ListPipelines API action does not support tag-based authorization.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "datapipeline:Describe*",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ValidatePipelineDefinition",
        "datapipeline:QueryObjects"
      ],
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "datapipeline:Tag/environment": "production"
        }
      }
    }
  ]
}
Example 2: Grant users full access based on a tag
The following policy allows users to call all AWS Data Pipeline API actions (except ListPipelines), but only on pipelines that carry the tag "environment = test".
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "datapipeline:*" ],
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "datapipeline:Tag/environment": "test"
        }
      }
    }
  ]
}
Example 3: Grant pipeline owners full access
The following policy allows users to call all AWS Data Pipeline API actions, but only on pipelines they created themselves.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "datapipeline:*" ],
      "Resource": [ "*" ],
      "Condition": {
        "StringEquals": {
          "datapipeline:PipelineCreator": "${aws:userid}"
        }
      }
    }
  ]
}
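To see how the conditions in Examples 1 to 3 decide a request, the following Python program is an added example (it is not AWS code and not part of this guide). It evaluates the three policies above with a deliberately simplified model of IAM (Allow/Deny with implicit deny, wildcard Action and Resource, the StringEquals operator, and ${aws:userid} variable substitution) against constructed request contexts; the pipeline ARN, user IDs and tag values are made up for the demonstration. It also shows why a tag-conditioned policy never grants ListPipelines: that call carries no pipeline tag in its request context, and a StringEquals condition whose key is absent evaluates to false.

```python
"""Simplified evaluation of the tag- and creator-scoped policies above.

Added illustration, not the AWS authorization engine. Modelled: Effect,
Action/Resource with IAM '*' and '?' wildcards, the StringEquals operator,
${aws:userid}-style variables, implicit deny when nothing matches. As in IAM,
a StringEquals condition whose key is absent from the request context is false.
"""
import re

# Policies copied from Examples 1-3 on this page.
READ_ONLY_PRODUCTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["datapipeline:Describe*", "datapipeline:GetPipelineDefinition",
                   "datapipeline:ValidatePipelineDefinition", "datapipeline:QueryObjects"],
        "Resource": ["*"],
        "Condition": {"StringEquals": {"datapipeline:Tag/environment": "production"}},
    }],
}
FULL_ACCESS_TEST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": ["datapipeline:*"], "Resource": ["*"],
        "Condition": {"StringEquals": {"datapipeline:Tag/environment": "test"}},
    }],
}
OWNER_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": ["datapipeline:*"], "Resource": ["*"],
        "Condition": {"StringEquals": {"datapipeline:PipelineCreator": "${aws:userid}"}},
    }],
}

# Constructed sample values (not from the page).
PIPELINE_ARN = "arn:aws:datapipeline:us-east-1:123456789012:pipeline/df-EXAMPLE"
ALICE = "AIDAEXAMPLEALICE:alice"
BOB = "AIDAEXAMPLEBOB:bob"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, ignore_case=False):
    """Compile an IAM-style pattern ('*' any run, '?' one char) to a regex."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _substitute(value, context):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError("only StringEquals is modelled here")
        for key, expected in pairs.items():
            if key not in context:  # missing key: the condition is false
                return False
            if context[key] not in [_substitute(v, context) for v in _as_list(expected)]:
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny' for one request; an explicit Deny beats any Allow."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_wildcard(p, True).match(action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard(p).match(resource) for p in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def demo():
    """Decisions for constructed requests against the three policies."""
    prod = {"datapipeline:Tag/environment": "production", "aws:userid": ALICE}
    test = {"datapipeline:Tag/environment": "test", "aws:userid": ALICE}
    no_tag = {"aws:userid": ALICE}  # ListPipelines carries no pipeline tag in its context
    own = {"datapipeline:PipelineCreator": ALICE, "aws:userid": ALICE}
    other = {"datapipeline:PipelineCreator": BOB, "aws:userid": ALICE}
    return {
        "ro_describe_prod": evaluate([READ_ONLY_PRODUCTION], "datapipeline:DescribePipelines", PIPELINE_ARN, prod),
        "ro_describe_test": evaluate([READ_ONLY_PRODUCTION], "datapipeline:DescribePipelines", PIPELINE_ARN, test),
        "ro_activate_prod": evaluate([READ_ONLY_PRODUCTION], "datapipeline:ActivatePipeline", PIPELINE_ARN, prod),
        "full_activate_test": evaluate([FULL_ACCESS_TEST], "datapipeline:ActivatePipeline", PIPELINE_ARN, test),
        "full_list_no_tag": evaluate([FULL_ACCESS_TEST], "datapipeline:ListPipelines", "*", no_tag),
        "owner_own": evaluate([OWNER_FULL_ACCESS], "datapipeline:ActivatePipeline", PIPELINE_ARN, own),
        "owner_other": evaluate([OWNER_FULL_ACCESS], "datapipeline:ActivatePipeline", PIPELINE_ARN, other),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Running the script prints one decision per constructed request; the only Allow results are the production describe, the test-tagged activate, and the owner's own pipeline, while ListPipelines is denied even under the "datapipeline:*" policy because the tag key is missing from its context.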
Example 4: Grant users access to the AWS Data Pipeline console
The following policy allows users to use the AWS Data Pipeline console to create and manage pipelines.
This policy includes actions for PassRole permissions on the specific resources tied to the roleARN that AWS Data Pipeline needs. For more information about the identity-based (IAM) PassRole permission, see the blog post Granting Permission to Launch EC2 Instances with IAM Roles (PassRole Permission).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudwatch:*",
        "datapipeline:*",
        "dynamodb:DescribeTable",
        "elasticmapreduce:AddJobFlowSteps",
        "elasticmapreduce:ListInstance*",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRoles",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups",
        "redshift:DescribeClusters",
        "redshift:DescribeClusterSecurityGroups",
        "s3:List*",
        "sns:ListTopics"
      ],
      "Effect": "Allow",
      "Resource": [ "*" ]
    },
    {
      "Action": "iam:PassRole",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::*:role/DataPipelineDefaultResourceRole",
        "arn:aws:iam::*:role/DataPipelineDefaultRole"
      ]
    }
  ]
}
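The console policy keeps iam:PassRole in its own statement scoped to two named role ARNs instead of granting it on "*". The following Python check is an added example (not AWS tooling and not part of this guide) of how to verify that property when reviewing a policy: it flags every Allow statement in which PassRole, whether named directly or reached through a wildcard such as "iam:*", could be exercised on an arbitrary role. The OVERLY_BROAD policy and the probe role ARN are constructed for the demonstration; the console policy is copied from Example 4 above.

```python
"""Check that iam:PassRole in a policy document is scoped to named roles.

Added illustration, not AWS tooling. A statement is flagged when its Action
covers iam:PassRole (directly or via a wildcard) and one of its Resource
patterns also matches a role ARN the policy author never named, which is the
shape of grant that lets a principal pass any role in the account.
"""
import re

# Console policy copied from Example 4 on this page.
CONSOLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:*", "datapipeline:*", "dynamodb:DescribeTable",
                "elasticmapreduce:AddJobFlowSteps", "elasticmapreduce:ListInstance*",
                "iam:AddRoleToInstanceProfile", "iam:CreateInstanceProfile",
                "iam:GetInstanceProfile", "iam:GetRole", "iam:GetRolePolicy",
                "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListRoles",
                "rds:DescribeDBInstances", "rds:DescribeDBSecurityGroups",
                "redshift:DescribeClusters", "redshift:DescribeClusterSecurityGroups",
                "s3:List*", "sns:ListTopics",
            ],
            "Effect": "Allow",
            "Resource": ["*"],
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:role/DataPipelineDefaultResourceRole",
                "arn:aws:iam::*:role/DataPipelineDefaultRole",
            ],
        },
    ],
}

# Constructed counter-example (not from the page): PassRole reachable via iam:* on any role.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["datapipeline:*", "iam:*"], "Resource": "*"}],
}

# Constructed probe: any Resource pattern that matches it would let the principal pass
# a role the policy never names.
PROBE_ROLE_ARN = "arn:aws:iam::123456789012:role/SomeUnrelatedRole"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard(pattern, ignore_case=False):
    """Compile an IAM-style pattern ('*' any run, '?' one char) to a regex."""
    body = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + body + "$", re.IGNORECASE if ignore_case else 0)


def _grants_passrole(stmt):
    return stmt.get("Effect") == "Allow" and any(
        _wildcard(a, True).match("iam:PassRole") for a in _as_list(stmt.get("Action", []))
    )


def unscoped_passrole(policy):
    """Return [(statement_index, resource_pattern), ...] for PassRole grants on any role."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if not _grants_passrole(stmt):
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            if _wildcard(res).match(PROBE_ROLE_ARN):
                findings.append((idx, res))
    return findings


def passable_roles(policy):
    """Return the Resource patterns on which PassRole is allowed at all."""
    roles = []
    for stmt in _as_list(policy["Statement"]):
        if _grants_passrole(stmt):
            roles.extend(_as_list(stmt.get("Resource", "*")))
    return roles


if __name__ == "__main__":
    print("console policy findings:", unscoped_passrole(CONSOLE_POLICY))
    print("console policy may pass:", passable_roles(CONSOLE_POLICY))
    print("overly broad findings:", unscoped_passrole(OVERLY_BROAD))
```

For the console policy the check reports no findings and lists exactly the two DataPipelineDefault role patterns; for the constructed OVERLY_BROAD policy it reports the wildcard statement, because "iam:*" includes PassRole and "*" matches every role ARN.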