IAM 的访问角色 Amazon Kendra - Amazon Kendra
IAM 索引的角色IAM 的角色 BatchPutDocument APIIAM 数据源的角色虚拟私有云 (VPC) IAM roleIAM 常见问题解答的角色 (FAQs)IAM 查询建议的角色IAM 用于用户和组的主体映射的角色IAM 的角色 AWS IAM Identity CenterIAM 的角色 Amazon Kendra 经验IAM 自定义文档扩充的角色

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

IAM 的访问角色 Amazon Kendra

创建索引、数据源或时FAQ, Amazon Kendra 需要访问 AWS 创建所需的资源 Amazon Kendra 资源。你必须创建一个 AWS Identity and Access Management (IAM) 在创建策略之前 Amazon Kendra 资源。当您调用操作时,您需要提供附有策略的角色的 Amazon 资源名称 (ARN)。例如,如果您调用是BatchPutDocumentAPI为了添加来自的文档 Amazon S3 bucket,你提供 Amazon Kendra 角色的策略可以访问存储桶。

你可以创建一个新的 IAM 在 Amazon Kendra 控制台或者选择一个 IAM 要使用的现有角色。控制台显示的角色的角色名称中包含字符串“kendra”或“Kendra”。

以下主题提供了所需策略的详细信息。如果你创建 IAM 角色使用 Amazon Kendra 控制台这些策略是为您创建的。

IAM 索引的角色

创建索引时,必须提供 IAM 具有写入权限的角色 Amazon CloudWatch。 您还必须提供允许的信任策略 Amazon Kendra 来扮演这个角色。以下是必须提供的策略。

允许的角色策略 Amazon Kendra 访问 a CloudWatch 日志。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/Kendra"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
        }
    ]
}

允许的角色策略 Amazon Kendra 访问权限 AWS Secrets Manager。 如果您使用的是用户上下文 Secrets Manager 作为关键位置,您可以使用以下策略。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"cloudwatch:PutMetricData",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "cloudwatch:namespace":"AWS/Kendra"
            }
         }
      },
      {
         "Effect":"Allow",
         "Action":"logs:DescribeLogGroups",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":"logs:CreateLogGroup",
         "Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "logs:DescribeLogStreams",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
         ],
         "Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
      },
      {
         "Effect":"Allow",
         "Action":[
            "secretsmanager:GetSecretValue"
         ],
         "Resource":[
            "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "kms:Decrypt"
         ],
         "Resource":[
            "arn:aws:kms:your-region:your-account-id:key/key-id"
         ],
         "Condition":{
            "StringLike":{
               "kms:ViaService":[
                  "secretsmanager.your-region.amazonaws.com"
               ]
            }
         }
      }
   ]
}

允许的信任政策 Amazon Kendra 扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

IAM 的角色 BatchPutDocument API

警告

Amazon Kendra 不使用向某人授予权限的存储桶策略 Amazon Kendra 委托人与 S3 存储桶进行交互。相反,它使用 IAM 角色。确保 Amazon Kendra 未作为可信成员包含在存储桶策略中,以避免在意外向任意委托人授予权限时出现任何数据安全问题。但是,您可以添加存储桶策略以使用 Amazon S3 跨不同账户存储桶。有关更多信息,请参阅要使用的策略 Amazon S3 跨账户。有关信息 IAM S3 数据源的角色,请参阅 IAM 角色

当你使用索BatchPutDocumentAPI引中的文档时 Amazon S3 存储桶,您必须提供 Amazon Kendra 用一个 IAM 具有存储桶访问权限的角色。您还必须提供允许的信任策略 Amazon Kendra 来扮演这个角色。如果存储桶中的文档已加密,则必须提供使用权限 AWS KMS 用于解密文档的客户主密钥 (CMK)。

必需的角色策略才能允许 Amazon Kendra 访问 Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

允许的信任政策 Amazon Kendra 扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

建议您在信任策略中包含 aws:sourceAccountaws:sourceArn。这会限制权限并安全地检查aws:sourceAccountaws:sourceArn是否与中提供的相同 IAM sts:AssumeRole操作的角色策略。这样可以防止未经授权的实体访问您的 IAM 角色及其权限。有关更多信息,请参阅 AWS Identity and Access Management 关于困惑的副手问题的指南。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "kendra.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "your-account-id"
                },
                "StringLike": {
                    "aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index/*"
                }
            }
        }
    ]
}

允许的可选角色策略 Amazon Kendra 使用 AWS KMS 用于解密文档的客户主密钥 (CMK) Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

IAM 数据源的角色

当你使用时 CreateDataSourceAPI,你必须给 Amazon Kendra 一个 IAM 有权访问资源的角色。所需的特定权限取决于数据来源。

当您使用 Adobe Experience Manager 时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对您的 Adobe 体验管理器进行身份验证的秘密。

  • 允许呼叫 Adobe Experien APIs ce Manager 连接器所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Adobe Experience Manager 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Alfresco 时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Alfresco 进行身份验证的秘密。

  • 允许致电所需的公众APIs以获取 Alfresco 连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Alfresco 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用时 Aurora (我的SQL),您为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Aurora (我的SQL)。

  • 允许致电APIs所需的公众 Aurora (我的SQL)连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Aurora (我的SQL)数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用时 Aurora (PostgreSQL),您为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Aurora (PostgreSQL)。

  • 允许致电APIs所需的公众 Aurora (PostgreSQL) 连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Aurora (PostgreSQL) 数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用时 Amazon FSx,您为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Amazon FSx 文件系统。

  • 访问权限 Amazon Virtual Private Cloud (VPC) 你在哪里 Amazon FSx 文件系统驻留。

  • 允许获取您的 Active Directory 域名 Amazon FSx 文件系统。

  • 允许致电APIs所需的公众 Amazon FSx 连接器。

  • 调用BatchPutDocumentBatchDeleteDocumentAPIs更新索引的权限。

{
    "Version": "2012-10-17",
        "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": [
            "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:{{secret-id}}"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
          ],
          "Condition": {
            "StringLike": {
              "kms:ViaService": [
                "secretsmanager.{{your-region}}.amazonaws.com"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action":[
            "ec2:CreateNetworkInterface",
            "ec2:DeleteNetworkInterface"
          ],
          "Resource": [
                "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
                "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
          ]   
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeSubnets",
            "ec2:DescribeNetworkInterfaces"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateNetworkInterfacePermission"
          ],
          "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
          "Condition": {
            "StringEquals": {
              "ec2:AuthorizedService": "kendra.*.amazonaws.com"
            },
            "ArnEquals": {
              "ec2:Subnet": [
                "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
              ]
            }
          }
        },
        {
          "Sid": "AllowsKendraToGetDomainNameOfActiveDirectory",
          "Effect": "Allow",
          "Action": "ds:DescribeDirectories",
          "Resource": "*"
        },
        {
          "Sid": "AllowsKendraToCallRequiredFsxAPIs",
          "Effect": "Allow",
          "Action": [
              "fsx:DescribeFileSystems"
          ],
          "Resource": "*"
        },
        {
          "Sid": "iamPassRole",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": [
                "kendra.*.amazonaws.com"
              ]
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "kendra:BatchPutDocument",
            "kendra:BatchDeleteDocument"
          ],
          "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
        }
        ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用数据库作为数据源时,你提供 Amazon Kendra 其角色具有连接所需的权限。其中包括:

  • 访问权限 AWS Secrets Manager 包含站点用户名和密码的密钥。有关密钥内容的更多信息,请参阅数据来源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

  • 访问权限 Amazon S3 存储桶,其中包含用于与站点通信的SSL证书。

注意

您可以将数据库数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kendra:BatchPutDocument",
                "kendra:BatchDeleteDocument"
            ],
            "Resource": [
                "arn:aws:kendra:your-region:your-account-id:index/index-id"
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "kendra.your-region.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

您可以对数据来源使用两种可选策略。

如果您已加密 Amazon S3 包含用于与通信的SSL证书的存储桶,提供要提供的策略 Amazon Kendra 访问密钥。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

如果您使用的是VPC,请提供以下政策: Amazon Kendra 访问所需资源。请参阅 。IAM 角色用于数据源,VPC用于所需的策略。

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Amazon RDS (Microsoft SQL Server)数据源连接器,你可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Amazon RDS (微软SQL服务器)数据源实例。

  • 允许致电APIs所需的公众 Amazon RDS (微软SQL服务器)数据源连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Amazon RDS (微软SQL服务器)数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Amazon RDS (我的SQL)数据源连接器,您可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Amazon RDS (我的SQL)数据源实例。

  • 允许致电APIs所需的公众 Amazon RDS (我的SQL)数据源连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Amazon RDS (我的SQL)数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Amazon RDS Oracle 数据源连接器,您可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Amazon RDS (Oracle) 数据源实例。

  • 允许致电APIs所需的公众 Amazon RDS (Oracle) 数据源连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Amazon RDS Oracle 数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Amazon RDS (PostgreSQL) 数据源连接器,您可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 Amazon RDS (PostgreSQL) 数据源实例。

  • 允许致电APIs所需的公众 Amazon RDS (PostgreSQL) 数据源连接器。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以连接 Amazon RDS (PostgreSQL) 数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}
警告

Amazon Kendra 不使用向某人授予权限的存储桶策略 Amazon Kendra 委托人与 S3 存储桶进行交互。相反,它使用 IAM 角色。确保 Amazon Kendra 未作为可信成员包含在存储桶策略中,以避免在意外向任意委托人授予权限时出现任何数据安全问题。但是,您可以添加存储桶策略以使用 Amazon S3 跨不同账户存储桶。有关更多信息,请参阅 要使用的政策 Amazon S3 跨账户(向下滚动)。

当你使用 Amazon S3 存储桶作为数据源,您可以提供一个有权访问存储桶以及使用BatchPutDocumentBatchDeleteDocument操作的角色。如果文件在 Amazon S3 存储桶已加密,您必须提供使用权限 AWS KMS 用于解密文档的客户主密钥 (CMK)。

以下角色策略必须允许 Amazon Kendra 来扮演一个角色。继续向下滚动以查看代入角色的信任策略。

必需的角色策略才能允许 Amazon Kendra 使用 Amazon S3 存储桶作为数据源。

{
    "Version": "2012-10-17",
    "Statement": [
         {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kendra:BatchPutDocument",
                "kendra:BatchDeleteDocument"
            ],
            "Resource": [
                "arn:aws:kendra:your-region:your-account-id:index/index-id"
            ]
        }
    ]
}

允许的可选角色策略 Amazon Kendra 使用 AWS KMS 用于解密文档的客户主密钥 (CMK) Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

允许的可选角色策略 Amazon Kendra 访问 Amazon S3 存储桶,同时使用 Amazon VPC,并且没有激活 AWS KMS 或者分享 AWS KMS 权限。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
        "arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
      ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface"
        ],
        "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
        "Condition": {
            "StringLike": {
                "aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{data-source-id}}_*"
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateTags"
        ],
        "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
        "Condition": {
            "StringEquals": {
                "ec2:CreateAction": "CreateNetworkInterface"
            }
        }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{your-region}}:{{your-accoount-id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "kendra.amazonaws.com"
        },
        "ArnEquals": {
          "ec2:Subnet": [
            "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
    }
  ]
}

允许的可选角色策略 Amazon Kendra 访问 Amazon S3 使用时存储桶 Amazon VPC,还有 AWS KMS 权限已激活。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::{{bucket-name}}"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "s3.{{your-region}}.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
        "arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
      ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface"
        ],
        "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
        "Condition": {
            "StringLike": {
                "aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{data-source-id}}_*"
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateTags"
        ],
        "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
        "Condition": {
            "StringEquals": {
                "ec2:CreateAction": "CreateNetworkInterface"
            }
        }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:AuthorizedService": "kendra.amazonaws.com"
        },
        "ArnEquals": {
          "ec2:Subnet": [
            "arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
    }
  ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

要使用的政策 Amazon S3 跨账户

如果您的 Amazon S3 bucket 与您用于自己的账户的账户位于不同的账户中 Amazon Kendra index,您可以创建用于跨账户的策略。

使用你的角色策略 Amazon S3 当存储桶与您的账户不同时,存储桶作为您的数据源 Amazon Kendra 索引。请注意,s3:PutObjects3:PutObjectAcl 是可选的,如果要为访问控制列表包含配置文件,则可以使用此选项。

{
    "Version": "2012-10-17",
    "Statement": [
         {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::$bucket-in-other-account/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::$bucket-in-other-account/*"
            ],
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "kendra:BatchPutDocument",
                "kendra:BatchDeleteDocument"
            ],
            "Resource": [
                "arn:aws:kendra:$your-region:$your-account-id:index/$index-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::$bucket-in-other-account/*"
        }
    ]
}

一项存储桶策略,允许 Amazon S3 用于访问的数据源角色 Amazon S3 跨账户存储桶。请注意,s3:PutObjects3:PutObjectAcl 是可选的,如果要为访问控制列表包含配置文件,则可以使用此选项。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "$kendra-s3-connector-role-arn"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::$bucket-in-other-account/*"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "$kendra-s3-connector-role-arn"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::$bucket-in-other-account"
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用时 Amazon Kendra Web Crawler,您可以为角色提供以下策略:

  • 访问权限 AWS Secrets Manager 包含连接到网站的凭据或由基本身份验证支持的 Web 代理服务器的密码。有关机密报告内容的更多信息,请参阅使用 Web 爬网程序数据来源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

  • 如果你使用 Amazon S3 存储桶,用于存储您的种子列表URLs或站点地图,包括访问权限 Amazon S3 桶。

注意

你可以连接 Amazon Kendra Web Crawler 数据源到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

如果您将种子URLs或站点地图存储在 Amazon S3 存储桶,您必须向角色添加此权限。

,
{"Effect": "Allow",
     "Action": [
         "s3:GetObject"
      ],
      "Resource": [
         "arn:aws:s3:::bucket-name/*"
      ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用时 Amazon WorkDocs,您为角色提供以下策略

  • 验证与您对应的目录 ID(组织 ID)的权限 Amazon WorkDocs 站点存储库。

  • 获取包含您的 Active Directory 域名的权限 Amazon WorkDocs 网站目录。

  • 允许致电APIs所需的公众 Amazon WorkDocs 连接器。

  • 调用BatchPutDocumentBatchDeleteDocumentAPIs更新索引的权限。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsKendraToGetDomainNameOfActiveDirectory",
      "Effect": "Allow",
      "Action": "ds:DescribeDirectories",
      "Resource": "*"
    },
    {
      "Sid": "AllowsKendraToCallRequiredWorkDocsAPIs",
      "Effect": "Allow",
      "Action": [
        "workdocs:GetDocumentPath",
        "workdocs:GetGroup",
        "workdocs:GetDocument",
        "workdocs:DownloadDocumentVersions",
        "workdocs:DescribeUsers",
        "workdocs:DescribeFolderContents",
        "workdocs:DescribeActivities",
        "workdocs:DescribeComments",
        "workdocs:GetFolder",
        "workdocs:DescribeResourcePermissions",
        "workdocs:GetFolderPath",
        "workdocs:DescribeInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "iamPassRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "kendra.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AllowsKendraToCallBatchPutDeleteAPIs",
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:account-id:index/$index-id"
      ]
    }
  ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Box 时,为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Slack 进行身份验证的秘密。

  • 允许呼叫 Box 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Box 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-d}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Confluence Server 作为数据来源时,您需要为角色提供以下策略:

  • 访问权限 AWS Secrets Manager 包含连接到 Confluence 所需的凭据的密钥。有关密钥内容的更多信息,请参阅 Confluence 数据来源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

注意

您可以将 Confluence 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

如果您使用的是VPC,请提供以下政策: Amazon Kendra 访问所需资源。请参阅 。IAM 角色用于数据源,VPC用于所需的策略。

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

对于 Confluence 连接器 v2.0 数据来源,您需要为角色提供以下策略。

  • 访问权限 AWS Secrets Manager 包含 Confluence 身份验证凭据的密钥。有关密钥内容的更多信息,请参阅 Confluence 数据来源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) AWS Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

您还必须附上允许的信任策略 Amazon Kendra 来扮演这个角色。

注意

您可以将 Confluence 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

允许的角色策略 Amazon Kendra 连接到 Confluence。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id",
        "arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
      ]
    }
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Dropbox 时,为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 验证您的 Dropbox 的秘密。

  • 允许向 Dropbox 连接器致电APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Dropbox 数据源关联到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
"Version": "2012-10-17",
  "Statement": [
  {"Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {"Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {"StringLike": {"kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {"Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {"Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Drupal 时,为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Drupal 进行身份验证的秘密。

  • 允许呼叫 Drupal 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以将 Drupal 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

使用时 GitHub,您可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的身份的秘密 GitHub。

  • 允许拨打 GitHub 连接器APIs所需公众的电话。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 GitHub 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Gmail 时,为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 验证您的 Gmail 的秘密。

  • 允许呼叫 Gmailconnecnector APIs 所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Gmail 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
"Version": "2012-10-17",
  "Statement": [
  {"Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {"Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {"StringLike": {"kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {"Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {"Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Google 工作空间云端硬盘数据源时,您需要提供 Amazon Kendra 其角色具有连接到站点所需的权限。其中包括:

  • 获取和解密的权限 AWS Secrets Manager 包含客户帐号电子邮件地址、管理员帐号电子邮件地址和连接 Google 云端硬盘网站所需的私钥。有关密钥内容的更多信息,请参阅 Google Drive 数据来源

  • 使用BatchPutDocument和的权限BatchDeleteDocumentAPIs。

注意

您可以将 Google 云端硬盘数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

使用IBMDB2数据源连接器时,您需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于对您的IBMDB2数据源实例进行身份验证的秘密。

  • 允许呼叫IBMDB2数据源连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将IBMDB2数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Jira 时,为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Jira 进行身份验证的秘密。

  • 允许呼叫 Jira 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Jira 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用微软 Exchange 数据源时,你提供 Amazon Kendra 其角色具有连接到站点所需的权限。其中包括:

注意

你可以将微软 Exchange 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

如果您要将要索引的用户列表存储在 Amazon S3 存储桶,您还必须提供使用 S3 GetObject 操作的权限。以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name/*"
    ],
    "Effect": "Allow"
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com",
          "s3.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用微软 OneDrive 数据源时,你提供 Amazon Kendra 其角色具有连接到站点所需的权限。其中包括:

注意

你可以将 Microsoft OneDrive 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

如果您要将要索引的用户列表存储在 Amazon S3 存储桶,您还必须提供使用 S3 GetObject 操作的权限。以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name/*"
    ],
    "Effect": "Allow"
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com",
          "s3.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

对于 Microsoft SharePoint 连接器 v1.0 数据源,您需要为角色提供以下策略。

  • 访问权限 AWS Secrets Manager 包含 SharePoint 站点用户名和密码的密钥。有关密钥内容的更多信息,请参阅 Microsoft SharePoint 数据源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) AWS Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

  • 访问权限 Amazon S3 存储桶,其中包含用于与 SharePoint 站点通信的SSL证书。

您还必须附上允许的信任策略 Amazon Kendra 来扮演这个角色。

注意

你可以将 Microsoft SharePoint 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kendra:BatchPutDocument",
                "kendra:BatchDeleteDocument"
            ],
            "Resource": [
                "arn:aws:kendra:your-region:your-account-id:index/index-id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "kendra.your-region.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

如果您已加密 Amazon S3 包含用于与 SharePoint 站点通信的SSL证书的存储桶,提供要提供的策略 Amazon Kendra 访问密钥。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

对于 Microsoft conn SharePoint ector v2.0 数据源,您需要为角色提供以下策略。

  • 访问权限 AWS Secrets Manager 包含 SharePoint 站点身份验证凭据的密钥。有关密钥内容的更多信息,请参阅 Microsoft SharePoint 数据源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) AWS Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

  • 访问权限 Amazon S3 存储桶,其中包含用于与 SharePoint 站点通信的SSL证书。

您还必须附上允许的信任策略 Amazon Kendra 来扮演这个角色。

注意

你可以将 Microsoft SharePoint 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id",
        "arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
      ]
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/key-name"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:your-region:your-account-id:subnet/subnet-ids",
        "arn:aws:ec2:your-region:your-account-id:security-group/security-group"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:region:account_id:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    
{
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}

如果您已加密 Amazon S3 包含用于与 SharePoint 站点通信的SSL证书的存储桶,提供要提供的策略 Amazon Kendra 访问密钥。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:youraccount-id:key/key-id"
            ]
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Microsoft SQL 服务器时,你为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证你的 Microsoft SQL 服务器实例的秘密。

  • 允许呼叫 Microsoft SQL 服务器连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以将 Microsoft SQL 服务器数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用 Microsoft Teams 数据源时,你提供 Amazon Kendra 其角色具有连接到站点所需的权限。其中包括:

  • 获取和解密的权限 AWS Secrets Manager 包含连接到 Microsoft Teams 所需的客户端 ID 和客户机密钥的密钥。有关密钥内容的更多信息,请参阅 Microsoft Teams 数据来源

注意

你可以将 Microsoft Teams 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:client-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当你使用微软 Yammer 数据源时,你提供 Amazon Kendra 其角色具有连接到站点所需的权限。其中包括:

注意

你可以将 Microsoft Yammer 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

如果您要将要索引的用户列表存储在 Amazon S3 存储桶,您还必须提供使用 S3 GetObject 操作的权限。以下 IAM 策略提供了必要的权限:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name/*"
    ],
    "Effect": "Allow"
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/[[key-ids]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com",
          "s3.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

使用 “我的SQL数据源” 连接器时,您可以为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的 “我的SQL数据源” 实例的秘密。

  • 允许呼叫 “我的SQL数据源” 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 “我的SQL数据源” 连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Oracle 数据来源连接器时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于对您的 Oracle 数据源实例进行身份验证的密钥。

  • 有权呼叫 Oracle 数据源连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Oracle 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

使用 Postgre SQL 数据源连接器时,您需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的 Postgre SQL 数据源实例的秘密。

  • 允许呼叫 Postgre SQL 数据源连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以将 Postgre SQL 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.*.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Quip 时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 用于验证您的 Quip 的秘密。

  • 允许呼叫 Quip 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

您可以将 Quip 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{yoour-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{your-index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{your-index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Salesforce 作为数据来源时,需要为角色提供以下策略:

  • 访问权限 AWS Secrets Manager 包含 Salesforce 网站的用户名和密码的密钥。有关清单报告内容的更多信息,请参阅 Salesforce 数据来源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

注意

你可以将 Salesforce 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 ServiceNow 作为数据源时,您需要为角色提供以下策略:

  • 访问权限 Secrets Manager 包含 ServiceNow 站点用户名和密码的密钥。有关密钥内容的更多信息,请参阅ServiceNow 数据源

  • 使用权限 AWS KMS 用于解密存储的用户名和密码密钥的客户主密钥 (CMK) Secrets Manager.

  • 使用 BatchPutDocumentBatchDeleteDocument 操作更新索引的权限。

注意

您可以将 ServiceNow 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.your-region.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Slack 时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Slack 进行身份验证的秘密。

  • 允许呼叫 Slack 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以将 Slack 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

当您使用 Zendesk 时,需要为角色提供以下策略。

  • 访问您的 AWS Secrets Manager 对你的 Zendesk 套件进行身份验证的秘密。

  • 允许呼叫 Zendesk 连接器APIs所需的公众。

  • 允许调用BatchPutDocumentBatchDeleteDocumentPutPrincipalMappingDeletePrincipalMappingDescribePrincipalMapping、和ListGroupsOlderThanOrderingIdAPIs。

注意

你可以将 Zendesk 数据源连接到 Amazon Kendra 通过 Amazon VPC。 如果你使用的是 Amazon VPC,则需要添加其他权限

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetSecretValue"
    ],
    "Resource": [
      "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt"
    ],
    "Resource": [
      "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
    ],
    "Condition": {
      "StringLike": {
        "kms:ViaService": [
          "secretsmanager.{{your-region}}.amazonaws.com"
        ]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
    ],
    "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
  },
  {
    "Effect": "Allow",
    "Action": [
      "kendra:BatchPutDocument",
      "kendra:BatchDeleteDocument"
    ],
    "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

虚拟私有云 (VPC) IAM role

如果您使用虚拟私有云 (VPC) 连接到数据源,则必须提供以下额外权限。

{
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
        "arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    
{
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

IAM 常见问题解答的角色 (FAQs)

使用将问题和答案加载CreateFaqAPI到索引中时,必须提供 Amazon Kendra 用一个 IAM 具有访问权限的角色 Amazon S3 包含源文件的存储桶。如果源文件已加密,则必须提供使用权限 AWS KMS 用于解密文件的客户主密钥 (CMK)。

必需的角色策略才能允许 Amazon Kendra 访问 Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

允许的可选角色策略 Amazon Kendra 使用 AWS KMS 用于解密文件中的客户主密钥 (CMK) Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ],
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "kendra.your-region.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

IAM 查询建议的角色

当你使用 Amazon S3 file 作为查询建议屏蔽列表,则提供一个有权访问的角色 Amazon S3 文件和 Amazon S3 桶。如果是屏蔽列表文本文件 ( Amazon S3 文件)在 Amazon S3 存储桶已加密,您必须提供使用权限 AWS KMS 用于解密文档的客户主密钥 (CMK)。

必需的角色策略才能允许 Amazon Kendra 使用 Amazon S3 file 作为您的查询建议屏蔽列表。

{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

允许的可选角色策略 Amazon Kendra 使用 AWS KMS 用于解密文档的客户主密钥 (CMK) Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

IAM 用于用户和组的主体映射的角色

当您使用将用户映射PutPrincipalMappingAPI到他们的群组以按用户上下文筛选搜索结果时,您需要提供属于某个群组的用户或子群组的列表。如果您的列表中有一个群组的用户或子群组超过 1000 个,则需要提供一个有权访问该群组的角色 Amazon S3 你的清单文件和 Amazon S3 桶。如果是文本文件 ( Amazon S3 file) 列表中的列表 Amazon S3 存储桶已加密,您必须提供使用权限 AWS KMS 用于解密文档的客户主密钥 (CMK)。

必需的角色策略才能允许 Amazon Kendra 使用 Amazon S3 file 作为属于某个群组的用户和子群组的列表。

{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/*"
            ]
        }
    ]
}

允许的可选角色策略 Amazon Kendra 使用 AWS KMS 用于解密文档的客户主密钥 (CMK) Amazon S3 桶。

{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": [
                "arn:aws:kms:your-region:your-account-id:key/key-id"
            ]
        }
    ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

建议您在信任策略中包含 aws:sourceAccountaws:sourceArn。这会限制权限并安全地检查aws:sourceAccountaws:sourceArn是否与中提供的相同 IAM sts:AssumeRole操作的角色策略。这样可以防止未经授权的实体访问您的 IAM 角色及其权限。有关更多信息,请参阅 AWS Identity and Access Management 关于困惑的副手问题的指南。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "kendra.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "your-account-id"
                },
                "StringLike": {
                    "aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
                }
            }
        }
    ]
}

IAM 的角色 AWS IAM Identity Center

当您使用UserGroupResolutionConfiguration对象从中获取群组和用户的访问权限级别时 AWS IAM Identity Center 身份源,你需要提供一个有权访问的角色 IAM Identity Center.

必需的角色策略才能允许 Amazon Kendra 访问 IAM Identity Center.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:SearchUsers",
                "sso-directory:ListGroupsForUser",
                "sso-directory:DescribeGroups",
                "sso:ListDirectoryAssociations"
            ],
            "Resource": [
                 "*"
            ]
        },
        {
          "Sid": "iamPassRole",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": [
                "kendra.amazonaws.com"
              ]
            }
          }
        }
     ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

IAM 的角色 Amazon Kendra 经验

使用或创建CreateExperienceUpdateExperienceAPIs更新搜索应用程序时,必须提供一个有权访问必要操作和 Ident IAM ity Center 的角色。

必需的角色策略才能允许 Amazon Kendra 访问存储您的用户和群组信息的QueryQuerySuggestionsSubmitFeedback操作、操作、操作和IAM身份中心。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowsKendraSearchAppToCallKendraApi",
      "Effect": "Allow",
      "Action": [
        "kendra:GetQuerySuggestions",
        "kendra:Query",
        "kendra:DescribeIndex",
        "kendra:ListFaqs",
        "kendra:DescribeDataSource",
        "kendra:ListDataSources",
        "kendra:DescribeFaq",
        "kendra:SubmitFeedback"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id"
      ]
    },
    {
      "Sid": "AllowKendraSearchAppToDescribeDataSourcesAndFaq",
      "Effect": "Allow",
      "Action": [
        "kendra:DescribeDataSource",
        "kendra:DescribeFaq"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/data-source-id",
        "arn:aws:kendra:your-region:your-account-id:index/index-id/faq/faq-id"
      ]
    },
    {
      "Sid": "AllowKendraSearchAppToCallSSODescribeUsersAndGroups",
      "Effect": "Allow",
      "Action": [
        "sso-directory:ListGroupsForUser",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeGroup",
        "sso-directory:DescribeGroups",
        "sso-directory:DescribeUsers",
        "sso:ListDirectoryAssociations"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "kendra.your-region.amazonaws.com"
          ]
        }
      }
    }
  ]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

建议您在信任策略中包含 aws:sourceAccountaws:sourceArn。这会限制权限并安全地检查aws:sourceAccountaws:sourceArn是否与中提供的相同 IAM sts:AssumeRole操作的角色策略。这样可以防止未经授权的实体访问您的 IAM 角色及其权限。有关更多信息,请参阅 AWS Identity and Access Management 关于困惑的副手问题的指南。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "kendra.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "your-account-id"
                },
                "StringLike": {
                    "aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
                }
            }
        }
    ]
}

IAM 自定义文档扩充的角色

当您使用该CustomDocumentEnrichmentConfiguration对象对文档元数据和内容进行高级更改时,必须提供一个具有运行和 PreExtractionHookConfiguration /或PostExtractionHookConfiguration所需权限的角色。您可以配置 Lambda 函数,以便 PreExtractionHookConfiguration 和/或 PostExtractionHookConfiguration 在提取过程中对文档元数据和内容进行高级更改。如果您选择为自己激活服务器端加密 Amazon S3 存储桶,您必须提供使用权限 AWS KMS 客户主密钥 (CMK) 用于加密和解密存储在您的中的对象 Amazon S3 桶。

必需的角色策略才能允许 Amazon Kendra 运行PreExtractionHookConfigurationPostExtractionHookConfiguration为您加密 Amazon S3 桶。

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name/*"
    ],
    "Effect": "Allow"
  },
  {
    "Action": [
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name"
    ],
    "Effect": "Allow"
  },
  {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": [
      "arn:aws:kms:your-region:your-account-id:key/key-id"
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:your-region:your-account-id:function:lambda-function"
  }]
}

允许的可选角色策略 Amazon Kendra 可以运行PreExtractionHookConfigurationPostExtractionHookConfiguration无需加密 Amazon S3 桶。

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "s3:GetObject",
      "s3:PutObject"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name/*"
    ],
    "Effect": "Allow"
  },
  {
    "Action": [
      "s3:ListBucket"
    ],
    "Resource": [
      "arn:aws:s3:::bucket-name"
    ],
    "Effect": "Allow"
  },
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:your-region:your-account-id:function:lambda-function"
  }]
}

允许的信任政策 Amazon Kendra 来扮演一个角色。

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "Service":"kendra.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

建议您在信任策略中包含 aws:sourceAccountaws:sourceArn。这会限制权限并安全地检查aws:sourceAccountaws:sourceArn是否与中提供的相同 IAM sts:AssumeRole操作的角色策略。这样可以防止未经授权的实体访问您的 IAM 角色及其权限。有关更多信息,请参阅 AWS Identity and Access Management 关于困惑的副手问题的指南。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "kendra.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "your-account-id"
                },
                "StringLike": {
                    "aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
                }
            }
        }
    ]
}