This is a machine-translated version. If the content of this translation differs from the English original, the English original takes precedence.
When you create an index, a data source, or an FAQ, Amazon Kendra needs access to the AWS resources required to create the Amazon Kendra resource. You must create an AWS Identity and Access Management (IAM) policy before you create the Amazon Kendra resource. When you call the operation, you provide the Amazon Resource Name (ARN) of a role that has the policy attached. For example, if you call the BatchPutDocument API to add documents from an Amazon S3 bucket, you provide Amazon Kendra with a role whose policy grants access to that bucket.
You can create a new IAM role in the Amazon Kendra console, or choose an existing IAM role to use. The console lists roles whose role name contains the string "kendra" or "Kendra".
The following topics describe the required policies in detail. If you create the IAM role with the Amazon Kendra console, these policies are created for you.
IAM roles for indexes
When you create an index, you must provide an IAM role with permission to write to Amazon CloudWatch. You must also provide a trust policy that allows Amazon Kendra to assume the role. The following are the policies you must provide.
A role policy that allows Amazon Kendra access to CloudWatch Logs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "cloudwatch:PutMetricData",
"Resource": "*",
"Condition": {
"StringEquals": {
"cloudwatch:namespace": "AWS/Kendra"
}
}
},
{
"Effect": "Allow",
"Action": "logs:DescribeLogGroups",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
}
]
}
A role policy that allows Amazon Kendra access to AWS Secrets Manager. If you use Secrets Manager as the key location for user context, you can use the following policy.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":"cloudwatch:PutMetricData",
"Resource":"*",
"Condition":{
"StringEquals":{
"cloudwatch:namespace":"AWS/Kendra"
}
}
},
{
"Effect":"Allow",
"Action":"logs:DescribeLogGroups",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"logs:CreateLogGroup",
"Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
},
{
"Effect":"Allow",
"Action":[
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource":"arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
},
{
"Effect":"Allow",
"Action":[
"secretsmanager:GetSecretValue"
],
"Resource":[
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect":"Allow",
"Action":[
"kms:Decrypt"
],
"Resource":[
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition":{
"StringLike":{
"kms:ViaService":[
"secretsmanager.your-region.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for the BatchPutDocument API
Warning
Amazon Kendra doesn't use a bucket policy that grants permissions to an Amazon Kendra principal to interact with an S3 bucket. It uses IAM roles instead. Make sure Amazon Kendra isn't included as a trusted member in your bucket policy, to avoid any data security issues from inadvertently granting permissions to arbitrary principals. However, you can add a bucket policy to use an Amazon S3 bucket across different accounts. For more information, see Policies to use Amazon S3 across accounts. For information on IAM roles for S3 data sources, see IAM roles.
When you use the BatchPutDocument API to index documents in an Amazon S3 bucket, you must provide Amazon Kendra with an IAM role that has access to the bucket. You must also provide a trust policy that allows Amazon Kendra to assume the role. If the documents in the bucket are encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt the documents.
A required role policy that allows Amazon Kendra to access an Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
We recommend that you include aws:sourceAccount and aws:sourceArn in the trust policy. This restricts the permissions and securely checks that the aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from accessing your IAM roles and their permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index/*"
}
}
}
]
}
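The check recommended above, as an added Python example that is not part of the AWS documentation: it reads a trust policy document and reports, for every Allow statement that lets kendra.amazonaws.com call sts:AssumeRole, whether the aws:SourceAccount and aws:SourceArn conditions are present and whether they pin the role to the expected account and to a Kendra index ARN in that account. The account ID 111122223333, the region us-east-1 and both policy documents are constructed sample inputs; the unscoped document mirrors the plain trust policy shown earlier in this section, the scoped one mirrors the policy with conditions directly above.

```python
import json

# Constructed sample inputs (not from the AWS documentation): the trust policy
# without conditions and the same policy with the recommended conditions added.
ACCOUNT_ID = "111122223333"
TRUST_POLICY_UNSCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "kendra.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")
TRUST_POLICY_SCOPED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["kendra.amazonaws.com"]},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "111122223333"},
      "StringLike": {"aws:SourceArn": "arn:aws:kendra:us-east-1:111122223333:index/*"}
    }
  }]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key):
    """Return the values of a condition key under whichever operator carries it."""
    for values in condition.values():
        if isinstance(values, dict) and key in values:
            return _as_list(values[key])
    return None


def check_kendra_trust_policy(policy, account_id):
    """Return findings for each Allow/AssumeRole statement that trusts kendra.amazonaws.com.

    An empty list means every such statement is pinned to the expected account and to
    a Kendra index ARN in that account, which is what the guidance above asks for.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: any principal may assume this role")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "kendra.amazonaws.com" not in services:
            continue
        condition = stmt.get("Condition", {})
        source_account = _condition_values(condition, "aws:SourceAccount")
        source_arn = _condition_values(condition, "aws:SourceArn")
        if source_account is None:
            findings.append(f"statement {i}: missing aws:SourceAccount condition")
        elif source_account != [account_id]:
            findings.append(f"statement {i}: aws:SourceAccount {source_account} is not {account_id}")
        if source_arn is None:
            findings.append(f"statement {i}: missing aws:SourceArn condition")
        elif not all(a.startswith("arn:aws:kendra:") and f":{account_id}:index/" in a for a in source_arn):
            findings.append(f"statement {i}: aws:SourceArn {source_arn} is not a Kendra index ARN in {account_id}")
    return findings


if __name__ == "__main__":
    for name, document in (("unscoped", TRUST_POLICY_UNSCOPED), ("scoped", TRUST_POLICY_SCOPED)):
        print(name, check_kendra_trust_policy(document, ACCOUNT_ID) or "ok")
```

Run it against the trust policy the console generated for an existing role (for example the output of `aws iam get-role`, which returns the document under AssumeRolePolicyDocument) to confirm the conditions were actually applied; the unscoped document produces two findings, the scoped one none.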
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in an Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
IAM roles for data sources
When you use the CreateDataSource API, you must give Amazon Kendra an IAM role that has permission to access the resources. The specific permissions required depend on the data source.
When you use Adobe Experience Manager, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Adobe Experience Manager.
- Permission to call the public APIs required by the Adobe Experience Manager connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Adobe Experience Manager data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
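The connector policy above, and every data-source policy that follows on this page, is a template with {{...}} and [[...]] placeholders. The following is an added Python example, not code from the AWS documentation, that fills those placeholders, refuses to render while any placeholder is left unfilled (which is how a misspelled placeholder such as {{your-accoount-id}} is caught before the policy reaches IAM), and then lints the rendered document for the properties these policies share: Kendra actions scoped to the index ARN, kms:Decrypt restricted with a kms:ViaService condition, and every ARN in the expected account. The template has the same statements as the Adobe Experience Manager policy; the account ID 111122223333, the region and all resource identifiers are constructed sample values.

```python
import json
import re

# Placeholders on this page appear as {{name}} (values you supply) or [[name]]
# (resource identifiers); everything else in the ARN is literal.
PLACEHOLDER = re.compile(r"\{\{([A-Za-z0-9_-]+)\}\}|\[\[([A-Za-z0-9_-]+)\]\]")

# Constructed template with the same shape as the connector policies on this page.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": ["arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"]
    },
    {
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"],
      "Condition": {"StringLike": {"kms:ViaService": ["secretsmanager.{{your-region}}.amazonaws.com"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["kendra:PutPrincipalMapping", "kendra:DeletePrincipalMapping",
                 "kendra:ListGroupsOlderThanOrderingId", "kendra:DescribePrincipalMapping"],
      "Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
                   "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["kendra:BatchPutDocument", "kendra:BatchDeleteDocument"],
      "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
    }
  ]
}"""

# The same template with one misspelled placeholder, the kind of typo that silently
# produces an ARN nothing will ever match.
TEMPLATE_WITH_TYPO = TEMPLATE.replace("{{your-account-id}}:index", "{{your-accoount-id}}:index", 1)

# Constructed values; none of these identify a real account or resource.
VALUES = {
    "your-region": "us-east-1",
    "your-account-id": "111122223333",
    "index-id": "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
    "secret-id": "AmazonKendra-aem-AbCdEf",
    "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab",
}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_placeholders(template, values):
    """Names of placeholders in the template that have no value supplied."""
    names = {m.group(1) or m.group(2) for m in PLACEHOLDER.finditer(template)}
    return sorted(names - set(values))


def render_policy(template, values):
    """Fill every placeholder and parse the result; refuse to render a partial policy."""
    missing = missing_placeholders(template, values)
    if missing:
        raise KeyError(f"no value for placeholder(s): {missing}")
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1) or m.group(2)], template))


def expected_index_arn(values):
    return f"arn:aws:kendra:{values['your-region']}:{values['your-account-id']}:index/{values['index-id']}"


def lint_policy(policy, account_id, index_arn):
    """Report statements that are broader than the policies on this page intend."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a.startswith("kendra:") for a in actions):
            if not all(r == index_arn or r.startswith(index_arn + "/") for r in resources):
                findings.append(f"statement {i}: kendra actions are not scoped to {index_arn}")
        if "kms:Decrypt" in actions and "kms:ViaService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"statement {i}: kms:Decrypt without a kms:ViaService condition")
        for r in resources:
            parts = r.split(":")
            # S3 ARNs carry no account field; every other ARN here must be in our account.
            if r.startswith("arn:") and parts[2] != "s3" and parts[4] != account_id:
                findings.append(f"statement {i}: {r} is not in account {account_id}")
    return findings


if __name__ == "__main__":
    print(json.dumps(render_policy(TEMPLATE, VALUES), indent=2))
    print("typo check:", missing_placeholders(TEMPLATE_WITH_TYPO, VALUES))
```

Fill VALUES from your own environment, render, and run the rendered document through `lint_policy` before attaching it; the one-character typo in TEMPLATE_WITH_TYPO is reported by name rather than ending up in a resource ARN.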
When you use Alfresco, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Alfresco.
- Permission to call the public APIs required by the Alfresco connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Alfresco data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Aurora (MySQL), you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Aurora (MySQL).
- Permission to call the public APIs required by the Aurora (MySQL) connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Aurora (MySQL) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Aurora (PostgreSQL), you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Aurora (PostgreSQL).
- Permission to call the public APIs required by the Aurora (PostgreSQL) connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Aurora (PostgreSQL) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Amazon FSx, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Amazon FSx file system.
- Permission to access the Amazon Virtual Private Cloud (VPC) where your Amazon FSx file system resides.
- Permission to get the Active Directory domain name of your Amazon FSx file system.
- Permission to call the public APIs required by the Amazon FSx connector.
- Permission to call the BatchPutDocument and BatchDeleteDocument APIs to update the index.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:{{secret-id}}"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action":[
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.*.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Sid": "AllowsKendraToGetDomainNameOfActiveDirectory",
"Effect": "Allow",
"Action": "ds:DescribeDirectories",
"Resource": "*"
},
{
"Sid": "AllowsKendraToCallRequiredFsxAPIs",
"Effect": "Allow",
"Action": [
"fsx:DescribeFileSystems"
],
"Resource": "*"
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"kendra.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a database as a data source, you provide Amazon Kendra with a role that has the permissions required to connect to it. These include:
- Permission to access the AWS Secrets Manager secret that contains the user name and password for the site. For more information about the contents of the secret, see Data sources.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the site.
Note
You can connect your database data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
There are two optional policies you can use with your data source.
If the Amazon S3 bucket that contains the SSL certificate used for communication is encrypted, provide Amazon Kendra with a policy that allows access to the key.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
If you are using a VPC, provide Amazon Kendra with a policy that allows access to the required resources. For the required policy, see the IAM roles for data sources that use a VPC.
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (Microsoft SQL Server) data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Amazon RDS (Microsoft SQL Server) data source instance.
- Permission to call the public APIs required by the Amazon RDS (Microsoft SQL Server) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (Microsoft SQL Server) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (MySQL) data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Amazon RDS (MySQL) data source instance.
- Permission to call the public APIs required by the Amazon RDS (MySQL) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (MySQL) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (Oracle) data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Amazon RDS (Oracle) data source instance.
- Permission to call the public APIs required by the Amazon RDS (Oracle) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (Oracle) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Amazon RDS (PostgreSQL) data source connector, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Amazon RDS (PostgreSQL) data source instance.
- Permission to call the public APIs required by the Amazon RDS (PostgreSQL) data source connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Amazon RDS (PostgreSQL) data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
Warning
Amazon Kendra doesn't use a bucket policy that grants permissions to an Amazon Kendra principal to interact with an S3 bucket. Instead, it uses IAM roles. Make sure Amazon Kendra isn't included as a trusted member in your bucket policy, to avoid any data security issues from inadvertently granting permissions to arbitrary principals. However, you can add a bucket policy to use an Amazon S3 bucket across different accounts. For more information, see Policies to use Amazon S3 across accounts (scroll down).
When you use an Amazon S3 bucket as a data source, you provide a role that has permission to access the bucket and to use the BatchPutDocument and BatchDeleteDocument operations. If the documents in the Amazon S3 bucket are encrypted, you must provide permission to use the AWS KMS customer master key (CMK) to decrypt the documents.
The following role policy is attached to the role that Amazon Kendra assumes. Continue scrolling down for the trust policy that allows Amazon Kendra to assume the role.
A required role policy that allows Amazon Kendra to use an Amazon S3 bucket as a data source.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in an Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
An optional role policy that allows Amazon Kendra to access an Amazon S3 bucket when using Amazon VPC, without AWS KMS enabled or AWS KMS permissions shared.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{{data-source-id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
An optional role policy that allows Amazon Kendra to access an Amazon S3 bucket when using Amazon VPC, with AWS KMS permissions enabled.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{{bucket-name}}"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/{{key-id}}"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"s3.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]",
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:security-group/[[security-group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{your-account-id}}_{{index-id}}_{{data-source-id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{your-region}}:{{your-account-id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:AuthorizedService": "kendra.amazonaws.com"
},
"ArnEquals": {
"ec2:Subnet": [
"arn:aws:ec2:{{your-region}}:{{your-account-id}}:subnet/[[subnet-ids]]"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": [
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
"arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
Policies to use Amazon S3 across accounts
If your Amazon S3 bucket is in a different account from the account you use for your Amazon Kendra index, you can create policies to use the bucket across accounts.
A role policy to use your bucket as a data source when the Amazon S3 bucket is in a different account from your Amazon Kendra index. Note that s3:PutObject and s3:PutObjectAcl are optional; you use them if you want to include a configuration file for access control lists.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:$your-region:$your-account-id:index/$index-id"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::$bucket-in-other-account/*"
}
]
}
A bucket policy that allows the Amazon S3 data source role to access the Amazon S3 bucket across accounts. Note that s3:PutObject and s3:PutObjectAcl are optional; you use them if you want to include a configuration file for access control lists.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "$kendra-s3-connector-role-arn"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::$bucket-in-other-account/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "$kendra-s3-connector-role-arn"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::$bucket-in-other-account"
}
]
}
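An added Python example, not part of the AWS documentation, that applies the warning at the top of the Amazon S3 section to a bucket policy before it is attached: it accepts the cross-account pattern shown directly above (the data-source role ARN as the principal, resources limited to the bucket) and reports any Allow statement that trusts a service principal such as kendra.amazonaws.com, an anonymous principal, a role that is not on the approved list, or a resource outside the bucket. The bucket name, role ARN and account ID are constructed placeholders in the page's own $-notation, filled with made-up values.

```python
import json

# Constructed sample values (not from the AWS documentation).
KENDRA_S3_CONNECTOR_ROLE_ARN = "arn:aws:iam::111122223333:role/kendra-s3-connector-role"
BUCKET_ARN = "arn:aws:s3:::bucket-in-other-account"

# The cross-account pattern shown above: the data-source role itself is the principal.
BUCKET_POLICY_ROLE_PRINCIPAL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/kendra-s3-connector-role"},
      "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::bucket-in-other-account/*"]
    },
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/kendra-s3-connector-role"},
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-in-other-account"
    }
  ]
}""")

# What the warning on this page says not to do: trusting the service principal directly.
BUCKET_POLICY_SERVICE_PRINCIPAL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "kendra.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-in-other-account/*"
  }]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def bucket_policy_findings(policy, allowed_role_arns, bucket_arn):
    """Return findings for Allow statements that grant more than the approved roles need.

    allowed_role_arns is the set of Kendra data-source role ARNs that may appear as
    principals; everything else (service principals, '*', unknown roles, resources
    outside bucket_arn) is reported.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {i}: grants access to any principal")
            continue
        if not isinstance(principal, dict):
            continue
        for service in _as_list(principal.get("Service")):
            findings.append(f"statement {i}: service principal {service} is trusted directly; "
                            "Amazon Kendra reaches S3 through its IAM role, not a bucket policy")
        for arn in _as_list(principal.get("AWS")):
            if arn not in allowed_role_arns:
                findings.append(f"statement {i}: {arn} is not an approved Kendra data-source role")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in (bucket_arn, bucket_arn + "/*"):
                findings.append(f"statement {i}: resource {resource} is outside {bucket_arn}")
    return findings


if __name__ == "__main__":
    approved = {KENDRA_S3_CONNECTOR_ROLE_ARN}
    print("role principal:", bucket_policy_findings(BUCKET_POLICY_ROLE_PRINCIPAL, approved, BUCKET_ARN) or "ok")
    print("service principal:", bucket_policy_findings(BUCKET_POLICY_SERVICE_PRINCIPAL, approved, BUCKET_ARN))
```

Feed it the document you are about to pass to `aws s3api put-bucket-policy`; the approved-role set is the only input you maintain, so a policy that quietly adds kendra.amazonaws.com or a second role shows up as a finding rather than as a silent widening of who can read the bucket.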
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Amazon Kendra Web Crawler, you provide the role with the following policies:
- Permission to access the AWS Secrets Manager secret that contains the credentials to connect to the websites, or to a web proxy server backed by basic authentication. For more information about the contents of the secret, see Using a web crawler data source.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
- If you use an Amazon S3 bucket to store the seed URL list or sitemaps, include permission to access that Amazon S3 bucket.
Note
You can connect your Amazon Kendra Web Crawler data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
If you store your seed URLs or sitemaps in an Amazon S3 bucket, you must add this statement to the Statement array of the role policy.
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Amazon WorkDocs, you provide the role with the following policies.
- Permission to verify the directory ID (organization ID) that corresponds to your Amazon WorkDocs site repository.
- Permission to get the Active Directory domain name that contains the directory of your Amazon WorkDocs site.
- Permission to call the public APIs required by the Amazon WorkDocs connector.
- Permission to call the BatchPutDocument and BatchDeleteDocument APIs to update the index.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowsKendraToGetDomainNameOfActiveDirectory",
"Effect": "Allow",
"Action": "ds:DescribeDirectories",
"Resource": "*"
},
{
"Sid": "AllowsKendraToCallRequiredWorkDocsAPIs",
"Effect": "Allow",
"Action": [
"workdocs:GetDocumentPath",
"workdocs:GetGroup",
"workdocs:GetDocument",
"workdocs:DownloadDocumentVersions",
"workdocs:DescribeUsers",
"workdocs:DescribeFolderContents",
"workdocs:DescribeActivities",
"workdocs:DescribeComments",
"workdocs:GetFolder",
"workdocs:DescribeResourcePermissions",
"workdocs:GetFolderPath",
"workdocs:DescribeInstances"
],
"Resource": "*"
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"kendra.amazonaws.com"
]
}
}
},
{
"Sid": "AllowsKendraToCallBatchPutDeleteAPIs",
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Box, you provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Box.
- Permission to call the public APIs required by the Box connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect your Box data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Confluence Server as a data source, you provide the role with the following policies:
- Permission to access the AWS Secrets Manager secret that contains the credentials required to connect to Confluence. For more information about the contents of the secret, see Confluence data sources.
- Permission to use the AWS KMS customer master key (CMK) to decrypt the user name and password secret stored by Secrets Manager.
- Permission to use the BatchPutDocument and BatchDeleteDocument operations to update the index.
Note
You can connect your Confluence data source to Amazon Kendra through Amazon VPC. If you use an Amazon VPC, you need to add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region
.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region
:your-account-id
:index/index-id
"
}]
}
If you use a VPC, provide Amazon Kendra with a policy that allows access to the required resources. For the required policy, see IAM roles for data sources (VPC).
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
For a Confluence connector v2.0 data source, provide the role with the following policies.
-
Permission to access the AWS Secrets Manager secret that contains the Confluence authentication credentials. For more information about the contents of the secret, see Confluence data source.
-
Permission to use the AWS KMS customer managed key (CMK) to decrypt the username and password secret stored in AWS Secrets Manager.
-
Permission to update the index using the BatchPutDocument and BatchDeleteDocument operations.
-
Permission to call the PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs on the index and its data sources.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Note
You can connect Amazon Kendra to your Confluence data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
A role policy that allows Amazon Kendra to connect to Confluence.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id",
        "arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Dropbox, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to Dropbox.
-
Permission to call the public APIs required by the Dropbox connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Dropbox data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.{{your-region}}.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Drupal, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to Drupal.
-
Permission to call the public APIs required by the Drupal connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Drupal data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use GitHub, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to GitHub.
-
Permission to call the public APIs required by the GitHub connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your GitHub data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Gmail, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to Gmail.
-
Permission to call the public APIs required by the Gmail connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Gmail data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.{{your-region}}.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}",
        "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Google Workspace Drive data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
-
Permission to get and decrypt the AWS Secrets Manager secret that contains the client account email, the admin account email address and the private key required to connect to the Google Drive site. For more information about the contents of the secret, see Google Drive data source.
-
Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect Amazon Kendra to your Google Drive data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the IBM DB2 data source connector, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to your IBM DB2 data source instance.
-
Permission to call the public APIs required by the IBM DB2 data source connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your IBM DB2 data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Jira, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to Jira.
-
Permission to call the public APIs required by the Jira connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Jira data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Exchange data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
-
Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the Microsoft Exchange site. For more information about the contents of the secret, see Microsoft Exchange data source.
-
Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect Amazon Kendra to your Microsoft Exchange data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. If the bucket is encrypted with a different AWS KMS key from the secret, list that key's ARN in the kms:Decrypt statement as well; the kms:ViaService condition then has to allow both Secrets Manager and S3. The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com",
            "s3.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft OneDrive data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
-
Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the OneDrive site. For more information about the contents of the secret, see Microsoft OneDrive data source.
-
Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect Amazon Kendra to your Microsoft OneDrive data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. If the bucket is encrypted with a different AWS KMS key from the secret, list that key's ARN in the kms:Decrypt statement as well. The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com",
            "s3.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
For a Microsoft SharePoint connector v1.0 data source, provide the role with the following policies.
-
Permission to access the AWS Secrets Manager secret that contains the username and password for the SharePoint site. For more information about the contents of the secret, see Microsoft SharePoint data source.
-
Permission to use the AWS KMS customer managed key (CMK) to decrypt the username and password secret stored in AWS Secrets Manager.
-
Permission to update the index using the BatchPutDocument and BatchDeleteDocument operations.
-
Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Keep the kms:ViaService condition on the kms:Decrypt statement, where it limits use of the key to decrypt calls made through Secrets Manager. A kms:ViaService condition attached to the kendra:BatchPutDocument statement can never be satisfied, because that key is only present on KMS requests, so the statement would grant nothing and indexing would fail.
Note
You can connect Amazon Kendra to your Microsoft SharePoint data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ]
}
If the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site is encrypted, provide Amazon Kendra with a policy that allows access to the key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ]
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
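Every connector policy on this page has the same shape: read one Secrets Manager secret, decrypt it with one KMS key only when the call comes through Secrets Manager, write to one index and, for some connectors, map principals and read an SSL certificate from S3. The script below is an added example and is not code from the Amazon Kendra documentation. It builds that policy from parameters and then lints a policy document for the mistakes that make these role policies fail silently or over-grant: leftover placeholders in ARNs, a kms:Decrypt statement with no kms:ViaService condition, a kms:ViaService condition on a non-KMS action (it never matches, so the statement grants nothing), and wildcard resources anywhere other than the ec2:Describe* calls that the VPC variant needs. The region, account ID, index ID, secret name and key ID are constructed placeholders. The aws:SourceAccount condition in the generated trust policy goes beyond the trust policy shown on this page; it assumes the index lives in the same account and is there to stop a Kendra index in another account from assuming the role.

```python
"""Build and lint IAM role policies for Amazon Kendra data source connectors.

Added example, not code from the Kendra documentation. All identifiers
below are constructed placeholders, not real AWS resources.
"""
import json
import re

REGION = "us-east-1"                                # constructed
ACCOUNT = "111122223333"                            # constructed
INDEX_ID = "0123abcd-0123-4567-89ab-0123456789ab"  # constructed
SECRET_ID = "AmazonKendra-confluence-abc123"        # constructed
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"     # constructed

PRINCIPAL_MAPPING_ACTIONS = [
    "kendra:PutPrincipalMapping",
    "kendra:DeletePrincipalMapping",
    "kendra:ListGroupsOlderThanOrderingId",
    "kendra:DescribePrincipalMapping",
]

# partition:service:region:account:resource; region and account may be empty
# (S3), account must otherwise be 12 digits, so "{{your-account-d}}" fails.
ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def as_list(value):
    return value if isinstance(value, list) else [value]


def connector_policy(region, account, index_id, secret_id, key_id,
                     principal_mapping=False, cert_bucket=None, cert_key="*"):
    """Role policy: read the secret, decrypt it only via Secrets Manager (and S3
    when a certificate object is read), update the index, optionally map
    principals (v2.0-style connectors) and fetch the SSL certificate."""
    index_arn = f"arn:aws:kendra:{region}:{account}:index/{index_id}"
    via = [f"secretsmanager.{region}.amazonaws.com"]
    if cert_bucket:
        via.append(f"s3.{region}.amazonaws.com")
    statements = [
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": [f"arn:aws:secretsmanager:{region}:{account}:secret:{secret_id}"]},
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": [f"arn:aws:kms:{region}:{account}:key/{key_id}"],
         "Condition": {"StringLike": {"kms:ViaService": via}}},
        {"Effect": "Allow",
         "Action": ["kendra:BatchPutDocument", "kendra:BatchDeleteDocument"],
         "Resource": index_arn},
    ]
    if principal_mapping:
        statements.append({"Effect": "Allow", "Action": PRINCIPAL_MAPPING_ACTIONS,
                           "Resource": [index_arn, f"{index_arn}/data-source/*"]})
    if cert_bucket:
        statements.append({"Effect": "Allow", "Action": ["s3:GetObject"],
                           "Resource": [f"arn:aws:s3:::{cert_bucket}/{cert_key}"]})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(account=None):
    """Trust policy for kendra.amazonaws.com. The aws:SourceAccount condition is
    an addition beyond the page (assumption: the index is in `account`)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": "kendra.amazonaws.com"},
            "Action": "sts:AssumeRole"}
    if account:
        stmt["Condition"] = {"StringEquals": {"aws:SourceAccount": account}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def lint_policy(doc):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    for i, stmt in enumerate(doc["Statement"]):
        actions = as_list(stmt["Action"])
        conds = stmt.get("Condition", {})
        has_via = any("kms:ViaService" in keys for keys in conds.values())
        for res in as_list(stmt["Resource"]):
            if res == "*":
                if not all(a.startswith("ec2:Describe") for a in actions):
                    findings.append(f"statement {i}: wildcard resource for {actions}")
            elif not ARN_RE.match(res):
                findings.append(f"statement {i}: malformed ARN {res!r}")
        if "kms:Decrypt" in actions and not has_via:
            findings.append(f"statement {i}: kms:Decrypt without kms:ViaService")
        if has_via and not any(a.startswith("kms:") for a in actions):
            findings.append(f"statement {i}: kms:ViaService on non-KMS actions {actions}")
    return findings


def policy_json(doc):
    """Serialise for `aws iam put-role-policy --policy-document file://...`."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    doc = connector_policy(REGION, ACCOUNT, INDEX_ID, SECRET_ID, KEY_ID,
                           principal_mapping=True, cert_bucket="my-cert-bucket")
    print(policy_json(doc))
    print("findings:", lint_policy(doc))
    print(policy_json(trust_policy(ACCOUNT)))
```

Write the output of policy_json() to a file and attach it with `aws iam put-role-policy`; lint_policy() works equally on a document retrieved with `aws iam get-role-policy`, which is the quick way to check a role that was hand-edited from the templates on this page.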
For a Microsoft SharePoint connector v2.0 data source, provide the role with the following policies.
-
Permission to access the AWS Secrets Manager secret that contains the authentication credentials for the SharePoint site. For more information about the contents of the secret, see Microsoft SharePoint data source.
-
Permission to use the AWS KMS customer managed key (CMK) to decrypt the username and password secret stored in AWS Secrets Manager.
-
Permission to update the index using the BatchPutDocument and BatchDeleteDocument operations.
-
Permission to call the PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs on the index and its data sources.
-
Permission to access the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site.
You must also attach a trust policy that allows Amazon Kendra to assume the role.
Note
You can connect Amazon Kendra to your Microsoft SharePoint data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions. The policy below already includes the Amazon EC2 statements that the VPC configuration requires: network interfaces may only be created in the listed subnets and security group, and the interface and permission statements are scoped by the AWS_KENDRA tag that Amazon Kendra applies.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:PutPrincipalMapping",
        "kendra:DeletePrincipalMapping",
        "kendra:ListGroupsOlderThanOrderingId",
        "kendra:DescribePrincipalMapping"
      ],
      "Resource": [
        "arn:aws:kendra:your-region:your-account-id:index/index-id",
        "arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/key-name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": [
        "arn:aws:ec2:your-region:your-account-id:subnet/subnet-ids",
        "arn:aws:ec2:your-region:your-account-id:security-group/security-group"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateNetworkInterface"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterfacePermission"
      ],
      "Resource": "arn:aws:ec2:your-region:your-account-id:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/AWS_KENDRA": "kendra_your-account-id_index-id_*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "ec2:DescribeNetworkInterfacePermissions",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    }
  ]
}
If the Amazon S3 bucket that contains the SSL certificate used to communicate with the SharePoint site is encrypted, provide Amazon Kendra with a policy that allows access to the key.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ]
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Microsoft SQL Server, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to your Microsoft SQL Server instance.
-
Permission to call the public APIs required by the Microsoft SQL Server connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Microsoft SQL Server data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Teams data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
-
Permission to get and decrypt the AWS Secrets Manager secret that contains the client ID and client secret required to connect to Microsoft Teams. For more information about the contents of the secret, see Microsoft Teams data source.
-
Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect Amazon Kendra to your Microsoft Teams data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use a Microsoft Yammer data source, you provide Amazon Kendra with a role that has the permissions required to connect to the site. These include:
-
Permission to get and decrypt the AWS Secrets Manager secret that contains the application ID and secret key required to connect to the Microsoft Yammer site. For more information about the contents of the secret, see Microsoft Yammer data source.
-
Permission to use the BatchPutDocument and BatchDeleteDocument APIs.
Note
You can connect Amazon Kendra to your Microsoft Yammer data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
If you store the list of users to index in an Amazon S3 bucket, you must also provide permission to use the S3 GetObject operation. If the bucket is encrypted with a different AWS KMS key from the secret, list that key's ARN in the kms:Decrypt statement as well. The following IAM policy provides the necessary permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com",
            "s3.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the MySQL data source connector, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to your MySQL data source instance.
-
Permission to call the public APIs required by the MySQL data source connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your MySQL data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the Oracle data source connector, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to your Oracle data source instance.
-
Permission to call the public APIs required by the Oracle data source connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Oracle data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use the PostgreSQL data source connector, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to your PostgreSQL data source instance.
-
Permission to call the public APIs required by the PostgreSQL data source connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your PostgreSQL data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{region}}:{{account_id}}:secret:[[secret_id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.*.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}", "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{region}}:{{account_id}}:index/{{index_id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Quip, provide the role with the following policies.
-
Permission to access your AWS Secrets Manager secret to authenticate to Quip.
-
Permission to call the public APIs required by the Quip connector.
-
Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Quip data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Salesforce as a data source, provide the role with the following policies:
-
Permission to access the AWS Secrets Manager secret that contains the username and password for the Salesforce site. For more information about the contents of the secret, see Salesforce data source.
-
Permission to use the AWS KMS customer managed key (CMK) to decrypt the username and password secret stored in AWS Secrets Manager.
-
Permission to update the index using the BatchPutDocument and BatchDeleteDocument operations.
Note
You can connect Amazon Kendra to your Salesforce data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:your-region:your-account-id:key/key-id"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "secretsmanager.your-region.amazonaws.com"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "kendra:BatchPutDocument",
        "kendra:BatchDeleteDocument"
      ],
      "Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
    }
  ]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use ServiceNow as a data source, provide the role with the following policies:
-
Permission to access the AWS Secrets Manager secret that contains the username and password for the ServiceNow site. For more information about the contents of the secret, see ServiceNow data source.
-
Permission to use the AWS KMS customer managed key (CMK) to decrypt the username and password secret stored in AWS Secrets Manager.
-
Permission to update the index using the BatchPutDocument and BatchDeleteDocument operations.
Note
You can connect Amazon Kendra to your ServiceNow data source through an Amazon VPC. If you use an Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:your-region:your-account-id:secret:secret-id"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.your-region.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:your-region:your-account-id:index/index-id"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Slack, you must provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Slack.
- Permission to call the public APIs required by the Slack connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Slack data source through Amazon VPC. If you use Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
When you use Zendesk, you must provide the role with the following policies.
- Permission to access your AWS Secrets Manager secret to authenticate to your Zendesk Suite.
- Permission to call the public APIs required by the Zendesk connector.
- Permission to call the BatchPutDocument, BatchDeleteDocument, PutPrincipalMapping, DeletePrincipalMapping, DescribePrincipalMapping, and ListGroupsOlderThanOrderingId APIs.
Note
You can connect Amazon Kendra to your Zendesk data source through Amazon VPC. If you use Amazon VPC, you must add additional permissions.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"arn:aws:secretsmanager:{{your-region}}:{{your-account-id}}:secret:[[secret-id]]"
]
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:{{your-region}}:{{your-account-id}}:key/[[key-id]]"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"secretsmanager.{{your-region}}.amazonaws.com"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"kendra:PutPrincipalMapping",
"kendra:DeletePrincipalMapping",
"kendra:ListGroupsOlderThanOrderingId",
"kendra:DescribePrincipalMapping"
],
"Resource": ["arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}", "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}/data-source/*"]
},
{
"Effect": "Allow",
"Action": [
"kendra:BatchPutDocument",
"kendra:BatchDeleteDocument"
],
"Resource": "arn:aws:kendra:{{your-region}}:{{your-account-id}}:index/{{index-id}}"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for virtual private clouds (VPCs)
If you use a virtual private cloud (VPC) to connect to your data source, you must provide the following additional permissions.
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": [
"arn:aws:ec2:{{region}}:{{account_id}}:subnet/[[subnet_ids]]",
"arn:aws:ec2:{{region}}:{{account_id}}:security-group/[[security_group]]"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:RequestTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateNetworkInterface"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": "arn:aws:ec2:{{region}}:{{account_id}}:network-interface/*",
"Condition": {
"StringLike": {
"aws:ResourceTag/AWS_KENDRA": "kendra_{{account_id}}_{{index_id}}_*"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeRegions",
"ec2:DescribeNetworkInterfacePermissions",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for frequently asked questions (FAQs)
When you use the CreateFaq API to load questions and answers into an index, you must provide Amazon Kendra with an IAM role that has access to the Amazon S3 bucket that contains the source files. If the source files are encrypted, you must provide permission to decrypt the files with the AWS KMS customer master key (CMK).
A required role policy that allows Amazon Kendra to access the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt files in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for query suggestions
When you use an Amazon S3 file as a block list for query suggestions, you must provide a role that has access to the Amazon S3 file and the Amazon S3 bucket. If the block list text file in the Amazon S3 bucket is encrypted, you must provide permission to decrypt the document with the AWS KMS customer master key (CMK).
A required role policy that allows Amazon Kendra to use the Amazon S3 file as a block list for query suggestions.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for principal mapping of users and groups
When you use the PutPrincipalMapping API to map users to their groups for filtering search results by user context, you must provide a list of the users or sub groups that belong to a group. If your list has more than 1000 users or sub groups for a group, you must provide a role that has access to your Amazon S3 file of the list and the Amazon S3 bucket. If the text file of the list in the Amazon S3 bucket is encrypted, you must provide permission to decrypt the document with the AWS KMS customer master key (CMK).
A required role policy that allows Amazon Kendra to use the Amazon S3 file as the list of users and sub groups that belong to a group.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
An optional role policy that allows Amazon Kendra to use an AWS KMS customer master key (CMK) to decrypt documents in the Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
It is recommended that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that the aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from accessing your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
}
}
}
]
}
IAM roles for AWS IAM Identity Center
When you use the UserGroupResolutionConfiguration object to fetch access levels of groups and users from an AWS IAM Identity Center identity source, you must provide a role that has access to IAM Identity Center.
A required role policy that allows Amazon Kendra to access IAM Identity Center.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso-directory:SearchUsers",
"sso-directory:ListGroupsForUser",
"sso-directory:DescribeGroups",
"sso:ListDirectoryAssociations"
],
"Resource": [
"*"
]
},
{
"Sid": "iamPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": [
"kendra.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
IAM roles for Amazon Kendra experiences
When you use the CreateExperience or UpdateExperience APIs to create or update your search application, you must provide a role that has access to the required operations and to IAM Identity Center.
A required role policy that allows Amazon Kendra to access the Query operation, the QuerySuggestions operation, the SubmitFeedback operation, and IAM Identity Center, which stores your user and group information.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowsKendraSearchAppToCallKendraApi",
"Effect": "Allow",
"Action": [
"kendra:GetQuerySuggestions",
"kendra:Query",
"kendra:DescribeIndex",
"kendra:ListFaqs",
"kendra:DescribeDataSource",
"kendra:ListDataSources",
"kendra:DescribeFaq",
"kendra:SubmitFeedback"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id"
]
},
{
"Sid": "AllowKendraSearchAppToDescribeDataSourcesAndFaq",
"Effect": "Allow",
"Action": [
"kendra:DescribeDataSource",
"kendra:DescribeFaq"
],
"Resource": [
"arn:aws:kendra:your-region:your-account-id:index/index-id/data-source/data-source-id",
"arn:aws:kendra:your-region:your-account-id:index/index-id/faq/faq-id"
]
},
{
"Sid": "AllowKendraSearchAppToCallSSODescribeUsersAndGroups",
"Effect": "Allow",
"Action": [
"sso-directory:ListGroupsForUser",
"sso-directory:SearchGroups",
"sso-directory:SearchUsers",
"sso-directory:DescribeUser",
"sso-directory:DescribeGroup",
"sso-directory:DescribeGroups",
"sso-directory:DescribeUsers",
"sso:ListDirectoryAssociations"
],
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"kms:ViaService": [
"kendra.your-region.amazonaws.com"
]
}
}
}
]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
It is recommended that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that the aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from accessing your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
}
}
}
]
}
IAM roles for Custom Document Enrichment
When you use the CustomDocumentEnrichmentConfiguration object to apply advanced alterations to your document metadata and content, you must provide a role that has the permissions required to run PreExtractionHookConfiguration and/or PostExtractionHookConfiguration. You configure a Lambda function for PreExtractionHookConfiguration and/or PostExtractionHookConfiguration to apply advanced alterations to your document metadata and content during the ingestion process. If you choose to activate server-side encryption for your Amazon S3 bucket, you must provide permission to use the AWS KMS customer master key (CMK) to encrypt and decrypt the objects stored in your Amazon S3 bucket.
A required role policy that allows Amazon Kendra to run PreExtractionHookConfiguration and PostExtractionHookConfiguration with encryption for your Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": [
"arn:aws:kms:your-region:your-account-id:key/key-id"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:your-region:your-account-id:function:lambda-function"
}]
}
An optional role policy that allows Amazon Kendra to run PreExtractionHookConfiguration and PostExtractionHookConfiguration without encryption for your Amazon S3 bucket.
{
"Version": "2012-10-17",
"Statement": [{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
],
"Effect": "Allow"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:your-region:your-account-id:function:lambda-function"
}]
}
A trust policy that allows Amazon Kendra to assume the role.
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"Service":"kendra.amazonaws.com"
},
"Action":"sts:AssumeRole"
}
]
}
It is recommended that you include aws:sourceAccount and aws:sourceArn in the trust policy. This limits the permissions and securely checks that the aws:sourceAccount and aws:sourceArn are the same as the ones provided in the IAM role policy for the sts:AssumeRole action. This prevents unauthorized entities from accessing your IAM role and its permissions. For more information, see the AWS Identity and Access Management guide on the confused deputy problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"kendra.amazonaws.com"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "your-account-id"
},
"StringLike": {
"aws:SourceArn": "arn:aws:kendra:your-region:your-account-id:index-id/*"
}
}
}
]
}
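As an added example (not part of the AWS documentation), the following Python checker applies the confused deputy recommendation made in this section and in the experience and Custom Document Enrichment sections above: it reads a trust policy and flags any statement that lets kendra.amazonaws.com assume the role without aws:SourceAccount and aws:SourceArn conditions, or with values that do not match the account and index ARN prefix you expect. The two sample policies, the account ID 111122223333 and the region us-east-1 are constructed placeholders.

```python
import json

KENDRA_SERVICE = "kendra.amazonaws.com"


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _condition_values(condition, key):
    """Collect the values for a condition key across all operators (condition keys are case-insensitive)."""
    found = []
    for operator_block in condition.values():
        for cond_key, cond_value in operator_block.items():
            if cond_key.lower() == key.lower():
                found.extend(_as_list(cond_value))
    return found


def check_trust_policy(policy_json, expected_account, expected_arn_prefix):
    """Return findings for Kendra AssumeRole grants; an empty list means every grant carries both guards."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") != "Allow" or KENDRA_SERVICE not in services
                or "sts:AssumeRole" not in _as_list(stmt.get("Action"))):
            continue  # not a grant that lets Kendra assume this role
        condition = stmt.get("Condition", {})
        accounts = _condition_values(condition, "aws:SourceAccount")
        arns = _condition_values(condition, "aws:SourceArn")
        if not accounts:
            findings.append(f"statement {idx}: no aws:SourceAccount condition")
        elif accounts != [expected_account]:
            findings.append(f"statement {idx}: aws:SourceAccount {accounts} != {expected_account}")
        if not arns:
            findings.append(f"statement {idx}: no aws:SourceArn condition")
        elif not all(arn.startswith(expected_arn_prefix) for arn in arns):
            findings.append(f"statement {idx}: aws:SourceArn {arns} outside {expected_arn_prefix}")
    return findings


# Constructed sample: the unguarded trust policy shown on this page.
UNGUARDED = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
             '"Principal":{"Service":"kendra.amazonaws.com"},"Action":"sts:AssumeRole"}]}')

# Constructed sample: the same grant with the recommended conditions (placeholder account and region).
GUARDED = ('{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole",'
           '"Principal":{"Service":["kendra.amazonaws.com"]},"Condition":{"StringEquals":'
           '{"aws:SourceAccount":"111122223333"},"StringLike":{"aws:SourceArn":'
           '"arn:aws:kendra:us-east-1:111122223333:index/*"}}}]}')
```

Running check_trust_policy(UNGUARDED, "111122223333", "arn:aws:kendra:us-east-1:111122223333:") reports both missing conditions, while the guarded policy returns no findings.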