


# Configure permissions to work with CDC streams in Amazon Keyspaces
<a name="configure-cdc-permissions"></a>

To enable CDC streams, the principal (for example, an IAM user or role) needs the following permissions.

For more information about AWS Identity and Access Management, see [AWS Identity and Access Management for Amazon Keyspaces](security-iam.md).

## Permissions to enable a CDC stream for a table
<a name="cdc-permissions-enable"></a>

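To enable a CDC stream for an Amazon Keyspaces table, the principal first needs permissions to create or alter the table, and second needs permissions to create the service-linked role [AWSServiceRoleForAmazonKeyspacesCDC](using-service-linked-roles-CDC-streams.md#service-linked-role-permissions-CDC-streams). Amazon Keyspaces uses the service-linked role to publish CloudWatch metrics to your account on your behalf.

The following IAM policy is an example of this.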

```
{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "cassandra:Create",
                "cassandra:CreateMultiRegionResource",
                "cassandra:Alter",
                "cassandra:AlterMultiRegionResource"
            ],
            "Resource":[
                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/my_keyspace/*",
                "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
            ]
        },
        {
            "Sid": "KeyspacesCDCServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/cassandra-streams.amazonaws.com/AWSServiceRoleForAmazonKeyspacesCDC",
            "Condition": {
              "StringLike": {
                "iam:AWSServiceName": "cassandra-streams.amazonaws.com"
              }
            }
        }
    ]
}
```

To disable a stream, only `ALTER TABLE` permissions are required.

## Permissions to view a CDC stream
<a name="cdc-permissions-view"></a>

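To view or list CDC streams, the principal needs read permissions for the system keyspace. For more information, see [`system_schema_mcs`](working-with-keyspaces.md#keyspace_system_schema_mcs).

The following IAM policy is an example of this.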

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"cassandra:Select",
         "Resource":[
             "arn:aws:cassandra:us-east-1:111122223333:/keyspace/system*"
         ]
      }
   ]
}
```

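To view or list CDC streams with the AWS CLI or the Amazon Keyspaces API, the principal needs additional permissions for the actions `cassandra:ListStreams` and `cassandra:GetStream`.

The following IAM policy is an example of this.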

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cassandra:Select",
        "cassandra:ListStreams",
        "cassandra:GetStream"
      ],
      "Resource": "*"
    }
  ]
}
```

## Permissions to read a CDC stream
<a name="cdc-permissions-read"></a>

To read CDC streams, the principal needs the following permissions.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "cassandra:GetStream",
            "cassandra:GetShardIterator",
            "cassandra:GetRecords"
         ],
         "Resource":[
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/my_keyspace/table/my_table/stream/stream_label"
         ]
      }
   ]
}
```

## Permissions to process Amazon Keyspaces CDC streams with the Kinesis Client Library (KCL)
<a name="cdc-permissions-kcl"></a>

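To process Amazon Keyspaces CDC streams with KCL, the IAM principal needs the following permissions.
+ `Amazon Keyspaces`: Read-only access to the specified Amazon Keyspaces CDC stream.
+ `DynamoDB`: Permissions to create the `shard lease` tables, read and write access to the tables, and read access to the index, as required for KCL stream processing.
+ `CloudWatch`: Permissions to publish metric data from Amazon Keyspaces CDC stream processing with KCL into the namespace of your KCL client application in your CloudWatch account. For more information about monitoring, see [Monitor the Kinesis Client Library with Amazon CloudWatch](https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-kcl.html).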

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "cassandra:GetStream",
            "cassandra:GetShardIterator",
            "cassandra:GetRecords"
         ],
         "Resource":[
            "arn:aws:cassandra:us-east-1:111122223333:/keyspace/my_keyspace/table/my_table/stream/stream_label"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:CreateTable",
            "dynamodb:DescribeTable",
            "dynamodb:UpdateTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateItem",
            "dynamodb:PutItem",
            "dynamodb:DeleteItem",
            "dynamodb:Scan"
         ],
         "Resource":[
            "arn:aws:dynamodb:us-east-1:111122223333:table/KCL_APPLICATION_NAME"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:CreateTable",
            "dynamodb:DescribeTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateItem",
            "dynamodb:PutItem",
            "dynamodb:DeleteItem",
            "dynamodb:Scan"
         ],
         "Resource":[
            "arn:aws:dynamodb:us-east-1:111122223333:table/KCL_APPLICATION_NAME-WorkerMetricStats",
            "arn:aws:dynamodb:us-east-1:111122223333:table/KCL_APPLICATION_NAME-CoordinatorState"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:Query"
         ],
         "Resource":[
            "arn:aws:dynamodb:us-east-1:111122223333:table/KCL_APPLICATION_NAME/index/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "cloudwatch:PutMetricData"
         ],
         "Resource":"*"
      }
   ]
}
```
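The following Python check is an added example, not part of the original AWS documentation. It reports which of the actions listed on this page a policy document does not grant for reading a stream or for KCL processing, and flags `iam:CreateServiceLinkedRole` grants that lack the `iam:AWSServiceName` condition key. The function names and the `SAMPLE` policy are hypothetical, and the check covers only `Action` matching in `Allow` statements.

```python
import fnmatch

# Actions taken from the policies on this page, grouped by task.
READ = ["cassandra:GetStream", "cassandra:GetShardIterator", "cassandra:GetRecords"]
REQUIRED = {
    "read": READ,
    "kcl": READ + ["dynamodb:CreateTable", "dynamodb:DescribeTable",
                   "dynamodb:UpdateTable", "dynamodb:GetItem", "dynamodb:UpdateItem",
                   "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:Scan",
                   "dynamodb:Query", "cloudwatch:PutMetricData"],
}

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _listify(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def _grants(stmt, action):
    # IAM action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _listify(stmt.get("Action", [])))

def missing_actions(policy, task):
    """Actions required for `task` that no Allow statement grants.
    Simplification: Resource, Condition and Deny are not evaluated."""
    stmts = _allow_statements(policy)
    return [a for a in REQUIRED[task] if not any(_grants(s, a) for s in stmts)]

def unscoped_slr_statements(policy):
    """Indexes (among Allow statements) that grant iam:CreateServiceLinkedRole
    without an iam:AWSServiceName condition key, which the page's policy sets."""
    hits = []
    for i, stmt in enumerate(_allow_statements(policy)):
        keys = {k.lower() for c in stmt.get("Condition", {}).values() for k in c}
        if _grants(stmt, "iam:CreateServiceLinkedRole") and "iam:awsservicename" not in keys:
            hits.append(i)
    return hits

# Constructed sample policy (not from the page): incomplete for KCL processing.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cassandra:Get*", "dynamodb:*Item"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"},
]}

if __name__ == "__main__":
    print("missing for kcl:", missing_actions(SAMPLE, "kcl"))
    print("unscoped SLR statements:", unscoped_slr_statements(SAMPLE))
```
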