本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 的服务角色 AWS HealthOmics
服务角色是一个 AWS Identity and Access Management (IAM) 角色,它向 AWS 服务授予访问您账户中资源的权限。当您启动导入任务或开始运行 AWS HealthOmics 时,您可以为其提供服务角色。
HealthOmics 控制台可以为您创建所需的角色。如果您使用 HealthOmics API 管理资源,请使用 IAM 控制台创建服务角色。有关更多信息,请参阅[创建角色以向委派权限 AWS 服务](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html)。
服务角色必须具有以下信任策略。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "omics.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
信任策略允许 HealthOmics 服务担任该角色。
**Topics**
+ [IAM 服务策略示例](#permissions-service-samplepolicies)
+ [示例 CloudFormation 模板](#permissions-service-sampletemplates)
## IAM 服务策略示例
在这些示例中,资源名称和帐户 IDs 是您可以用实际值替换的占位符。
以下示例显示了可用于启动运行的服务角色的策略。该策略授予访问用于运行的 Amazon S3 输出位置、工作流程日志组和 Amazon ECR 容器的权限。
**注意**
如果您使用呼叫缓存进行运行,请在 s3 权限中添加运行缓存 Amazon S3 位置作为资源。
**Example 用于启动运行的服务角色策略**
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:*"
]
},
{
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchCheckLayerAvailability"
],
"Resource": [
"arn:aws:ecr:us-east-1:123456789012:repository/*"
]
}
]
}
```
以下示例显示了可用于商店导入任务的服务角色的策略。该策略授予访问 Amazon S3 输入位置的权限。
**Example 参考商店作业的服务角色**
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket"
]
}
]
}
```
## 示例 CloudFormation 模板
以下示例 CloudFormation 模板创建了一个服务角色,该角色授予访问名称前缀为前缀的 Amazon S3 存储桶和上传工作流程日志的 HealthOmics 权限。`omics-`
**Example 参考存储、Amazon S3 和 CloudWatch 日志权限**
```
Parameters:
bucketName:
Description: Bucket name
Type: String
Resources:
serviceRole:
Type: AWS::IAM::Role
Properties:
Policies:
- PolicyName: read-reference
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- omics:*
Resource: !Sub arn:${AWS::Partition}:omics:${AWS::Region}:${AWS::AccountId}:referenceStore/*
- PolicyName: read-s3
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- s3:ListBucket
Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}
- Effect: Allow
Action:
- s3:GetObject
- s3:PutObject
Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}/*
- PolicyName: upload-logs
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- logs:DescribeLogStreams
- logs:CreateLogStream
- logs:PutLogEvents
Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:loggroup:/aws/omics/WorkflowLog:log-stream:*
- Effect: Allow
Action:
- logs:CreateLogGroup
Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:loggroup:/aws/omics/WorkflowLog:*
AssumeRolePolicyDocument: |
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Principal": {
"Service": [
"omics.amazonaws.com"
]
}
}
]
}
```