Granting permissions for Batch Operations - Amazon Simple Storage Service

This page is a machine translation of the English original; where the two differ or are ambiguous, the English version prevails.

Granting permissions for Batch Operations

Before you create and run an S3 Batch Operations job, you must grant the necessary permissions. To create an Amazon S3 Batch Operations job, the caller needs the s3:CreateJob permission. The same entity that creates the job must also have the iam:PassRole permission so that it can pass the AWS Identity and Access Management (IAM) role specified for the job to Batch Operations.

For general information about specifying IAM resources, see IAM JSON policy elements: Resource in the IAM User Guide. The following sections describe how to create the IAM role and attach policies to it.

Creating an S3 Batch Operations IAM role

Amazon S3 must have permission to perform S3 Batch Operations on your behalf. You grant these permissions through an AWS Identity and Access Management (IAM) role. This section provides example trust and permissions policies to use when you create the IAM role. For more information, see IAM roles in the IAM User Guide. For examples, see Controlling permissions for Batch Operations using job tags and Copying objects using S3 Batch Operations.

In IAM policies, you can also use condition keys to filter access permissions for S3 Batch Operations jobs. For more information and a complete list of Amazon S3 specific condition keys, see Actions, resources, and condition keys for Amazon S3 in the Service Authorization Reference.

For more information about the permissions that S3 resource types require for S3 API operations, see Required permissions for Amazon S3 API operations.

The following video shows how to set up IAM permissions for a Batch Operations job by using the AWS Management Console.

Trust policy

To allow the S3 Batch Operations service principal to assume the IAM role, attach the following trust policy to the role. Note that it trusts only the batchoperations.s3.amazonaws.com service principal; do not widen the Principal to an account or a wildcard.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "batchoperations.s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attaching permissions policies

Depending on the type of operation, attach one of the following policies to the role.

Before you set up permissions, note the following:

  • Regardless of the operation, Amazon S3 needs permission to read the manifest object from your S3 bucket and, optionally, to write a completion report to your bucket. Therefore, all of the following policies include these permissions.

  • For Amazon S3 Inventory report manifests, S3 Batch Operations needs permission to read the manifest.json object and all of the associated CSV data files.

  • Version-specific permissions such as s3:GetObjectVersion are required only when you specify the version ID of an object.

  • If you run S3 Batch Operations on encrypted objects, the IAM role must also have access to the AWS KMS keys that were used to encrypt the objects.

  • If you submit an Inventory report manifest that is encrypted with AWS KMS, your IAM policy must include the kms:Decrypt and kms:GenerateDataKey permissions for the manifest.json object and all of the associated CSV data files.

  • If the Batch Operations job generates its manifest in a bucket that has access control lists (ACLs) enabled and that belongs to a different AWS account, you must grant the s3:PutObjectAcl permission in the IAM policy of the role configured for the batch job. If you omit this permission, the job fails with the error Error occurred when preparing manifest: Failed to write manifest.

Copy objects: PutObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-source-bucket",
        "arn:aws:s3:::amzn-s3-demo-source-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replace object tags: PutObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Delete object tags: DeleteObjectTagging

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replace access control list: PutObjectAcl

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Restore objects: RestoreObject

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:RestoreObject"],
      "Resource": "arn:aws:s3:::amzn-s3-demo-destination-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Apply Object Lock retention: PutObjectRetention

The s3:BypassGovernanceRetention action lets the job change or remove retention on objects already under governance mode; grant it only if the job actually needs to override existing governance retention.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObjectRetention", "s3:BypassGovernanceRetention"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Apply Object Lock legal hold: PutObjectLegalHold

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetBucketObjectLockConfiguration",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObjectLegalHold",
      "Resource": ["arn:aws:s3:::amzn-s3-demo-destination-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}

Replicate existing objects: InitiateReplication with an S3-generated manifest

Use this policy if you use and store an S3-generated manifest. Because S3 writes the generated manifest for you, the role also needs s3:PutObject on the manifest bucket. For more information about replicating existing objects with Batch Operations, see Replicating existing objects with Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:InitiateReplication"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetReplicationConfiguration", "s3:PutInventoryConfiguration"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*",
        "arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"
      ]
    }
  ]
}

Replicate existing objects: InitiateReplication with a user-supplied manifest

Use this policy if you supply your own manifest. For more information about replicating existing objects with Batch Operations, see Replicating existing objects with Batch Replication.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:InitiateReplication"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-source-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-manifest-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::amzn-s3-demo-completion-report-bucket/*"]
    }
  ]
}
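The following Python script is an added example and is not part of the AWS documentation or of any AWS tooling. It pulls together the three documents this page describes: the job creator's identity policy (s3:CreateJob plus an iam:PassRole statement scoped to the one Batch Operations role rather than "*"), the role trust policy, and a per-operation permissions policy that always carries the manifest-read and completion-report-write statements and adds kms:Decrypt and kms:GenerateDataKey only when the manifest is encrypted with AWS KMS. It then diffs an already-deployed role policy against the required one so that a missing grant is caught before the job is created instead of surfacing as a failed job. The bucket names, role ARN, KMS key ARN and every function name are placeholders invented for this example; the action table is copied from the policies above.

```python
"""Compose S3 Batch Operations IAM documents and pre-flight check a role
policy against them. Added example; names and ARNs are placeholders."""
import json

BATCH_OPS_PRINCIPAL = "batchoperations.s3.amazonaws.com"

# Object-level actions on the target bucket per operation (from this page).
OBJECT_ACTIONS = {
    "PutObject": ["s3:PutObject", "s3:PutObjectAcl", "s3:PutObjectTagging"],
    "PutObjectTagging": ["s3:PutObjectTagging", "s3:PutObjectVersionTagging"],
    "DeleteObjectTagging": ["s3:DeleteObjectTagging", "s3:DeleteObjectVersionTagging"],
    "PutObjectAcl": ["s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
    "RestoreObject": ["s3:RestoreObject"],
    "PutObjectRetention": ["s3:PutObjectRetention", "s3:BypassGovernanceRetention"],
    "PutObjectLegalHold": ["s3:PutObjectLegalHold"],
    "InitiateReplication": ["s3:InitiateReplication"],  # user-supplied manifest form
}
# Bucket-level actions some operations additionally need on the target bucket.
BUCKET_ACTIONS = {
    "PutObjectRetention": ["s3:GetBucketObjectLockConfiguration"],
    "PutObjectLegalHold": ["s3:GetBucketObjectLockConfiguration"],
}


def allow(actions, resources):
    return {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}


def trust_policy():
    """Trust policy that lets only the Batch Operations service principal assume the role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": BATCH_OPS_PRINCIPAL},
         "Action": "sts:AssumeRole"}]}


def job_creator_policy(role_arn):
    """Identity policy for the principal that calls CreateJob: s3:CreateJob plus
    iam:PassRole limited to the single job role (a "*" here would let the caller
    hand any role in the account to Batch Operations)."""
    return {"Version": "2012-10-17", "Statement": [
        allow(["s3:CreateJob"], ["*"]),
        allow(["iam:PassRole"], [role_arn])]}


def role_policy(operation, target_bucket, manifest_bucket, report_bucket,
                source_bucket=None, manifest_kms_key_arn=None):
    """Permissions policy for the job role. Every variant carries the manifest-read
    and report-write statements; the KMS statement is added only for a
    KMS-encrypted manifest, and PutObject (copy) also reads the source bucket."""
    if operation not in OBJECT_ACTIONS:
        raise ValueError(f"unsupported operation {operation!r}")
    statements = [allow(OBJECT_ACTIONS[operation], [f"arn:aws:s3:::{target_bucket}/*"])]
    if operation in BUCKET_ACTIONS:
        statements.append(allow(BUCKET_ACTIONS[operation], [f"arn:aws:s3:::{target_bucket}"]))
    if operation == "PutObject":
        if source_bucket is None:
            raise ValueError("PutObject (copy) needs source_bucket")
        statements.append(allow(
            ["s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectTagging", "s3:ListBucket"],
            [f"arn:aws:s3:::{source_bucket}", f"arn:aws:s3:::{source_bucket}/*"]))
    statements.append(allow(["s3:GetObject", "s3:GetObjectVersion"],
                            [f"arn:aws:s3:::{manifest_bucket}/*"]))
    statements.append(allow(["s3:PutObject"], [f"arn:aws:s3:::{report_bucket}/*"]))
    if manifest_kms_key_arn:
        statements.append(allow(["kms:Decrypt", "kms:GenerateDataKey"], [manifest_kms_key_arn]))
    return {"Version": "2012-10-17", "Statement": statements}


def grants(policy):
    """Set of (action, resource) pairs literally allowed by a policy. Wildcards,
    conditions and Deny statements are not evaluated: a sanity check, not a simulator."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        acts = st.get("Action", [])
        ress = st.get("Resource", [])
        acts = acts if isinstance(acts, list) else [acts]
        ress = ress if isinstance(ress, list) else [ress]
        out.update((a, r) for a in acts for r in ress)
    return out


def missing_grants(existing, required):
    """(action, resource) pairs the required policy grants that the existing one lacks."""
    return sorted(grants(required) - grants(existing))


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/s3-batch-copy-role"  # placeholder
    key = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    args = ("PutObject", "amzn-s3-demo-destination-bucket",
            "amzn-s3-demo-manifest-bucket", "amzn-s3-demo-completion-report-bucket")
    required = role_policy(*args, source_bucket="amzn-s3-demo-source-bucket", manifest_kms_key_arn=key)
    deployed = role_policy(*args, source_bucket="amzn-s3-demo-source-bucket")  # written before SSE-KMS
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(job_creator_policy(role), indent=2))
    print("missing grants:", missing_grants(deployed, required))
```

Running the script prints the trust policy, the creator policy and the two KMS grants a role policy written before the manifest was moved to SSE-KMS is missing. Because the check is a literal comparison of (action, resource) pairs, treat a clean result as necessary rather than sufficient and confirm with the IAM policy simulator before relying on it.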