允許存取 AthenaUDFs:範例政策 - Amazon Athena

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

允許存取 AthenaUDFs:範例政策

本主題中的許可政策範例示範需要允許的動作,以及允許這些動作的資源。在將類似的許可政策連接到IAM身分之前,請仔細檢查這些政策,並根據您的需求進行修改。

範例
– 允許IAM主體執行和傳回包含 Athena UDF陳述式的查詢

下列身分型許可政策允許使用者或其他IAM主體執行使用 Athena UDF陳述式的查詢所需的動作。

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "lambda:InvokeFunction", "athena:GetQueryResults", "s3:ListMultipartUploadParts", "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "athena:StopQueryExecution", "athena:GetQueryExecution", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:athena:*:MyAWSAcctId:workgroup/MyAthenaWorkGroup", "arn:aws:s3:::MyQueryResultsBucket/*", "arn:aws:lambda:*:MyAWSAcctId:function:OneAthenaLambdaFunction", "arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" } ] }
許可說明
允許的動作 說明
"athena:StartQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup", "athena:StopQueryExecution", "athena:GetQueryExecution",

MyAthenaWorkGroup 工作群組中執行查詢所需的 Athena 許可。

"s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"

s3:PutObjects3:AbortMultipartUpload允許將查詢結果寫入至arn:aws:s3:::MyQueryResultsBucket/*資源識別符指定的查詢結果儲存貯體的所有子資料夾,其中 MyQueryResultsBucket 是 Athena 查詢結果儲存貯體。如需詳細資訊,請參閱使用查詢結果和最近的查詢

s3:GetObject 允許讀取指定為 之資源的查詢結果和查詢歷史記錄arn:aws:s3:::MyQueryResultsBucket,其中 MyQueryResultsBucket 是 Athena 查詢結果儲存貯體。如需詳細資訊,請參閱使用查詢結果和最近的查詢

s3:GetObject 也允許從指定為 的資源中讀取 "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*",其中 MyLambdaSpillPrefix 在叫用 Lambda 函數的組態中指定 。

"lambda:InvokeFunction"
允許查詢調用Resource區塊中指定的 AWS Lambda 函數。例如 arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction,其中 MyAthenaLambdaFunction 指定要叫用之 Lambda 函數的名稱。如範例所示,可以指定多個函數。
範例
– 允許IAM委託人建立 Athena UDF
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:ListVersionsByFunction", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:AttachRolePolicy", "iam:PutRolePolicy", "lambda:PutFunctionConcurrency", "iam:PassRole", "iam:DetachRolePolicy", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:DeleteRolePolicy", "lambda:DeleteFunction", "lambda:GetAlias", "iam:ListRolePolicies", "iam:GetRole", "iam:GetPolicy", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "iam:DeleteRole", "lambda:UpdateFunctionCode", "s3:GetObject", "lambda:AddPermission", "iam:UpdateRole", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "iam:GetRolePolicy", "lambda:GetPolicy" ], "Resource": [ "arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunctionsPrefix*", "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*", "arn:aws:iam::*:role/RoleName", "arn:aws:iam::111122223333:policy/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:ListExports", "cloudformation:ListStacks", "cloudformation:ListImports", "lambda:ListFunctions", "iam:ListRoles", "lambda:GetAccountSettings", "ec2:DescribeSecurityGroups", "cloudformation:EstimateTemplateCost", "ec2:DescribeVpcs", "lambda:ListEventSourceMappings", "cloudformation:DescribeAccountLimits", "ec2:DescribeSubnets", "cloudformation:CreateStackSet", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "cloudformation:*", "Resource": [ "arn:aws:cloudformation:*:111122223333:stack/aws-serverless-repository-MyCFStackPrefix*/*", "arn:aws:cloudformation:*:111122223333:stack/serverlessrepo-MyCFStackPrefix*/*", "arn:aws:cloudformation:*:*:transform/Serverless-*", "arn:aws:cloudformation:*:111122223333:stackset/aws-serverless-repository-MyCFStackPrefix*:*", "arn:aws:cloudformation:*:111122223333:stackset/serverlessrepo-MyCFStackPrefix*:*" ] }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "serverlessrepo:*", "Resource": "arn:aws:serverlessrepo:*:*:applications/*" }, { "Sid": "ECR", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:aws:ecr:*:*:repository/*" } ] }
許可說明
允許的動作 說明
"lambda:CreateFunction", "lambda:ListVersionsByFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:ListTags", "lambda:DeleteFunction", "lambda:GetAlias", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionCode", "lambda:AddPermission", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "lambda:GetPolicy" "lambda:GetAccountSettings", "lambda:ListFunctions", "lambda:ListEventSourceMappings",

允許建立和管理列為資源的 Lambda 函數。在此範例中,名稱字首會用於資源識別符 中arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*,其中 MyAthenaLambdaFunctionsPrefix 是 Lambda 函數群組名稱中使用的共用字首,因此不需要個別指定為資源。您可以指定一或多個 Lambda 函數資源。

"s3:GetObject"
允許讀取資源識別碼 所指定的 AWS Serverless Application Repository 需要 的儲存貯體arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*
"cloudformation:*"

允許建立和管理 資源指定的 AWS CloudFormation 堆疊 MyCFStackPrefix。 這些堆疊和堆疊集是 AWS Serverless Application Repository 部署連接器和 的方式UDFs。

"serverlessrepo:*"
允許搜尋、檢視、發佈和更新 中由資源識別符 AWS Serverless Application Repository指定的應用程式arn:aws:serverlessrepo:*:*:applications/*