允許存取 AthenaUDFs：原則範例

本主題中的許可政策範例示範需要允許的動作，以及允許這些動作的資源。在將類似的權限原則附加到IAM身分識別之前，請仔細檢查這些原則並根據您的需求進行修改。

Example Policy to Allow an IAM Principal to Run and Return Queries that Contain an Athena UDF Statement
Example Policy to Allow an IAM Principal to Create an Athena UDF

範例
— 允許IAM主體執行並傳回包含 Athena UDF 陳述式的查詢

下列以身分識別為基礎的權限原則允許使用者或其他IAM主體執行使用 Athena UDF 陳述式的查詢所需的動作。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "lambda:InvokeFunction",
                "athena:GetQueryResults",
                "s3:ListMultipartUploadParts",
                "athena:GetWorkGroup",
                "s3:PutObject",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "athena:StopQueryExecution",
                "athena:GetQueryExecution",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:athena:*:MyAWSAcctId:workgroup/MyAthenaWorkGroup",
                "arn:aws:s3:::MyQueryResultsBucket/*",
                "arn:aws:lambda:*:MyAWSAcctId:function:OneAthenaLambdaFunction",
                "arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "athena:ListWorkGroups",
            "Resource": "*"
        }
    ]
}

許可說明
允許的動作	說明
`"athena:StartQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup", "athena:StopQueryExecution", "athena:GetQueryExecution",`	在 `MyAthenaWorkGroup` 工作群組中執行查詢所需的 Athena 許可。
`"s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"`	`s3:PutObject`並`s3:AbortMultipartUpload`允許根據`arn:aws:s3:::MyQueryResultsBucket/`資源標識符指定將查詢結果寫入查詢結果存儲桶的所有子文件夾，其中 `MyQueryResultsBucket` 是 Athena 查詢結果值區。如需詳細資訊，請參閱使用查詢結果和最近的查詢。 `s3:GetObject`允許讀取指定為的資源的查詢結果和查詢歷史記錄`arn:aws:s3:::MyQueryResultsBucket`，其中 `MyQueryResultsBucket` 是 Athena 查詢結果值區。如需詳細資訊，請參閱使用查詢結果和最近的查詢。 `s3:GetObject`還允許從指定為的資源讀取`"arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix"`，其中 `MyLambdaSpillPrefix` 在所叫用的 Lambda 函數或函數的組態中指定。
`"lambda:InvokeFunction"`	允許查詢叫用 AWS Lambda 在塊中指定的函`Resource`數。例如，`arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction`, 其中 `MyAthenaLambdaFunction` 指定要調用的 Lambda 函數的名稱。如範例所示，可以指定多個函數。

範例
— 允許IAM校長創建一個 Athena UDF


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:ListVersionsByFunction",
                "iam:CreateRole",
                "lambda:GetFunctionConfiguration",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "lambda:PutFunctionConcurrency",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "lambda:ListTags",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetPolicy",
                "lambda:InvokeFunction",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:UpdateFunctionConfiguration",
                "iam:DeleteRole",
                "lambda:UpdateFunctionCode",
                "s3:GetObject",
                "lambda:AddPermission",
                "iam:UpdateRole",
                "lambda:DeleteFunctionConcurrency",
                "lambda:RemovePermission",
                "iam:GetRolePolicy",
                "lambda:GetPolicy"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunctionsPrefix*",
                "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*",
                "arn:aws:iam::*:role/RoleName",
                "arn:aws:iam::111122223333:policy/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:ListExports",
                "cloudformation:ListStacks",
                "cloudformation:ListImports",
                "lambda:ListFunctions",
                "iam:ListRoles",
                "lambda:GetAccountSettings",
                "ec2:DescribeSecurityGroups",
                "cloudformation:EstimateTemplateCost",
                "ec2:DescribeVpcs",
                "lambda:ListEventSourceMappings",
                "cloudformation:DescribeAccountLimits",
                "ec2:DescribeSubnets",
                "cloudformation:CreateStackSet",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": [
                "arn:aws:cloudformation:*:111122223333:stack/aws-serverless-repository-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:111122223333:stack/serverlessrepo-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:*:transform/Serverless-*",
                "arn:aws:cloudformation:*:111122223333:stackset/aws-serverless-repository-MyCFStackPrefix*:*",
                "arn:aws:cloudformation:*:111122223333:stackset/serverlessrepo-MyCFStackPrefix*:*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "serverlessrepo:*",
            "Resource": "arn:aws:serverlessrepo:*:*:applications/*"
        }
    ]
}

許可說明
允許的動作	說明
"lambda:CreateFunction", "lambda:ListVersionsByFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:ListTags", "lambda:DeleteFunction", "lambda:GetAlias", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionCode", "lambda:AddPermission", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "lambda:GetPolicy" "lambda:GetAccountSettings", "lambda:ListFunctions", "lambda:ListEventSourceMappings",	允許建立和管理列為資源的 Lambda 函數。在此範例中，資源識別元中使用名稱前置詞`arn:aws:lambda::MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix`，其中 `MyAthenaLambdaFunctionsPrefix` 是一組 Lambda 函數名稱中使用的共享前綴，因此不需要單獨指定它們作為資源。您可以指定一或多個 Lambda 函數資源。
`"s3:GetObject"`	允許讀取存儲桶 AWS Serverless Application Repository 需要由資源標識符指定`arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*`。
`"cloudformation:*"`	允許創建和管理 AWS CloudFormation 由資源指定的堆棧 `MyCFStackPrefix`。這些堆棧和堆棧集是如何 AWS Serverless Application Repository 部署連接器和UDFs.
`"serverlessrepo:*"`	允許搜尋、檢視、發佈和更新中的應用程式 AWS Serverless Application Repository，由資源識別碼指定`arn:aws:serverlessrepo:::applications/*`。

您的瀏覽器已停用或無法使用 Javascript。

您必須啟用 Javascript，才能使用 AWS 文件。請參閱您的瀏覽器說明頁以取得說明。

文件慣用形式

允許存取 Athena 聯合查詢

允許透過 Athena 存取 ML

允許存取 AthenaUDFs：原則範例

範例 — 允許IAM主體執行並傳回包含 Athena UDF 陳述式的查詢

範例 — 允許IAM校長創建一個 Athena UDF

範例
— 允許IAM主體執行並傳回包含 Athena UDF 陳述式的查詢

範例
— 允許IAM校長創建一個 Athena UDF