

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

# Configuring permissions to use CDC streams in Amazon Keyspaces
<a name="configure-cdc-permissions"></a>

To enable CDC streams, a principal, for example an IAM user or role, needs the following permissions.

For more information about AWS Identity and Access Management, see [AWS Identity and Access Management for Amazon Keyspaces](security-iam.md).

## Permissions to enable CDC streams for a table
<a name="cdc-permissions-enable"></a>

To enable a CDC stream on an Amazon Keyspaces table, the principal first needs permission to create or alter the table, and then a second permission to create the service-linked role [AWSServiceRoleForAmazonKeyspacesCDC](using-service-linked-roles-CDC-streams.md#service-linked-role-permissions-CDC-streams). Amazon Keyspaces uses this service-linked role to publish CloudWatch metrics to your account on your behalf. Note that the `iam:CreateServiceLinkedRole` grant in the example is restricted with an `iam:AWSServiceName` condition so that the principal can only create the role for the `cassandra-streams.amazonaws.com` service, not arbitrary service-linked roles.

The following IAM policy is an example.

```
{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "cassandra:Create",
                "cassandra:CreateMultiRegionResource",
                "cassandra:Alter",
                "cassandra:AlterMultiRegionResource"
            ],
            "Resource":[
                "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/{{my_keyspace}}/*",
                "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/system*"
            ]
        },
        {
            "Sid": "KeyspacesCDCServiceLinkedRole",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/cassandra-streams.amazonaws.com/AWSServiceRoleForAmazonKeyspacesCDC",
            "Condition": {
              "StringLike": {
                "iam:AWSServiceName": "cassandra-streams.amazonaws.com"
              }
            }
        }
    ]
}
```

To disable a stream, only the `ALTER TABLE` permission (`cassandra:Alter` in the policy above) is required.

## Permissions to view CDC streams
<a name="cdc-permissions-view"></a>

To view or list CDC streams, the principal needs read permission on the system keyspaces. For more information, see [`system_schema_mcs`](working-with-keyspaces.md#keyspace_system_schema_mcs).

The following IAM policy is an example.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"cassandra:Select",
         "Resource":[
             "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/system*"
         ]
      }
   ]
}
```

To view or list CDC streams with the AWS CLI or the Amazon Keyspaces API, the principal additionally needs permission for the `cassandra:ListStreams` and `cassandra:GetStream` actions. Note that the example below grants `cassandra:GetStream` on every stream in the account (`"Resource": "*"`); the read policy in the next section shows how to scope `GetStream` to a single stream ARN when a principal only needs to describe one stream.

The following IAM policy is an example.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cassandra:Select",
        "cassandra:ListStreams",
        "cassandra:GetStream"
      ],
      "Resource": "*"
    }
  ]
}
```

## Permissions to read CDC streams
<a name="cdc-permissions-read"></a>

To read a CDC stream, the principal needs the following permissions. The resource is the ARN of one specific stream, so a consumer cannot read records from other tables' streams.

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "cassandra:GetStream",
            "cassandra:GetShardIterator",
            "cassandra:GetRecords"
         ],
         "Resource":[
            "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/{{my_keyspace}}/table/{{my_table}}/stream/{{stream_label}}"
         ]
      }
   ]
}
```

## Permissions to process Amazon Keyspaces CDC streams with the Kinesis Client Library (KCL)
<a name="cdc-permissions-kcl"></a>

To process an Amazon Keyspaces CDC stream with the KCL, the IAM principal needs the following permissions. In the example policy that follows, the DynamoDB grants are scoped to tables named after the KCL application: the lease table itself, plus the `-WorkerMetricStats` and `-CoordinatorState` tables that the policy also allows `dynamodb:CreateTable` on.
+ `Amazon Keyspaces` – read-only access to the specified Amazon Keyspaces CDC stream.
+ `DynamoDB` – permission to create the `shard lease` table, read and write access to that table, and, as needed, read access to its indexes for KCL stream processing.
+ `CloudWatch` – permission to publish metric data from Amazon Keyspaces CDC stream processing to the KCL client application namespace in your CloudWatch account. For more information about monitoring, see [Monitoring the Kinesis Client Library with Amazon CloudWatch](https://docs.aws.amazon.com/streams/latest/dev/monitoring-with-kcl.html).

```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "cassandra:GetStream",
            "cassandra:GetShardIterator",
            "cassandra:GetRecords"
         ],
         "Resource":[
            "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/{{my_keyspace}}/table/{{my_table}}/stream/{{stream_label}}"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:CreateTable",
            "dynamodb:DescribeTable",
            "dynamodb:UpdateTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateItem",
            "dynamodb:PutItem",
            "dynamodb:DeleteItem",
            "dynamodb:Scan"
         ],
         "Resource":[
            "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:CreateTable",
            "dynamodb:DescribeTable",
            "dynamodb:GetItem",
            "dynamodb:UpdateItem",
            "dynamodb:PutItem",
            "dynamodb:DeleteItem",
            "dynamodb:Scan"
         ],
         "Resource":[
            "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}-WorkerMetricStats",
            "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}-CoordinatorState"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "dynamodb:Query"
         ],
         "Resource":[
            "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}/index/*"
         ]
      },
      {
         "Effect":"Allow",
         "Action":[
            "cloudwatch:PutMetricData"
         ],
         "Resource":"*"
      }
   ]
}
```
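The policies on this page share a few least-privilege properties worth checking mechanically before deployment: stream data reads (`cassandra:GetShardIterator`, `cassandra:GetRecords`) are scoped to one stream ARN, the `iam:CreateServiceLinkedRole` grant from the enable section is conditioned on `iam:AWSServiceName`, and the KCL consumer's DynamoDB grants only cover tables named after the application. The following Python script is an added example, not AWS documentation or AWS tooling: it fills the `{{placeholder}}` tokens used in the policies above and lints the resulting document for those three properties. The region, account ID, keyspace, table, stream label and KCL application name it uses are constructed values, and the embedded template is a trimmed version of the KCL policy above.

```python
# Added example (not AWS code): fill the page's {{placeholder}} tokens, then lint
# the resulting policy for grants broader than the page's examples. All values are constructed.
import json
import re
from typing import Dict, List, Optional

STREAM_DATA_ACTIONS = {"cassandra:GetShardIterator", "cassandra:GetRecords"}  # return record data
SLR_ACTION = "iam:CreateServiceLinkedRole"
SLR_SERVICE = "cassandra-streams.amazonaws.com"
STREAM_ARN = re.compile(
    r"^arn:aws:cassandra:[a-z0-9-]+:\d{12}:/keyspace/[^/*]+/table/[^/*]+/stream/[^/*]+$")
DDB_ARN = re.compile(r"^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/([^/]+)(?:/index/.+)?$")
PLACEHOLDER = re.compile(r"\{\{([^}]+)\}\}")

# Constructed template in the page's placeholder style: a trimmed KCL consumer policy.
KCL_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["cassandra:GetStream", "cassandra:GetShardIterator", "cassandra:GetRecords"],
     "Resource": "arn:aws:cassandra:{{us-east-1}}:{{111122223333}}:/keyspace/{{my_keyspace}}/table/{{my_table}}/stream/{{stream_label}}"},
    {"Effect": "Allow",
     "Action": ["dynamodb:CreateTable", "dynamodb:DescribeTable", "dynamodb:GetItem",
                "dynamodb:UpdateItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:Scan"],
     "Resource": ["arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}",
                  "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}-CoordinatorState"]},
    {"Effect": "Allow", "Action": "dynamodb:Query",
     "Resource": "arn:aws:dynamodb:{{us-east-1}}:{{111122223333}}:table/{{KCL_APPLICATION_NAME}}/index/*"},
    {"Effect": "Allow", "Action": "cloudwatch:PutMetricData", "Resource": "*"}
  ]
}"""

# The page writes each placeholder as {{example value}}; map it to the value you deploy.
VALUES = {
    "us-east-1": "us-east-1", "111122223333": "111122223333",
    "my_keyspace": "orders", "my_table": "events",
    "stream_label": "2025-01-01T00:00:00.000",  # constructed; real labels are assigned by the service
    "KCL_APPLICATION_NAME": "orders-cdc-consumer",
}


def _as_list(value) -> List[str]:
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def render_policy(template: str, values: Dict[str, str]) -> dict:
    """Substitute every {{placeholder}} (KeyError if one is missing) and parse the JSON."""
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))


def lint_policy(policy: dict, kcl_app_name: Optional[str] = None) -> List[str]:
    """Return one finding per Allow statement that grants more than the page's examples do."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written as an object
        statements = [statements]
    findings: List[str] = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))
        # Record reads must name exactly one stream ARN with no wildcard component.
        if actions & STREAM_DATA_ACTIONS:
            findings += [f"{sid}: stream data read on non-stream resource {r!r}"
                         for r in resources if not STREAM_ARN.match(r)]
        # The SLR grant must be tied to the cassandra-streams service principal, as on the page.
        if SLR_ACTION in actions:
            condition = stmt.get("Condition", {})
            services: List[str] = []
            for operator in ("StringEquals", "StringLike"):
                services += _as_list(condition.get(operator, {}).get("iam:AWSServiceName"))
            if services != [SLR_SERVICE]:
                findings.append(f"{sid}: {SLR_ACTION} not conditioned on iam:AWSServiceName={SLR_SERVICE}")
        # KCL lease and coordination tables (and their indexes) must be named after the application.
        if kcl_app_name and any(a.startswith("dynamodb:") for a in actions):
            for r in resources:
                match = DDB_ARN.match(r)
                if not match or not match.group(1).startswith(kcl_app_name):
                    findings.append(f"{sid}: DynamoDB access outside the KCL application's tables: {r!r}")
    return findings


def check_kcl_consumer() -> List[str]:
    """Lint the constructed consumer policy; it is scoped like the page's example and comes back clean."""
    return lint_policy(render_policy(KCL_TEMPLATE, VALUES), kcl_app_name=VALUES["KCL_APPLICATION_NAME"])


def loosened_findings() -> List[str]:
    """Open the stream and lease-table grants to wildcards; the linter flags both."""
    policy = render_policy(KCL_TEMPLATE, VALUES)
    policy["Statement"][0]["Resource"] = "*"
    policy["Statement"][1]["Resource"] = "arn:aws:dynamodb:us-east-1:111122223333:table/*"
    return lint_policy(policy, kcl_app_name=VALUES["KCL_APPLICATION_NAME"])


if __name__ == "__main__":
    print("\n".join(loosened_findings()) or "no findings")
```

`check_kcl_consumer()` returns an empty list, while the loosened variant produces two findings, one for the wildcard stream resource and one for the `table/*` lease-table grant. The linter deliberately does not flag `cassandra:GetStream` or `cassandra:ListStreams` on `"Resource": "*"`, because the view/list example on this page uses that scope; only the actions that return record data are held to a single stream ARN. Statements with `"Effect": "Deny"` are skipped, since they only narrow what the Allow statements grant.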