Create custom IAM policies for Managed Service for Apache Flink Studio notebooks - Managed Service for Apache Flink

Amazon Managed Service for Apache Flink was previously known as Amazon Kinesis Data Analytics for Apache Flink.


Create custom IAM policies for Managed Service for Apache Flink Studio notebooks

You typically use managed IAM policies to allow your application to access dependent resources. If you need finer control over your application's permissions, you can use a custom IAM policy. This section contains examples of custom IAM policies.

Note

In the following policy examples, replace the placeholder text with the values for your application.

AWS Glue

The following example policy grants permission to access an AWS Glue database.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GlueTable",
            "Effect": "Allow",
            "Action": [
                "glue:GetConnection",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetDatabase",
                "glue:CreateTable",
                "glue:UpdateTable"
            ],
            "Resource": [
                "arn:aws:glue:<region>:<accountId>:connection/*",
                "arn:aws:glue:<region>:<accountId>:table/<database-name>/*",
                "arn:aws:glue:<region>:<accountId>:database/<database-name>",
                "arn:aws:glue:<region>:<accountId>:database/hive",
                "arn:aws:glue:<region>:<accountId>:catalog"
            ]
        },
        {
            "Sid": "GlueDatabase",
            "Effect": "Allow",
            "Action": "glue:GetDatabases",
            "Resource": "*"
        }
    ]
}

CloudWatch Logs

The following policy grants permission to access CloudWatch Logs:

{
    "Sid": "ListCloudwatchLogGroups",
    "Effect": "Allow",
    "Action": [
        "logs:DescribeLogGroups"
    ],
    "Resource": [
        "arn:aws:logs:<region>:<accountId>:log-group:*"
    ]
},
{
    "Sid": "ListCloudwatchLogStreams",
    "Effect": "Allow",
    "Action": [
        "logs:DescribeLogStreams"
    ],
    "Resource": [
        "<logGroupArn>:log-stream:*"
    ]
},
{
    "Sid": "PutCloudwatchLogs",
    "Effect": "Allow",
    "Action": [
        "logs:PutLogEvents"
    ],
    "Resource": [
        "<logStreamArn>"
    ]
}

Note

If you use the console to create your application, the console adds the policies required for accessing CloudWatch Logs to the application's role.

Kinesis streams

An application can use a Kinesis stream as a source or a sink. The application needs read permissions to read from a source stream, and write permissions to write to a sink stream.

The following policy grants permission to read from a Kinesis stream used as a source:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KinesisShardDiscovery",
            "Effect": "Allow",
            "Action": "kinesis:ListShards",
            "Resource": "*"
        },
        {
            "Sid": "KinesisShardConsumption",
            "Effect": "Allow",
            "Action": [
                "kinesis:GetShardIterator",
                "kinesis:GetRecords",
                "kinesis:DescribeStream",
                "kinesis:DescribeStreamSummary",
                "kinesis:RegisterStreamConsumer",
                "kinesis:DeregisterStreamConsumer"
            ],
            "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>"
        },
        {
            "Sid": "KinesisEfoConsumer",
            "Effect": "Allow",
            "Action": [
                "kinesis:DescribeStreamConsumer",
                "kinesis:SubscribeToShard"
            ],
            "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>/consumer/*"
        }
    ]
}

The following policy grants permission to write to a Kinesis stream used as a sink:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KinesisStreamSink",
            "Effect": "Allow",
            "Action": [
                "kinesis:PutRecord",
                "kinesis:PutRecords",
                "kinesis:DescribeStreamSummary",
                "kinesis:DescribeStream"
            ],
            "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>"
        }
    ]
}

If the application accesses an encrypted Kinesis stream, you must grant additional permissions to access the stream and its encryption key.

The following policy grants permission to access an encrypted source stream and its encryption key:

{
    "Sid": "ReadEncryptedKinesisStreamSource",
    "Effect": "Allow",
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": [
        "<inputStreamKeyArn>"
    ]
}

The following policy grants permission to access an encrypted sink stream and its encryption key:

{
    "Sid": "WriteEncryptedKinesisStreamSink",
    "Effect": "Allow",
    "Action": [
        "kms:GenerateDataKey"
    ],
    "Resource": [
        "<outputStreamKeyArn>"
    ]
}
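As an added example (not AWS's own code or tooling), the following Python fills the <placeholder> tokens in a policy template such as the ones above and flags any statement that is broader than the page's examples: a placeholder left unreplaced, a wildcard action, or a non-discovery action allowed on Resource "*". The region, account ID, stream name and the "TooBroad" statement are constructed values.

```python
import json
import re

PLACEHOLDER = re.compile(r"<([A-Za-z-]+)>")

# Discovery actions the page itself scopes to "*" (no resource-level ARN); any other action on "*" is over-broad.
WILDCARD_OK = {"kinesis:ListShards", "glue:GetDatabases"}

def missing_placeholders(template: str, values: dict) -> list:
    """Placeholder names used in the template that have no value supplied."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(values))

def render_policy(template: str, values: dict) -> dict:
    """Fill every <placeholder> in a policy template, failing if any is left unfilled."""
    missing = missing_placeholders(template, values)
    if missing:
        raise KeyError(f"unfilled placeholders: {missing}")
    return json.loads(PLACEHOLDER.sub(lambda m: values[m.group(1)], template))

def audit_policy(policy: dict) -> list:
    """Return (Sid, finding) pairs for statements broader than the page's examples."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append((stmt["Sid"], f"placeholder left in {res}"))
            if res == "*":
                findings += [(stmt["Sid"], f"{a} allowed on *") for a in actions if a not in WILDCARD_OK]
        findings += [(stmt["Sid"], f"wildcard action {a}") for a in actions if a.endswith("*")]
    return findings

# Constructed template: the page's sink and shard-discovery statements plus one deliberately over-broad statement.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KinesisStreamSink", "Effect": "Allow",
     "Action": ["kinesis:PutRecord", "kinesis:PutRecords",
                "kinesis:DescribeStreamSummary", "kinesis:DescribeStream"],
     "Resource": "arn:aws:kinesis:<region>:<accountId>:stream/<stream-name>"},
    {"Sid": "KinesisShardDiscovery", "Effect": "Allow",
     "Action": "kinesis:ListShards", "Resource": "*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "kinesis:*", "Resource": "*"}
  ]
}"""

VALUES = {"region": "us-east-1", "accountId": "123456789012", "stream-name": "orders"}  # constructed values
```

Running `audit_policy(render_policy(TEMPLATE, VALUES))` reports only the "TooBroad" statement; the page's own statements pass, and a template with a placeholder still unfilled is rejected before it can be attached to a role.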

Amazon MSK cluster

To grant access to an Amazon MSK cluster, you grant access to the cluster's VPC. For an example policy for accessing an Amazon VPC, see VPC application permissions.