


# Service roles for AWS HealthOmics
<a name="permissions-service"></a>

A service role is an AWS Identity and Access Management (IAM) role that grants an AWS service permission to access resources in your account. You provide a service role to AWS HealthOmics when you start an import job or start a run.

The HealthOmics console can create the required roles for you. If you use the HealthOmics API to manage resources, create the service role with the IAM console. For more information, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html).

A service role must have the following trust policy.


```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "omics.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```


The trust policy lets the HealthOmics service assume the role.

**Topics**
+ [IAM service policy examples](#permissions-service-samplepolicies)
+ [CloudFormation template example](#permissions-service-sampletemplates)

## IAM service policy examples
<a name="permissions-service-samplepolicies"></a>

In these examples, resource names and account IDs are placeholders that you replace with your actual values.

The following example shows a service role policy that you can use to start a run. The policy grants permission to access the run's Amazon S3 output location, the workflow log group, and Amazon ECR containers.

**Note**  
If you use call caching for the run, add the run cache's Amazon S3 location as a resource in the S3 permissions.

**Example: service role policy for starting a run**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:log-stream:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:us-east-1:123456789012:log-group:/aws/omics/WorkflowLog:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchCheckLayerAvailability"
      ],
      "Resource": [
        "arn:aws:ecr:us-east-1:123456789012:repository/*"
      ]
    }
  ]
}
```

The following example shows a service role policy that you can use for store import jobs. The policy grants permission to access the Amazon S3 input location.

**Example: service role for reference store jobs**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket"
      ]
    }
  ]
}
```
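Two checks a practitioner would run before handing a role to HealthOmics, as an added example that is not part of the AWS documentation: that the trust policy admits only `omics.amazonaws.com` (the trust policy above), and that the run policy's S3 statements actually cover every S3 location the run will touch, including the run cache location the note above asks you to add. The policy documents below are constructed to mirror this page's examples; the matcher evaluates Allow statements only and ignores Deny statements and Conditions, so treat it as a pre-check, not a substitute for the IAM policy simulator.

```python
import re

# Constructed samples that mirror the page's trust policy and run-start policy.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "omics.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
RUN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket1"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def trust_policy_ok(doc):
    """True only if the policy has an Allow statement and every Allow lets just
    omics.amazonaws.com call sts:AssumeRole (no '*' or non-service principals)."""
    allows = [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]
    for st in allows:
        principal = st.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"Service"}:
            return False
        if _as_list(principal["Service"]) != ["omics.amazonaws.com"]:
            return False
        if set(_as_list(st.get("Action", []))) != {"sts:AssumeRole"}:
            return False
    return bool(allows)

def allowed(doc, action, resource_arn):
    # Allow statements only; Deny statements and Conditions are deliberately ignored.
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if any(_matches(a, action, True) for a in _as_list(st.get("Action", []))) and \
           any(_matches(r, resource_arn) for r in _as_list(st.get("Resource", []))):
            return True
    return False

def missing_s3_grants(doc, uris):
    """(action, uri) pairs a run needs for each s3://bucket/prefix that the policy lacks."""
    missing = []
    for uri in uris:
        bucket, _, prefix = uri[len("s3://"):].partition("/")
        key_prefix = prefix.strip("/")
        obj_arn = f"arn:aws:s3:::{bucket}/{key_prefix + '/' if key_prefix else ''}object"
        for action, arn in (("s3:GetObject", obj_arn), ("s3:PutObject", obj_arn),
                            ("s3:ListBucket", f"arn:aws:s3:::{bucket}")):
            if not allowed(doc, action, arn):
                missing.append((action, uri))
    return missing
```

Run `missing_s3_grants(policy, [output_uri, cache_uri])` against the policy you intend to attach; an empty list means the output and cache locations are both covered.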

## CloudFormation template example
<a name="permissions-service-sampletemplates"></a>

The following example CloudFormation template creates a service role that gives HealthOmics permission to access Amazon S3 buckets whose names start with the `omics-` prefix, and to upload workflow logs.

**Example: reference store, Amazon S3, and CloudWatch Logs permissions**

```yaml
Parameters:
  bucketName:
    Description: Bucket name
    Type: String

Resources:
  serviceRole:
    Type: AWS::IAM::Role
    Properties:
      Policies:
        - PolicyName: read-reference
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - omics:*
                Resource: !Sub arn:${AWS::Partition}:omics:${AWS::Region}:${AWS::AccountId}:referenceStore/*
        - PolicyName: read-s3
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: !Sub arn:${AWS::Partition}:s3:::${bucketName}/*
        - PolicyName: upload-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # CloudWatch Logs ARNs use the log-group resource type, matching the JSON policy above.
              - Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/omics/WorkflowLog:log-stream:*
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                Resource: !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/omics/WorkflowLog:*
      # Trust policy: only the HealthOmics service principal may assume this role.
      AssumeRolePolicyDocument: |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": [
                "sts:AssumeRole"
              ],
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "omics.amazonaws.com"
                ]
              }
            }
          ]
        }
```