Set up IAM permissions to access data sources - Amazon SageMaker

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

Set up IAM permissions to access data sources

You must set up the required AWS IAM permissions before JupyterLab can access your data.

To let the JupyterLab application in Studio access data sources through AWS Glue connections using the SageMaker execution role, attach the following inline policies to that role.

To view the permissions required for each data store or authentication method, see the corresponding section below.

Note

We recommend limiting the policy's permissions to only the resources and actions that are required.

To narrow the policy's scope and grant least-privilege access, replace the wildcard in the policy's "Resource": ["*"] with the ARNs of the specific resources that need to be accessed. For details on how to control resource access, see Fine-tune AWS resource access using granular ARN permissions.

Note

We strongly recommend narrowing this policy to only the actions and resources that are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3AndDataSourcesMetadata",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetSchema",
        "glue:GetTables",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:ListSchemas",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    },
    {
      "Sid": "ExecuteQueries",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:RunQuery",
        "athena:StartSession",
        "athena:GetQueryResults",
        "athena:ListWorkGroups",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "athena:GetDataCatalog",
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "athena:GetWorkGroup"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "arn:aws:athena:region:account-id:workgroup/workgroup-name",
        "..."
      ]
    },
    {
      "Sid": "GetGlueConnectionsAndSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "glue:GetConnections",
        "glue:GetConnection",
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name",
        "arn:aws:redshift:region:account-id:cluster:cluster-name",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    }
  ]
}
Note

We strongly recommend narrowing this policy to only the resources that are required.

For more information, see Example IAM permissions policies in the Athena documentation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3AndDataSourcesMetadata",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetSchema",
        "glue:GetTables",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "glue:GetDatabase",
        "glue:GetTable",
        "glue:ListSchemas",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    },
    {
      "Sid": "ExecuteAthenaQueries",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:RunQuery",
        "athena:StartSession",
        "athena:GetQueryResults",
        "athena:ListWorkGroups",
        "s3:ListMultipartUploadParts",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "athena:GetDataCatalog",
        "s3:AbortMultipartUpload",
        "s3:GetObject",
        "s3:PutObject",
        "athena:GetWorkGroup"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name",
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:athena:region:account-id:workgroup/workgroup-name",
        "..."
      ]
    },
    {
      "Sid": "GetGlueConnectionsAndSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    }
  ]
}
Note

We strongly recommend narrowing this policy to only the resources that are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "..."
      ]
    },
    {
      "Sid": "GetGlueConnectionsAndSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    }
  ]
}
Note

We strongly recommend narrowing this policy to only the resources that are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "..."
      ]
    },
    {
      "Sid": "GetGlueConnectionsAndClusterCredentials",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "glue:GetConnections",
        "glue:GetConnection",
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name",
        "arn:aws:redshift:region:account-id:cluster:cluster-name",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    }
  ]
}
Note

We strongly recommend narrowing this policy to only the resources that are required.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetS3Metadata",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*",
        "..."
      ]
    },
    {
      "Sid": "GetGlueConnectionsAndSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "glue:GetConnections",
        "glue:GetConnection"
      ],
      "Resource": [
        "arn:aws:secretsmanager:region:account-id:secret:secret-name",
        "arn:aws:glue:region:account-id:catalog",
        "arn:aws:glue:region:account-id:database/db-name",
        "..."
      ]
    },
    {
      "Sid": "GetRedshiftServerlessCredentials",
      "Effect": "Allow",
      "Action": [
        "redshift-serverless:GetCredentials"
      ],
      "Resource": [
        "arn:aws:redshift-serverless:region:account-id:namespace/namespace-id",
        "..."
      ]
    }
  ]
}

Fine-tune AWS resource access using granular ARN permissions

For finer-grained control over access to AWS resources, replace the wildcard resource in the policy's "Resource": ["*"] with only the specific Amazon Resource Names (ARNs) that need to be accessed. Using exact ARNs instead of wildcards restricts access to the intended resources.

  • Use specific Amazon S3 bucket ARNs

    For example, "arn:aws:s3:::bucket-name" for bucket-level operations or "arn:aws:s3:::bucket-name/*" for object-level operations.

    For information about all resource types in Amazon S3, see Resource types defined by Amazon S3.

  • Use specific AWS Glue database ARNs

    For example, "arn:aws:glue:region:account-id:catalog" and "arn:aws:glue:region:account-id:database/db-name". For information about all resource types in AWS Glue, see Resource types defined by AWS Glue.

  • Use specific Athena workgroup ARNs

    For example, "arn:aws:athena:region:account-id:workgroup/workgroup-name". For information about all resource types in Athena, see Resource types defined by Athena.

  • Use specific AWS Secrets Manager secret ARNs

    For example, "arn:aws:secretsmanager:region:account-id:secret:secret-name". For information about all resource types in AWS Secrets Manager, see Resource types defined by AWS Secrets Manager.

  • Use specific Amazon Redshift cluster ARNs

    For example, "arn:aws:redshift:region:account-id:cluster:cluster-name". For information about resource types in Amazon Redshift, see Resource types defined by Amazon Redshift. For information about all resource types in Redshift Serverless, see Resource types defined by Redshift Serverless.
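The notes above and this section both ask for the same pre-attach discipline: every placeholder in the example ARNs (region, account-id, bucket_name, and so on) must be replaced, the "..." entries must be removed or replaced with real ARNs, and no statement should be left at "Resource": ["*"]. The following Python script is an added example, not code from this page or from AWS, that mechanises that check: find_policy_issues() reports wildcards, elided entries and unreplaced placeholders in a policy document, and scope_policy() substitutes concrete values into the ARNs so the result can be re-checked. The SAMPLE_POLICY and the bucket name are constructed for the example; the placeholder token list is taken from the ARNs shown on this page.

```python
import copy
import json
import re

# Constructed sample for this example: the shape of one of the page's policies
# with its documentation placeholders still in place, plus a statement that
# was widened to "Resource": ["*"], which is exactly what the page says to avoid.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetS3Metadata",
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::bucket_name/*", "..."],
        },
        {
            "Sid": "GetGlueConnectionsAndSecrets",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue",
                "glue:GetConnections",
                "glue:GetConnection",
            ],
            "Resource": ["*"],
        },
    ],
}

# Placeholder tokens as they appear in the page's example ARNs. A resource that
# still contains one of these has not been scoped to a real resource yet.
PLACEHOLDERS = {
    "region", "account-id", "bucket_name", "db-name", "workgroup-name",
    "secret-name", "cluster-name", "namespace-id",
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def find_policy_issues(policy):
    """Return (sid, kind, value) findings for anything that must be fixed
    before the policy is attached: wildcard actions or resources, elided
    "..." entries, and ARNs that still contain the page's placeholders."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "wildcard-action", action))
        for res in _as_list(stmt.get("Resource")):
            if res == "*":
                findings.append((sid, "wildcard-resource", res))
            elif res == "...":
                findings.append((sid, "elided-resource", res))
            elif any(tok in PLACEHOLDERS for tok in re.split(r"[:/]", res)):
                findings.append((sid, "unreplaced-placeholder", res))
    return findings


def scope_policy(policy, values):
    """Return a copy of the policy with placeholder tokens in Resource ARNs
    replaced from `values` and "..." entries dropped. A bare "*" is left
    untouched on purpose so that it keeps showing up in find_policy_issues."""
    scoped = copy.deepcopy(policy)
    for stmt in scoped.get("Statement", []):
        new_resources = []
        for res in _as_list(stmt.get("Resource")):
            if res == "...":
                continue
            # Split on ARN separators but keep them, so the string can be rebuilt.
            parts = re.split(r"([:/])", res)
            new_resources.append("".join(values.get(p, p) for p in parts))
        stmt["Resource"] = new_resources
    return scoped


if __name__ == "__main__":
    print("Before scoping:")
    for sid, kind, value in find_policy_issues(SAMPLE_POLICY):
        print(f"  [{sid}] {kind}: {value}")

    # Constructed value; substitute your own bucket, region and account id.
    scoped = scope_policy(SAMPLE_POLICY, {"bucket_name": "example-analytics-input"})
    print("\nAfter scoping (the bare \"*\" is still reported):")
    for sid, kind, value in find_policy_issues(scoped):
        print(f"  [{sid}] {kind}: {value}")
    print("\n" + json.dumps(scoped, indent=2))
```

Run it against the policy file before attaching it; a clean report means every ARN names a concrete resource. The script does not replace a "*" resource for you, because the right ARN for that statement is a decision, not a substitution. Attaching the finished file to the execution role is then a separate AWS CLI step (aws iam put-role-policy with --role-name, --policy-name and --policy-document file://policy.json), not part of this example.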