为频谱S3访问创建IAM角色的模板

问题描述 投票:0回答:1

为了通过频谱访问S3数据,我需要创建一个IAM角色,如此处所述...

https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html

新创建的IAM角色需要附加到redshift实例。

https://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html#copy-unload-iam-role-associating-with-clusters

我设法成功完成了所有步骤。但是我想知道是否可以编写一个cloudformation模板,该模板可以快速完成需要的工作。这是我提取的相关代码。我不确定如何使用正确的语法。

步骤1

{
        "Tags": [],
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "redshift.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROAJWJGDMYIHSSTPZ6I6CM",
        "CreateDate": "2017-05-15T05:34:46Z",
        "InstanceProfileList": [],
        "RoleName": "RedshiftCopyUnload",
        "Path": "/",
        "AttachedManagedPolicies": [
            {
                "PolicyName": "AmazonAthenaFullAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
            },
            {
                "PolicyName": "AmazonS3ReadOnlyAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
            },
            {
                "PolicyName": "AWSGlueConsoleFullAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
            }
        ],
        "RolePolicyList": [],
        "Arn": "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
    }

步骤2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                 "redshift:ModifyClusterIamRoles",
                 "redshift:CreateCluster"
            ],
            "Resource": [
                 "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
                 "arn:aws:redshift:us-east-1:123456789012:cluster:cluster:my-second-redshift-cluster"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/MyRedshiftRole",
                "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                "arn:aws:iam::123456789012:role/ThirdRedshiftRole"
             ]
        }
    ]
}
amazon-redshift amazon-cloudformation
1个回答
0
投票

是。可以使用AWS CloudFormation模板定义IAM角色。

这里是AWS::IAM::Role - AWS CloudFormation的示例:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.&api-domain;
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
© www.soinside.com 2019 - 2024. All rights reserved.