
Amazon Web Services prerequisites

This document describes the Amazon Web Services operations involved in creating a BYOC warehouse: creating and authorizing an IAM user, creating a VPC and subnets, and understanding CloudFormation and stacks.

Prepare an IAM user and grant permissions

Before creating a BYOC warehouse, prepare an Amazon Web Services IAM user that has the required permissions.

Send this document to your Amazon Web Services administrator and ask them to create and authorize the IAM user as described here.

The administrator opens the Amazon Web Services Identity and Access Management (IAM) console and performs the following steps:

Create a permission policy

Creating a SelectDB Cloud BYOC warehouse runs a stack template through the orchestration service (CloudFormation), which creates and operates on EC2, VPC, S3 and other cloud resources, so a set of IAM permissions is required.

In the left navigation, choose Access management > Policies to open the policy management page, then click Create policy.

Switch to the JSON editor, clear the existing text, and paste the following policy. For a detailed explanation of each permission, see the section "Permissions required by the stack template" below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/resource-created-by": [
                        "selectdb"
                    ]
                }
            },
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSecurityGroupRules",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetEbsDefaultKmsKeyId"
            ],
            "Resource": [
                "arn:aws-cn:ec2:*:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeVolumes",
                "ec2:ModifyVolume",                
                "ec2:DescribeImages",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:*VpcEndpoint*",
                "compute-optimizer:GetEnrollmentStatus",
                "elasticloadbalancing:*",
                "s3:CreateBucket"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Delete*"
            ],
            "Resource": [
                "arn:aws-cn:s3:::selectdb-bucket-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:GetCallerIdentity",
                "sts:AssumeRole",
                "iam:GetUser",
                "iam:TagUser",
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:ListAccessKeys",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetRole",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:CreatePolicy",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteUserPolicy",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/selectdb-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:InvokeFunction",
                "lambda:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            },
            "Effect": "Allow"
        }
    ]
}

Click Next, enter a name, and click Create policy to finish creating the permission policy.

Create an IAM user and grant permissions

Tip: If you already have an IAM user, skip the user creation step and attach the policy directly.

In the left navigation, choose Access management > Users to open the user management page, click Create user, enter the user details, and click Next.

Select the policy created in the previous step, click Next, then click Create user to finish.

Create an IAM user group and grant permissions (optional)

Tip: If you already have an IAM user group, skip the group creation step and attach the policy directly.

If several people in your organization use SelectDB Cloud, create an IAM user group, add them to it, and grant permissions to the group once.

In the left navigation, choose Access management > User groups to open the user group management page, click Create user group, enter a group name, select the users to add and the permission policy, then click Create user group to finish.

Prepare a VPC and subnets

Before creating a BYOC warehouse, use the IAM user prepared above to create a VPC and subnets in advance, as follows.

Tip: If you already have a VPC and subnets that meet the region, availability zone and subnet requirements below, and you want to deploy the BYOC warehouse in that VPC, skip the VPC and subnet creation steps.

Subnet requirements

Because deploying and managing the SelectDB service requires internet access to the AWS EC2, ELB and S3 services (and possibly other services in the future), two subnet types are currently supported:

1. Private subnet with outbound internet access (recommended)
The subnet's route table contains a 0.0.0.0/0 route to a NAT gateway. This type is recommended: every instance created in it reaches the internet through the NAT gateway's shared public IP address, which is more secure. Note that if you choose a private subnet, we assume your corporate network and the VPC are connected; otherwise the WebUI will not be reachable.

2. Public subnet (not recommended)
The subnet's route table contains a 0.0.0.0/0 route to an internet gateway (IGW). This type is not recommended: every instance SelectDB subsequently creates is automatically assigned a public IP address.

When creating the stack with CloudFormation, make sure the IGW or NAT gateway is healthy and the route tables are configured correctly. For a subnet that meets neither of the two conditions above, CloudFormation reports an error during stack creation and stops further execution.

The diagram below is the classic network architecture provided by Amazon Web Services. Subnet 4 is a private subnet with outbound internet access, and subnets 1 and 2 are public subnets; these three subnets meet the requirements, whereas deployment into subnet 3 will fail.

Create a VPC

Open the Amazon Web Services VPC console and switch to the region where you want to deploy the BYOC warehouse.

Click Create VPC to open the VPC creation page.

Select VPC only, enter a name, choose an IPv4 CIDR block, and click Create VPC to finish.

Create subnets

In the left navigation, choose Subnets > Create subnet to open the subnet creation page.

We recommend creating two subnets with the same availability zone ID: one public subnet and one private subnet. The SelectDB service is ultimately deployed in the private subnet.

Note: The currently supported regions and availability zones are:

Cloud platform        Region name   Region ID        Availability zone ID
Amazon Web Services   Ningxia       cn-northwest-1   cnnw1-az1

Create the IGW and NAT gateway and configure route tables

1. Create an internet gateway (IGW) and attach it to the VPC.

2. Add a route to the IGW in the public subnet's route table.

3. Create a NAT gateway in the public subnet.

4. Create a new route table for the private subnet and add a route to the NAT gateway.

5. Associate the new route table with the private subnet.

The final network topology should look like the following.
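To verify the subnet requirements above and the result of the route-table steps just listed before running the stack, the following added example (not SelectDB's own validation code) classifies each subnet from its route table the same way the text does: default route to a NAT gateway, to an IGW, or neither. The dictionaries follow the shape of EC2 DescribeRouteTables and DescribeSubnets output, but all IDs and tables are constructed sample data.

```python
"""Route-table check for the two supported subnet types.

Added example, not SelectDB's own validation code. The dictionaries mimic
the shape of EC2 DescribeRouteTables and DescribeSubnets output, but every
ID and table below is constructed sample data, not captured from an account.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table that applies to a subnet.

    A subnet with no explicit association uses the VPC main route table, a
    common reason a freshly created 'private' subnet has no NAT route yet.
    """
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_route_table(route_table):
    """Return 'private_nat' (0.0.0.0/0 -> NAT gateway, the recommended type),
    'public_igw' (0.0.0.0/0 -> internet gateway, supported but not recommended)
    or 'unsupported' (no active default route to either; the stack would fail)."""
    if route_table is None:
        return "unsupported"
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("State") != "active":
            continue  # a 'blackhole' route (e.g. deleted NAT gateway) gives no egress
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private_nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "public_igw"
    return "unsupported"


def classify_subnets(subnets, route_tables):
    """Map each subnet ID to its classification."""
    return {s["SubnetId"]: classify_route_table(
                route_table_for_subnet(s["SubnetId"], route_tables))
            for s in subnets}


def same_az_id(subnets):
    """True when all subnets share one AZ ID, as the subnet step requires."""
    return len({s["AvailabilityZoneId"] for s in subnets}) == 1


# Constructed sample mirroring the reference diagram: subnets 1 and 2 are
# public, subnet 4 is private with NAT egress, and subnet 3 has no explicit
# association, so it inherits the main table, which has only the local route.
SAMPLE_SUBNETS = [{"SubnetId": f"subnet-{n}", "AvailabilityZoneId": "cnnw1-az1"}
                  for n in (1, 2, 3, 4)]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"Associations": [{"SubnetId": "subnet-1"}, {"SubnetId": "subnet-2"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE,
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-4"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_ROUTE,
                        "NatGatewayId": "nat-0example", "State": "active"}]},
]

if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(subnet_id, kind)
    print("same AZ ID:", same_az_id(SAMPLE_SUBNETS))
```

Against a real account, feed the functions the `RouteTables` and `Subnets` lists returned by the EC2 API for the VPC; any subnet reported as `unsupported` is one the stack would reject.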

Understanding CloudFormation and stacks

When a user creates a BYOC warehouse, the cloud provider's orchestration service (CloudFormation) first deploys an Agent automatically and establishes a private connection between the Agent and the SelectDB Cloud platform; the Agent is then responsible for deploying and managing the BYOC warehouse.

About the CloudFormation template

The CloudFormation template provided by SelectDB runs in your own cloud account; its code is visible and auditable, and it does not operate on your data or on other environments in your VPC. You can obtain the template from the following link:

https://selectdb-cloud-online-cn-north-1.s3.cn-north-1.amazonaws.com.cn/public/aws-cn-byoc.yaml

When you run the template above through Amazon Web Services CloudFormation, it creates and deploys the Agent. The Agent then establishes a private connection to SelectDB Cloud and completes the warehouse initialization process.

After the template has finished running, you can open the corresponding warehouse in the SelectDB Cloud platform and start creating compute clusters for data analysis, just as with a regular warehouse.

How to view stack information

In the Amazon Web Services CloudFormation console, switch to the region to view all resources created by the SelectDB stack template; you can also look up a specific resource by name.

Note: All resources created by the stack template belong to your cloud account and are used only inside your VPC; nothing leaves it.

  • EC2
    • Name: SelectDBAgent (EC2)
    • Purpose: hosts the Agent, Prometheus, FluentBit and related programs
  • VPC Endpoint
    • Name: SelectDBEndpoint (VPC Endpoint)
    • Purpose: establishes a private connection to the SelectDB management service, through which control commands are pulled and monitoring data and logs are pushed one-way
  • S3 Bucket
    • Name: SelectDBBucket (S3 Bucket)
    • Purpose: stores warehouse data
  • SecurityGroup
    • Name: SelectDBSecurityGroupForEndpoint, SelectDBSecurityGroup (VPC SecurityGroup)
    • Purpose: one is attached to the VPC endpoint and allows access only to certain ports, such as 2222, 8666, 8888 and 9090. The other is attached to every EC2 instance SelectDB creates and restricts traffic through security group rules (all traffic on all ports from the same security group, traffic to port 5000 from the same subnet, and all outbound traffic are allowed)
  • IAM User / IAM Role
    • Name: SelectDBUser (sub-user), SelectDBUserAccessKey (access key pair), SelectDBUserPolicy (sub-user permissions), SelectDBRole (role), SelectDBRolePolicy (role permissions)
    • Purpose:
      • The sub-user has the minimum permissions the Agent needs; all subsequent operations run under this sub-user's identity (the sub-user's credentials are used only inside your VPC and never leave it)
      • The roles are attached to EC2 instances, which authenticate with temporary tokens; this is safer than using long-lived access keys. One role is for the control side (attached to the Agent machine) and one for the kernel side (attached to the MS/FE/BE machines)
  • Lambda Function
    • Name:
      • CustomFunction* (Lambda function logic)
      • CustomResourceRole (temporary role for executing the Lambda function)
    • Purpose: the Lambda function implements logic that is not available in the CloudFormation template language but is available in the Python SDK. For this template it covers:
      1. Deriving a lowercase S3 bucket name, because Amazon S3 does not allow uppercase letters in bucket names.
      2. Retrieving information about the subnet the user selected, such as its type and CIDR block.
      3. Creating an S3 gateway endpoint if the VPC does not already have one, so that traffic to the S3 bucket is routed inside the VPC rather than over the public internet.

Permissions required by the stack template

Running the stack template through CloudFormation in your cloud account creates and operates on EC2, VPC, S3 and other cloud resources, so a set of IAM permissions is required. Before running it, make sure the user executing the template has these permissions; otherwise the template run may fail.

Note: The stack template runs entirely within your cloud account, and the resources it creates belong to your cloud account. SelectDB does not obtain your cloud account information and cannot use that account's IAM permissions.

The permissions below follow from the resources and operations defined in the template:

  • Permission summary:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/resource-created-by": [
                        "selectdb"
                    ]
                }
            },
            "Action": [
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances",
                "ec2:RebootInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeSecurityGroupRules",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
                "ec2:GetEbsEncryptionByDefault",
                "ec2:GetEbsDefaultKmsKeyId"
            ],
            "Resource": [
                "arn:aws-cn:ec2:*:*:*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeVolumes",
                "ec2:ModifyVolume",                
                "ec2:DescribeImages",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "ec2:RunInstances",
                "ec2:CreateSecurityGroup",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:*VpcEndpoint*",
                "compute-optimizer:GetEnrollmentStatus",
                "elasticloadbalancing:*",
                "s3:CreateBucket"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Delete*"
            ],
            "Resource": [
                "arn:aws-cn:s3:::selectdb-bucket-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:GetCallerIdentity",
                "sts:AssumeRole",
                "iam:GetUser",
                "iam:TagUser",
                "iam:CreateUser",
                "iam:DeleteUser",
                "iam:ListAccessKeys",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:GetRole",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:CreatePolicy",
                "iam:GetUserPolicy",
                "iam:PutUserPolicy",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy",
                "iam:DeleteUserPolicy",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/selectdb-*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "cloudformation:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:InvokeFunction",
                "lambda:TagResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            },
            "Effect": "Allow"
        }
    ]
}
  • EC2 & VPC permissions:

    • Manage EC2 instances and security groups
    {
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/resource-created-by": [
                    "selectdb"
                ]
            }
        },
        "Action": [
            "ec2:TerminateInstances",
            "ec2:StopInstances",
            "ec2:StartInstances",
            "ec2:RebootInstances",
            "ec2:ModifyInstanceAttribute",
            "ec2:DescribeSecurityGroupRules",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:RevokeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:RevokeSecurityGroupEgress",
            "ec2:DeleteSecurityGroup",
            "ec2:GetEbsEncryptionByDefault",
            "ec2:GetEbsDefaultKmsKeyId"
        ],
        "Resource": [
            "arn:aws-cn:ec2:*:*:*"
        ],
        "Effect": "Allow"
    }
    • Retrieve VPC resource information and manage VPC endpoints

    {
        "Action": [
            "ec2:DescribeVpcs",
            "ec2:DescribeSubnets",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAddresses",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeVolumes",
            "ec2:ModifyVolume",        
            "ec2:DescribeImages",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeInstances",
            "ec2:RunInstances",
            "ec2:CreateSecurityGroup",
            "ec2:DescribeTags",
            "ec2:CreateTags",
            "ec2:DeleteTags",
            "ec2:*VpcEndpoint*",
            "compute-optimizer:GetEnrollmentStatus"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow"
    },
  • ELB permissions:

    • Manage Elastic Load Balancing (ELB) resources
      elasticloadbalancing:*
  • S3 permissions:

    • Manage S3 buckets and read/write the bucket and its contents (specific buckets only)
    {
        "Action": [
            "s3:CreateBucket"
        ],
        "Resource": [
            "*"
        ],
        "Effect": "Allow"
    },
    {
        "Action": [
            "s3:Get*",
            "s3:List*",
            "s3:Put*",
            "s3:Delete*"
        ],
        "Resource": [
            "arn:aws-cn:s3:::selectdb-bucket-*"
        ],
        "Effect": "Allow"
    },
  • IAM & STS & Lambda permissions:

    • IAM and STS
    {
        "Action": [
            "sts:GetCallerIdentity",
            "sts:AssumeRole",
            "iam:GetUser",
            "iam:TagUser",
            "iam:CreateUser",
            "iam:DeleteUser",
            "iam:ListAccessKeys",
            "iam:CreateAccessKey",
            "iam:DeleteAccessKey",
            "iam:GetRole",
            "iam:TagRole",
            "iam:ListRoles",
            "iam:CreateRole",
            "iam:DeleteRole",
            "iam:CreatePolicy",
            "iam:GetUserPolicy",
            "iam:PutUserPolicy",
            "iam:GetRolePolicy",
            "iam:PutRolePolicy",
            "iam:DeleteUserPolicy",
            "iam:DeleteRolePolicy",
            "iam:GetInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:AddRoleToInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:DeleteInstanceProfile"
        ],
        "Resource": "*",
        "Effect": "Allow"
    },
    {
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "arn:aws-cn:iam::*:role/selectdb-*",
        "Effect": "Allow"
    },
    • Lambda
    {
      "Action": [
          "lambda:GetFunction",
          "lambda:CreateFunction",
          "lambda:DeleteFunction",
          "lambda:InvokeFunction",
          "lambda:TagResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    • ELB service-linked role
    {
        "Action": [
            "iam:CreateServiceLinkedRole"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
            }
        },
        "Effect": "Allow"
    }
  • CloudFormation permissions:

    {
      "Action": [
          "cloudformation:*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
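Before attaching the policy above, an administrator usually wants to see which of its grants are bounded and which apply account-wide. The following added helper (not SelectDB tooling) records, for each Allow statement, whether it is limited by the resource-created-by=selectdb tag condition, by another condition key, by a resource ARN pattern, or not at all; the embedded policy is a constructed excerpt of the page's policy with one statement per scoping style.

```python
"""Scope review for the stack-template IAM policy above.

Added example, not SelectDB tooling. For each Allow statement it records
whether the grant is bounded by the resource-created-by=selectdb tag
condition, by another condition key, by a resource ARN, or not bounded at
all, so an administrator can see which actions apply account-wide. The
policy below is a constructed excerpt of the page's policy, not the whole.
"""
import json

SCOPE_TAG = "aws:ResourceTag/resource-created-by"


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def review_statement(stmt):
    """Classify how one statement is bounded."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    condition_keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        condition_keys.update(operator_block.keys())
    if SCOPE_TAG in condition_keys:
        scope = "tag"          # only resources tagged resource-created-by=selectdb
    elif condition_keys:
        scope = "condition"    # e.g. iam:AWSServiceName, iam:PassedToService
    elif all(r != "*" for r in resources):
        scope = "arn"          # bounded by an ARN pattern such as selectdb-bucket-*
    else:
        scope = "unbounded"    # any resource in the account, no condition
    return {
        "scope": scope,
        "actions": actions,
        "wildcard_actions": [a for a in actions if "*" in a],
        "resources": resources,
    }


def review_policy(policy):
    return [review_statement(s) for s in policy["Statement"]
            if s.get("Effect") == "Allow"]


def unbounded_actions(policy):
    """Actions granted on every resource with no condition: the ones to
    justify (or narrow) before attaching the policy."""
    found = set()
    for entry in review_policy(policy):
        if entry["scope"] == "unbounded":
            found.update(entry["actions"])
    return sorted(found)


# Constructed excerpt of the policy above (one statement per scoping style).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Condition": {"StringEquals": {"aws:ResourceTag/resource-created-by": ["selectdb"]}},
     "Action": ["ec2:TerminateInstances", "ec2:DeleteSecurityGroup"],
     "Resource": ["arn:aws-cn:ec2:*:*:*"]},
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:*VpcEndpoint*", "elasticloadbalancing:*"],
     "Resource": ["*"]},
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:Put*"],
     "Resource": ["arn:aws-cn:s3:::selectdb-bucket-*"]},
    {"Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws-cn:iam::*:role/selectdb-*"},
    {"Effect": "Allow", "Action": ["cloudformation:*"], "Resource": "*"},
    {"Effect": "Allow",
     "Condition": {"StringEquals": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}},
     "Action": ["iam:CreateServiceLinkedRole"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    for entry in review_policy(SAMPLE_POLICY):
        print(f'{entry["scope"]:10} {", ".join(entry["actions"])}')
    print("unbounded:", unbounded_actions(SAMPLE_POLICY))
```

Run it on the full policy JSON from the page (or on the sub-user policy further below) by loading that document in place of the excerpt.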

Permissions of the sub-user created by the stack template

The first run of the stack template creates a sub-user that is later used to manage the warehouse components inside your VPC. The following is an example of that sub-user's permissions:

Note: The sub-user belongs to your cloud account and is used only inside your VPC; its credentials never leave it.

{
    "Version": "2012-10-17",
    "Statement": [
            {
                    "Condition": {
                            "StringEquals": {
                                    "aws:ResourceTag/resource-created-by": [
                                            "selectdb"
                                    ]
                            }
                    },
                    "Action": [
                            "ec2:TerminateInstances",
                            "ec2:StopInstances",
                            "ec2:StartInstances",
                            "ec2:RebootInstances",
                            "ec2:ModifyInstanceAttribute",
                            "ec2:DescribeSecurityGroups",
                            "ec2:DescribeSecurityGroupRules",
                            "ec2:AuthorizeSecurityGroupIngress",
                            "ec2:AuthorizeSecurityGroupEgress",
                            "ec2:DeleteSecurityGroup",
                            "ec2:GetEbsEncryptionByDefault",
                            "ec2:GetEbsDefaultKmsKeyId"
                    ],
                    "Resource": [
                            "arn:aws-cn:ec2:cn-northwest-1:*:*"
                    ],
                    "Effect": "Allow"
            },
            {
                    "Action": [
                            "ec2:DescribeVpcs",
                            "ec2:DescribeSubnets",
                            "ec2:DescribeAccountAttributes",
                            "ec2:DescribeAddresses",
                            "ec2:DescribeInternetGateways",
                            "ec2:DescribeAvailabilityZones",
                            "ec2:DescribeInstanceTypes",
                            "ec2:DescribeVolumes",
                            "ec2:ModifyVolume",
                            "ec2:DescribeImages",
                            "ec2:DescribeInstances",
                            "ec2:RunInstances",
                            "ec2:CreateSecurityGroup",
                            "ec2:DescribeTags",
                            "ec2:CreateTags",
                            "ec2:DeleteTags",
                            "compute-optimizer:GetEnrollmentStatus",
                            "elasticloadbalancing:*"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
            },
            {
                    "Condition": {
                            "StringEquals": {
                                    "aws:ResourceTag/resource-created-by": [
                                            "selectdb"
                                    ]
                            }
                    },
                    "Action": [
                            "s3:*"
                    ],
                    "Resource": [
                            "arn:aws-cn:s3:::selectdb-bucket-*/*",
                            "arn:aws-cn:s3:::selectdb-bucket-*"
                    ],
                    "Effect": "Allow"
            },
            {
                    "Action": [
                            "sts:GetCallerIdentity",
                            "sts:AssumeRole",
                            "iam:CreateInstanceProfile"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
            },
            {
                    "Condition": {
                            "StringEquals": {
                                    "iam:PassedToService": [
                                            "ec2.amazonaws.com.cn"
                                    ]
                            }
                    },
                    "Action": [
                            "iam:PassRole",
                            "iam:AddRoleToInstanceProfile"
                    ],
                    "Resource": "arn:aws-cn:iam::*:role/selectdb-*",
                    "Effect": "Allow"
            },
            {
                    "Condition": {
                            "StringEquals": {
                                    "iam:AWSServiceName": [
                                            "elasticloadbalancing.amazonaws.com"
                                    ]
                            }
                    },
                    "Action": [
                            "iam:CreateServiceLinkedRole"
                    ],
                    "Resource": "*",
                    "Effect": "Allow"
            }
    ]
}

The permissions break down as follows:

  • EC2 & VPC permissions:

    • Manage EC2 instances and security groups

      {
          "Condition": {
                  "StringEquals": {
                          "aws:ResourceTag/resource-created-by": [
                                  "selectdb"
                          ]
                  }
          },
          "Action": [
                  "ec2:TerminateInstances",
                  "ec2:StopInstances",
                  "ec2:StartInstances",
                  "ec2:RebootInstances",
                  "ec2:ModifyInstanceAttribute",
                  "ec2:DescribeSecurityGroups",
                  "ec2:DescribeSecurityGroupRules",
                  "ec2:AuthorizeSecurityGroupIngress",
                  "ec2:AuthorizeSecurityGroupEgress",
                  "ec2:DeleteSecurityGroup",
                  "ec2:GetEbsEncryptionByDefault",
                  "ec2:GetEbsDefaultKmsKeyId"
          ],
          "Resource": [
                  "arn:aws-cn:ec2:cn-northwest-1:*:*"
          ],
          "Effect": "Allow"
      },
    • Retrieve VPC resource information
      {
          "Action": [
                  "ec2:DescribeVpcs",
                  "ec2:DescribeSubnets",
                  "ec2:DescribeAccountAttributes",
                  "ec2:DescribeAddresses",
                  "ec2:DescribeInternetGateways",
                  "ec2:DescribeInstances",
                  "ec2:DescribeAvailabilityZones",
                  "ec2:DescribeInstanceTypes",
                  "ec2:DescribeVolumes",
                  "ec2:ModifyVolume",
                  "ec2:DescribeImages",
                  "ec2:RunInstances",
                  "ec2:CreateSecurityGroup",
                  "ec2:DescribeTags",
                  "ec2:CreateTags",
                  "ec2:DeleteTags",
                  "compute-optimizer:GetEnrollmentStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
      },
  • ELB permissions:

    • Manage Elastic Load Balancing (ELB) resources
      elasticloadbalancing:*
  • S3 permissions:

    • Manage S3 buckets and read/write the bucket and its contents (specific buckets only)
      {
              "Condition": {
                      "StringEquals": {
                              "aws:ResourceTag/resource-created-by": [
                                      "selectdb"
                              ]
                      }
              },
              "Action": [
                      "s3:*"
              ],
              "Resource": [
                  "arn:aws-cn:s3:::selectdb-bucket-008f3509df2de314e/*",
                  "arn:aws-cn:s3:::selectdb-bucket-008f3509df2de314e"
              ],
              "Effect": "Allow"
      }
  • IAM & STS permissions:

    • IAM and STS
       {
          "Action": [
                  "sts:GetCallerIdentity",
                  "sts:AssumeRole",
                  "iam:CreateInstanceProfile"
          ],
          "Resource": "*",
          "Effect": "Allow"
      },
      {
              "Condition": {
                      "StringEquals": {
                              "iam:PassedToService": [
                                      "ec2.amazonaws.com.cn"
                              ]
                      }
              },
              "Action": [
                      "iam:PassRole",
                      "iam:AddRoleToInstanceProfile"
              ],
              "Resource": "arn:aws-cn:iam::*:role/selectdb-*",
              "Effect": "Allow"
      },
      {
          "Condition": {
                  "StringEquals": {
                          "iam:AWSServiceName": [
                                  "elasticloadbalancing.amazonaws.com"
                          ]
                  }
          },
          "Action": [
                  "iam:CreateServiceLinkedRole"
          ],
          "Resource": "*",
          "Effect": "Allow"
      }