jer*_*oen 5 amazon-s3 amazon-ec2 amazon-web-services amazon-data-pipeline aws-data-pipeline
我正在使用Load S3 data into RDS MySql tableAWS Data Pipeline 中的模板将 csv 从 S3 存储桶导入到我们的 RDS MySql 中。但是,我(作为具有完全管理权限的 IAM 用户)遇到了无法解决的警告:
对象:Ec2Instance - 警告:无法验证角色的 S3 访问权限。请确保角色 ('DataPipelineDefaultRole') 具有 DataPipeline 的 s3:Get*、s3:List*、s3:Put* 和 sts:AssumeRole 权限。
DataPipelineDefaultRoleGoogle 告诉我不要使用和的默认策略DataPipelineDefaultResourceRole。根据AWS Data Pipeline 的 IAM 角色文档和此 AWS 支持论坛上的主题,我使用了内联策略并编辑了这两个角色的信任关系。
政策DataPipelineDefaultRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"datapipeline:DescribeObjects",
"datapipeline:EvaluateExpression",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:UpdateTable",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CancelSpotInstanceRequests",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:Describe*",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DetachNetworkInterface",
"elasticmapreduce:*",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListInstanceProfiles",
"iam:PassRole",
"rds:DescribeDBInstances",
"rds:DescribeDBSecurityGroups",
"redshift:DescribeClusters",
"redshift:DescribeClusterSecurityGroups",
"s3:CreateBucket",
"s3:DeleteObject",
"s3:Get*",
"s3:List*",
"s3:Put*",
"sdb:BatchPutAttributes",
"sdb:Select*",
"sns:GetTopicAttributes",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe",
"sns:Unsubscribe",
"sqs:CreateQueue",
"sqs:Delete*",
"sqs:GetQueue*",
"sqs:PurgeQueue",
"sqs:ReceiveMessage"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": [
"elasticmapreduce.amazonaws.com",
"spot.amazonaws.com"
]
}
}
}
]
}
信任关系DataPipelineDefaultRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"elasticmapreduce.amazonaws.com",
"datapipeline.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
政策DataPipelineDefaultResourceRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"datapipeline:*",
"dynamodb:*",
"ec2:Describe*",
"elasticmapreduce:AddJobFlowSteps",
"elasticmapreduce:Describe*",
"elasticmapreduce:ListInstance*",
"rds:Describe*",
"redshift:DescribeClusters",
"redshift:DescribeClusterSecurityGroups",
"s3:*",
"sdb:*",
"sns:*",
"sqs:*"
],
"Resource": [
"*"
]
}
]
}
信任关系DataPipelineDefaultResourceRole:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
我尝试了几种选项/组合,但警告仍然存在。有谁知道如何解决这个权限问题?
我认为您的政策和角色的定义方式没有任何问题。一切看起来都不错。我唯一能想到的是在定义角色后您创建管道的速度有多快?
请记住,IAM 策略是全局性的,而数据管道存在于特定区域中,因此在创建策略/角色和创建数据管道之间给它一些睡眠时间,AWS 需要时间在所有区域中复制 IAM 策略更改。
Ex. if you are using bash aws-cli to create/update role & then create/activate data-pipeline, insert `sleep Xs` between role & datapipeline creation.
挑剔你不需要ec2.amazonaws.com信任关系DataPipelineDefaultRole。
| 归档时间: |
|
| 查看次数: |
3001 次 |
| 最近记录: |