使用标准角色部署AWS数据管道

时间:2014-11-04 17:02:05

标签: amazon-web-services amazon-iam amazon-data-pipeline

尝试简单地部署之前有效的数据管道定义。这次我将角色更改为与另一个AWS(生产与登台)帐户保持一致。

当我通过AWS CLI部署时,收到此消息:

{
    "validationErrors": [
        {
            "errors": [
                "Please add following permissions to the role ('DataPipelineDefaultRole') for uploading logs to s3: s3:Get*,s3:List*,s3:Put*"
            ], 
            "id": "EC2_Box_TaskRunner"
        }
    ], 
    "errored": true, 
    "validationWarnings": []
}

以下是DataPipelineDefaultRole的定义:

{                                                                                                                                                                                          
    "Statement": [                                                                                                                                                                         
        {                                                                                                                                                                                  
            "Action": [                                                                                                                                                                    
                "s3:*",                                                                                                                                                         
                "dynamodb:DescribeTable",                                                                                                                                                  
                "dynamodb:Scan",                                                                                                                                                           
                "dynamodb:Query",                                                                                                                                                          
                "dynamodb:GetItem",                                                                                                                                                        
                "dynamodb:BatchGetItem",                                                                                                                                                   
                "dynamodb:UpdateTable",

                "ec2:*",

                "elasticmapreduce:*",                                                                                                                                                      
                "rds:DescribeDBInstances",                                                                                                                                                 
                "rds:DescribeDBSecurityGroups",                                                                                                                                            
                "redshift:DescribeClusters",                                                                                                                                               
                "redshift:DescribeClusterSecurityGroups",                                                                                                                                  
                "sns:GetTopicAttributes",                                                                                                                                                  
                "sns:ListTopics",                                                                                                                                                          
                "sns:Publish",                                                                                                                                                             
                "sns:Subscribe",                                                                                                                                                           
                "sns:Unsubscribe",                                                                                                                                                         
                "iam:PassRole",                                                                                                                                                            
                "iam:ListRolePolicies",                                                                                                                                                    
                "iam:GetRole",                                                                                                                                                             
                "iam:GetRolePolicy",                                                                                                                                                       
                "iam:ListInstanceProfiles",                                                                                                                                                
                "cloudwatch:*",                                                                                                                                                            
                "datapipeline:*"                                                                                                                                          
            ],                                                                                                                                                                             
            "Effect": "Allow",                                                                                                                                                             
            "Resource": [                                                                                                                                                                  
                "*"                                                                                                                                                                        
            ]                                                                                                                                                                              
        }                                                                                                                                                                                  
    ]                                                                                                                                                                                      
}

我还注意到,当我尝试重新创建'DataPipelineDefaultRole'时,有时“实例配置文件ARN(s)”为空。最后,我能够重新创建角色 - 通过“hello world数据管道模板”设置和/或手动步骤的组合。 (有Instance ARN出席)

即使角色设置为:

{                                                                                                                                                                                          
    "Statement": [                                                                                                                                                                         
        {                                                                                                                                                                                  
            "Action": [                                                                                                                                                                    
                "*"                                                                                                                                          
            ],                                                                                                                                                                             
            "Effect": "Allow",                                                                                                                                                             
            "Resource": [                                                                                                                                                                  
                "*"                                                                                                                                                                        
            ]                                                                                                                                                                              
        }                                                                                                                                                                                  
    ]                                                                                                                                                                                      
}

它不起作用。

我做错了什么?

1 个答案:

答案 0 :(得分:0)

好的问题是管道定义中其他对象引用的s3路径,而不是角色或EC2_Box_TaskRunner框