Template for creating an IAM role for Spectrum S3 access

Time: 2019-11-12 10:13:51

Tags: amazon-redshift amazon-cloudformation

To access S3 data through Spectrum, I need to create an IAM role as described here...

https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html

The newly created IAM role then needs to be attached to the Redshift instance.

https://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html#copy-unload-iam-role-associating-with-clusters

I have completed all of the steps successfully. But I would like to know whether a CloudFormation template can be written that does the required work quickly. Below is the relevant code I extracted. I am not sure how to get the syntax right.

Step 1

{
    "Tags": [],
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "redshift.amazonaws.com"
                }
            }
        ]
    },
    "RoleId": "AROAJWJGDMYIHSSTPZ6I6CM",
    "CreateDate": "2017-05-15T05:34:46Z",
    "InstanceProfileList": [],
    "RoleName": "RedshiftCopyUnload",
    "Path": "/",
    "AttachedManagedPolicies": [
        {
            "PolicyName": "AmazonAthenaFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
        },
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        },
        {
            "PolicyName": "AWSGlueConsoleFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
        }
    ],
    "RolePolicyList": [],
    "Arn": "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
}

Step 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "redshift:ModifyClusterIamRoles",
                "redshift:CreateCluster"
            ],
            "Resource": [
                "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
                "arn:aws:redshift:us-east-1:123456789012:cluster:my-second-redshift-cluster"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/MyRedshiftRole",
                "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                "arn:aws:iam::123456789012:role/ThirdRedshiftRole"
            ]
        }
    ]
}

Update: would the following CloudFormation template correctly create the role described in Step 1?

{
  "Resources": {
    "NewRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "redshift.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "RoleName": "RedshiftCopyUnload",
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
          "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
        ]
      }
    }
  }
}

1 Answer:

Answer 0 (score: 2)

Yes. An IAM role can be defined in an AWS CloudFormation template.

Here is an example from AWS::IAM::Role - AWS CloudFormation:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                # the docs source renders this as ec2.&api-domain;, an unresolved entity for amazonaws.com
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                # '*' on '*' is full administrative access; this docs example only illustrates the syntax
                Action: '*'
                Resource: '*'
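As an added example (not code from the question, the answer, or the AWS docs), the two steps from the question folded into one CloudFormation template: the role is built as a Python dict and emitted as JSON in the same style as the templates above, and the cluster receives it through the `IamRoles` property, which is the "associate role with cluster" step done declaratively. A small audit function then flags over-broad role definitions in any template. The bucket name, logical IDs, node type and database settings are assumed placeholders; the Glue actions are the read-only subset needed to query an existing catalog, and the master password is supplied as a `NoEcho` parameter because `AWS::Redshift::Cluster` requires one.

```python
import json

BUCKET = "my-spectrum-data-bucket"           # assumed placeholder for your data bucket
ROLE_ID = "RedshiftSpectrumRole"             # assumed logical ID for the role
REDSHIFT_SERVICE = "redshift.amazonaws.com"  # the only principal Spectrum needs to trust
# AWS managed policies that are broad even though the name sounds harmless.
BROAD_MANAGED = {"AmazonS3ReadOnlyAccess": "reads every bucket in the account"}


def spectrum_template(bucket=BUCKET):
    """Step 1 and step 2 of the question in one template: a role trusted only by
    Redshift, read on one bucket, read-only Glue catalog, attached via IamRoles."""
    s3_read = {
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }
    # Read-only catalog calls; add glue:CreateTable and friends only if you run
    # CREATE EXTERNAL TABLE from Redshift, and scope Resource to database/table ARNs.
    glue_read = {
        "Effect": "Allow",
        "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables",
                   "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition"],
        "Resource": "*",
    }
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"MasterUserPassword": {"Type": "String", "NoEcho": True}},
        "Resources": {
            ROLE_ID: {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                       "Principal": {"Service": REDSHIFT_SERVICE}}],
                    },
                    "Path": "/",
                    "Policies": [{"PolicyName": "SpectrumReadOnly",
                                  "PolicyDocument": {"Version": "2012-10-17",
                                                     "Statement": [s3_read, glue_read]}}],
                },
            },
            "SpectrumCluster": {
                "Type": "AWS::Redshift::Cluster",
                "Properties": {
                    "ClusterType": "single-node", "NodeType": "dc2.large", "DBName": "dev",
                    "MasterUsername": "admin",
                    "MasterUserPassword": {"Ref": "MasterUserPassword"},
                    # The 'associate role with cluster' step from the second doc link,
                    # done declaratively instead of by hand after the stack is up.
                    "IamRoles": [{"Fn::GetAtt": [ROLE_ID, "Arn"]}],
                },
            },
        },
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def audit_roles(template):
    """Findings for every AWS::IAM::Role in a template: trust principals other than
    Redshift, *FullAccess or otherwise broad managed policies, inline Allow of '*'/'svc:*'."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        for stmt in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
            for svc in _as_list(stmt.get("Principal", {}).get("Service", [])):
                if svc != REDSHIFT_SERVICE:
                    findings.append(f"{name}: trust policy also allows {svc}")
        for arn in props.get("ManagedPolicyArns", []):
            pol = arn.rsplit("/", 1)[-1]
            if pol.endswith("FullAccess"):
                findings.append(f"{name}: managed policy {pol} is not least privilege")
            elif pol in BROAD_MANAGED:
                findings.append(f"{name}: managed policy {pol} {BROAD_MANAGED[pol]}")
        for pol in props.get("Policies", []):
            for stmt in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                for action in _as_list(stmt.get("Action", [])):
                    if action == "*" or action.endswith(":*"):
                        findings.append(f"{name}: inline policy {pol['PolicyName']} allows {action}")
    return findings


# The role from the question's 'Update' template, reproduced so the audit can run on it.
QUESTION_ROLE = {"Resources": {"NewRole": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Service": [REDSHIFT_SERVICE]}, "Action": ["sts:AssumeRole"]}]},
    "RoleName": "RedshiftCopyUnload", "Path": "/",
    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
                          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
                          "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"]}}}}

if __name__ == "__main__":
    print(json.dumps(spectrum_template(), indent=2))  # feed this to aws cloudformation deploy
    for finding in audit_roles(QUESTION_ROLE):
        print("finding:", finding)
```

Running the script prints the template and then the findings for the role in the question's Update: all three managed policies are flagged, because AmazonAthenaFullAccess and AWSGlueConsoleFullAccess grant far more than Spectrum uses and AmazonS3ReadOnlyAccess reads every bucket in the account. The same audit flags the answer's docs example twice, for trusting ec2.amazonaws.com and for `Action: '*'`, while the role produced by `spectrum_template` passes clean.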