# 允许访问 Athena 联合查询:示例策略
本主题中的权限策略示例演示了需要允许的操作以及允许执行这些操作的资源。仔细检查这些策略并根据您的需求修改它们,然后再将它们附加到 IAM 身份。
有关将 IAM 策略添加到用户的信息,请参阅 [IAM 用户指南](https://docs.aws.amazon.com/IAM/latest/UserGuide/) 中的 [添加和删除 IAM 身份权限](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)。
+ [Example policy to allow an IAM principal to run and return results using Athena Federated Query](#fed-using-iam)
+ [Example Policy to Allow an IAM Principal to Create a Data Source Connector](#fed-creating-iam)
**Example :允许 IAM 主体运行并使用 Athena 联合查询返回结果**
以下基于身份的权限策略允许用户或其他 IAM 主体执行使用 Athena 联合查询所需的操作。允许执行这些操作的主体可以运行指定与联合数据来源关联的 Athena 目录的查询。
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Athena",
"Effect": "Allow",
"Action": [
"athena:GetDataCatalog",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
],
"Resource": [
"arn:aws:athena:*:111122223333:workgroup/WorkgroupName",
"arn:aws:athena:us-east-1:111122223333:datacatalog/DataCatalogName"
]
},
{
"Sid": "ListAthenaWorkGroups",
"Effect": "Allow",
"Action": "athena:ListWorkGroups",
"Resource": "*"
},
{
"Sid": "Lambda",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": [
"arn:aws:lambda:*:111122223333:function:OneAthenaLambdaFunction",
"arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction"
]
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListMultipartUploadParts",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::MyLambdaSpillBucket",
"arn:aws:s3:::MyLambdaSpillBucket/*",
"arn:aws:s3:::MyQueryResultsBucket",
"arn:aws:s3:::MyQueryResultsBucket/*"
]
}
]
}
```
**权限说明**
| 允许的操作 | 说明 |
| --- | --- |
| "athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
| 运行联合查询所需的 Athena 权限。 |
| "athena:GetDataCatalog",
"athena:GetQueryExecution,"
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StartQueryExecution",
"athena:StopQueryExecution"
| 运行联合视图查询所需的 Athena 权限。视图需要 `GetDataCatalog` 操作。 |
| "lambda:InvokeFunction"
| 允许查询为 Resource 块中指定的 AWS Lambda 函数调用 AWS Lambda 函数。例如 arn:aws:lambda:\$1:MyAWSAcctId:function:MyAthenaLambdaFunction,其中 MyAthenaLambdaFunction 指定要调用的 Lambda 函数的名称。如示例中所示,可以指定多个函数。 |
| "s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListMultipartUploadParts",
"s3:PutObject"
| 必须具备 `s3:ListBucket` 和 `s3:GetBucketLocation` 权限,才能访问运行 `StartQueryExecution` 的 IAM 主体的查询输出存储桶。 `s3:PutObject`、`s3:ListMultipartUploadParts` 和 `s3:AbortMultipartUpload` 允许将查询结果写入由 `arn:aws:s3:::MyQueryResultsBucket/*` 资源标识符指定的查询结果存储桶的所有子文件夹,其中 *MyQueryResultsBucket* 为 Athena 查询结果存储桶。有关更多信息,请参阅 [使用查询结果和最近查询](querying.md)。 `s3:GetObject` 允许读取指定为 `arn:aws:s3:::MyQueryResultsBucket` 的资源的查询结果和查询历史记录,其中 *MyQueryResultsBucket* 是 Athena 查询结果存储桶。 `s3:GetObject` 还允许从指定为 `"arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*"` 的资源中读取,其中 *MyLambdaSpillPrefix* 在被调用的一个或多个 Lambda 函数的配置中指定。 |
**Example :允许 IAM 主体创建数据来源连接器**
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"iam:CreateRole",
"lambda:GetFunctionConfiguration",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"lambda:PutFunctionConcurrency",
"iam:PassRole",
"iam:DetachRolePolicy",
"lambda:ListTags",
"iam:ListAttachedRolePolicies",
"iam:DeleteRolePolicy",
"lambda:DeleteFunction",
"lambda:GetAlias",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetPolicy",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"iam:DeleteRole",
"lambda:UpdateFunctionCode",
"s3:GetObject",
"lambda:AddPermission",
"iam:UpdateRole",
"lambda:DeleteFunctionConcurrency",
"lambda:RemovePermission",
"iam:GetRolePolicy",
"lambda:GetPolicy"
],
"Resource": [
"arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunctionsPrefix*",
"arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*",
"arn:aws:iam::*:role/RoleName",
"arn:aws:iam::111122223333:policy/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListExports",
"cloudformation:ListStacks",
"cloudformation:ListImports",
"lambda:ListFunctions",
"iam:ListRoles",
"lambda:GetAccountSettings",
"ec2:DescribeSecurityGroups",
"cloudformation:EstimateTemplateCost",
"ec2:DescribeVpcs",
"lambda:ListEventSourceMappings",
"cloudformation:DescribeAccountLimits",
"ec2:DescribeSubnets",
"cloudformation:CreateStackSet",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": [
"arn:aws:cloudformation:*:111122223333:stack/aws-serverless-repository-MyCFStackPrefix*/*",
"arn:aws:cloudformation:*:111122223333:stack/serverlessrepo-MyCFStackPrefix*/*",
"arn:aws:cloudformation:*:*:transform/Serverless-*",
"arn:aws:cloudformation:*:111122223333:stackset/aws-serverless-repository-MyCFStackPrefix*:*",
"arn:aws:cloudformation:*:111122223333:stackset/serverlessrepo-MyCFStackPrefix*:*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "serverlessrepo:*",
"Resource": "arn:aws:serverlessrepo:*:*:applications/*"
},
{
"Sid": "ECR",
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "arn:aws:ecr:*:*:repository/*"
}
]
}
```
**权限说明**
| 允许的操作 | 说明 |
| --- | --- |
| "lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"lambda:GetFunctionConfiguration",
"lambda:PutFunctionConcurrency",
"lambda:ListTags",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"lambda:UpdateFunctionCode",
"lambda:AddPermission",
"lambda:DeleteFunctionConcurrency",
"lambda:RemovePermission",
"lambda:GetPolicy"
"lambda:GetAccountSettings",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
| 允许创建和管理列为资源的 Lambda 函数。在此示例中,资源标识符 `arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*` 中使用名称前缀,其中 `MyAthenaLambdaFunctionsPrefix` 是一组 Lambda 函数的名称中使用的共享前缀,因此它们不需要单独指定为资源。您可以指定一个或多个 Lambda 函数资源。 |
| "s3:GetObject"
| 允许读取 AWS Serverless Application Repository 所需的存储桶,如资源标识符 arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/\$1 所指定。此存储桶可能特定于您的账户。 |
| "cloudformation:*"
| 允许创建和管理由资源 `MyCFStackPrefix` 指定的 CloudFormation 堆栈。这些堆栈和堆栈集是 AWS Serverless Application Repository 部署连接器和 UDF 的方式。 |
| "serverlessrepo:*"
| 允许在由资源标识符 arn:aws:serverlessrepo:\$1:\$1:applications/\$1 指定的 AWS Serverless Application Repository 中搜索、查看、发布和更新应用程序。 |
| "ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
| 允许创建的 Lambda 函数访问联合身份验证连接器 ECR 映像。 |