

This is a machine-translated version. If this translation differs from the English original, the English original prevails.

# IAM roles for Amazon DataZone
<a name="iam-roles-datazone"></a>

**Topics**
+ [AmazonDataZoneProvisioningRole-<domainAccountId>](bootstraprole.md)
+ [AmazonDataZoneDomainExecutionRole](AmazonDataZoneDomainExecutionRole.md)
+ [AmazonDataZoneGlueAccess-<region>-<domainId>](glue-manage-access-role.md)
+ [AmazonDataZoneRedshiftAccess-<region>-<domainId>](redshift-manage-access-role.md)
+ [AmazonDataZone<region>S3Manage--<domainId>](AmazonDataZoneS3Manage.md)
+ [AmazonDataZoneSageMakerManageAccessRole-<region>-<domainId>](AmazonDataZoneSageMakerManageAccessRole.md)
+ [AmazonDataZoneSageMakerProvisioningRolePolicyRole-<domainAccountId>](AmazonDataZoneSageMakerProvisioningRolePolicyRole.md)

# AmazonDataZoneProvisioningRole-<domainAccountId>
<a name="bootstraprole"></a>

`AmazonDataZoneProvisioningRole-<domainAccountId>` has the `AmazonDataZoneRedshiftGlueProvisioningPolicy` attached. This role grants Amazon DataZone the permissions it needs to interoperate with AWS Glue and Amazon Redshift.

By default, `AmazonDataZoneProvisioningRole-<domainAccountId>` has the following trust policy attached:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

------

# AmazonDataZoneDomainExecutionRole
<a name="AmazonDataZoneDomainExecutionRole"></a>

The **AmazonDataZoneDomainExecutionRole** has the **AmazonDataZoneDomainExecutionRolePolicy** AWS managed policy attached. Amazon DataZone creates this role on your behalf. For certain actions in the data portal, Amazon DataZone assumes this role in the account in which the role was created and checks whether the role is authorized to perform that action.

The **AmazonDataZoneDomainExecutionRole** role is required in the AWS account that hosts your Amazon DataZone domain. This role is created for you automatically when you create an Amazon DataZone domain.

By default, the **AmazonDataZoneDomainExecutionRole** role has the following trust policy.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "datazone.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account_id}}"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": [
                        "datazone*"
                    ]
                }
            }
        }
    ]
}
```

------

# AmazonDataZoneGlueAccess-<region>-<domainId>
<a name="glue-manage-access-role"></a>

The `AmazonDataZoneGlueAccess-<region>-<domainId>` role has the `AmazonDataZoneGlueManageAccessRolePolicy` attached. This role grants Amazon DataZone permissions to publish AWS Glue data to the catalog. It also grants Amazon DataZone permissions to grant or revoke access to AWS Glue assets that have been published in the catalog.

By default, the `AmazonDataZoneGlueAccess-<region>-<domainId>` role has the following trust policy attached:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
            "StringEquals": {
            "aws:SourceAccount": "111122223333"
            },
            "ArnEquals": {
            "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
            }
        }
    }
  ]
}
```

------
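The trust policies above all rely on `aws:SourceAccount`, and the Glue access role additionally on `aws:SourceArn`, to stop a DataZone domain in some other account from using the `datazone.amazonaws.com` service principal to assume the role (the confused-deputy problem). The following script is an added example and is not part of the AWS documentation: it audits a trust policy document for those two conditions and reports what is missing. The account IDs, the domain ARN and the "unscoped" policy variant are constructed sample values, and `audit_trust_policy` is a hypothetical helper name.

```python
"""Audit a DataZone service-role trust policy for confused-deputy protections.

Added example, not part of the AWS documentation. For every statement that
lets datazone.amazonaws.com call sts:AssumeRole it checks that the caller is
pinned with aws:SourceAccount and, optionally, that aws:SourceArn is pinned to
the domain ARN. The account IDs and domain ARN below are constructed values.
"""

DATAZONE_SERVICE = "datazone.amazonaws.com"


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_account, expected_domain_arn=None):
    """Return a list of findings (strings) for one trust policy document.

    An empty list means every DataZone assume-role statement is scoped to
    expected_account, and to expected_domain_arn when one is given.
    """
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if DATAZONE_SERVICE not in _as_list(principal.get("Service", [])):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        condition = stmt.get("Condition", {})
        source_account = condition.get("StringEquals", {}).get("aws:SourceAccount")
        if source_account is None:
            findings.append(f"statement {index}: missing aws:SourceAccount; a "
                            "DataZone domain in any account could assume this role")
        elif _as_list(source_account) != [expected_account]:
            findings.append(f"statement {index}: aws:SourceAccount is "
                            f"{source_account}, expected {expected_account}")
        if expected_domain_arn is not None:
            # ArnEquals is the operator the Glue access role on this page uses.
            source_arn = condition.get("ArnEquals", {}).get("aws:SourceArn")
            if source_arn != expected_domain_arn:
                findings.append(f"statement {index}: aws:SourceArn is {source_arn}, "
                                f"expected {expected_domain_arn}")
    return findings


DOMAIN_ACCOUNT = "111122223333"                       # constructed sample account
DOMAIN_ARN = f"arn:aws:datazone:us-east-1:{DOMAIN_ACCOUNT}:domain/dzd-12345"

# The Glue access-role trust policy from this page, placeholders filled in.
GLUE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": DATAZONE_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": DOMAIN_ACCOUNT},
            "ArnEquals": {"aws:SourceArn": DOMAIN_ARN},
        },
    }],
}

# The provisioning-role trust policy from this page: account pinned, no ARN.
PROVISIONING_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": DATAZONE_SERVICE},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"aws:SourceAccount": DOMAIN_ACCOUNT}},
    }],
}

# Constructed weakened variant: the Condition block has been dropped entirely.
UNSCOPED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": DATAZONE_SERVICE},
        "Action": "sts:AssumeRole",
    }],
}


if __name__ == "__main__":
    for name, policy in [("glue", GLUE_TRUST_POLICY),
                         ("provisioning", PROVISIONING_TRUST_POLICY),
                         ("unscoped", UNSCOPED_TRUST_POLICY)]:
        findings = audit_trust_policy(policy, DOMAIN_ACCOUNT, DOMAIN_ARN)
        print(name, "OK" if not findings else findings)
```

Run against the page's own policies, the Glue trust policy passes both checks, the provisioning trust policy passes the account check but is flagged when a domain ARN is required, and the unscoped variant is flagged on both counts. The same function can be pointed at the output of `aws iam get-role` to verify that the roles in a real account still carry the conditions shown on this page.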

# AmazonDataZoneRedshiftAccess-<region>-<domainId>
<a name="redshift-manage-access-role"></a>

The `AmazonDataZoneRedshiftAccess-<region>-<domainId>` role has the `AmazonDataZoneRedshiftManageAccessRolePolicy` attached. This role grants Amazon DataZone permissions to publish Amazon Redshift data to the catalog. It also grants Amazon DataZone permissions to grant or revoke access to Amazon Redshift or Amazon Redshift Serverless resources that have been published in the catalog.

By default, the `AmazonDataZoneRedshiftAccess-<region>-<domainId>` role has the following inline permissions policy attached:

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Sid": "RedshiftSecretStatement",
         "Effect":"Allow",
         "Action":"secretsmanager:GetSecretValue",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
            }
         }
      }
   ]
}
```

------

By default, `AmazonDataZoneRedshiftManageAccessRole<timestamp>` has the following trust policy attached:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
            "StringEquals": {
            "aws:SourceAccount": "111122223333"
            },
            "ArnEquals": {
            "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
            }
        }
    }
  ]
}
```

------

# AmazonDataZone<region>S3Manage--<domainId>
<a name="AmazonDataZoneS3Manage"></a>

`AmazonDataZoneS3Manage-<region>-<domainId>` is used when Amazon DataZone calls AWS Lake Formation to register an Amazon Simple Storage Service (Amazon S3) location. AWS Lake Formation assumes this role when it accesses data in that location. For more information, see [Requirements for roles used to register locations](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html).

This role has the following inline permissions policy attached.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3ListAllMyBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets" 
            ],
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationExplicitDenyPermissionsForS3",
            "Effect": "Deny",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::[[BucketNames]]/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        },
        {
            "Sid": "LakeFormationExplicitDenyPermissionsForS3ListBucket",
            "Effect": "Deny",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::[[BucketNames]]"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "{{accountId}}"
                }
            }
        }
    ]
}
```

------
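The inline policy above grants object and list access to every bucket in the account (scoped by `aws:ResourceAccount`) and then carves the `[[BucketNames]]` buckets back out with explicit Deny statements; IAM gives an explicit Deny precedence over any Allow. The following evaluator is an added example that is not part of the AWS documentation: it replays that evaluation logic over the S3Manage policy, and over the `RedshiftSecretStatement` policy shown earlier on this page, whose `secretsmanager:ResourceTag/AmazonDataZoneDomain` condition restricts the role to secrets tagged with the domain ID. The account ID, bucket names, secret ARN and domain ID are constructed sample values; only the `StringEquals` operator, the one these policies use, is implemented, and `evaluate`, `s3_decision` and `secret_decision` are hypothetical helper names.

```python
"""Replay IAM evaluation logic over the DataZone inline policies on this page.

Added example, not part of the AWS documentation. It implements the subset of
IAM evaluation these policies depend on: '*' and '?' wildcards in Action and
Resource, StringEquals conditions resolved from a request context, and an
explicit Deny that overrides every Allow. All identifiers are constructed.
"""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(patterns, value):
    """IAM wildcard match: '*' spans any characters, including '/' and ':'."""
    for pattern in _as_list(patterns):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, value):
            return True
    return False


def _condition_holds(condition, context):
    """Resolve each condition key against the request context."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":          # the only operator used here
            raise NotImplementedError(f"condition operator {operator}")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_wildcard_match(stmt["Action"], action)
                and _wildcard_match(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                       # explicit deny is final
        decision = "Allow"
    return decision


ACCOUNT = "111122223333"                 # constructed sample account
PROTECTED = "dz-protected-bucket"        # constructed stand-in for [[BucketNames]]
DOMAIN_ID = "dzd-12345"
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]
SAME_ACCOUNT = {"StringEquals": {"aws:ResourceAccount": ACCOUNT}}

# S3Manage inline policy from this page with placeholders filled in; the
# ListAllMyBuckets statement is left out because no case below exercises it.
S3_MANAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LakeFormationDataAccessPermissionsForS3", "Effect": "Allow",
     "Action": OBJECT_ACTIONS, "Resource": "*", "Condition": SAME_ACCOUNT},
    {"Sid": "LakeFormationDataAccessPermissionsForS3ListBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": "*", "Condition": SAME_ACCOUNT},
    {"Sid": "LakeFormationExplicitDenyPermissionsForS3", "Effect": "Deny",
     "Action": OBJECT_ACTIONS, "Resource": [f"arn:aws:s3:::{PROTECTED}/*"],
     "Condition": SAME_ACCOUNT},
    {"Sid": "LakeFormationExplicitDenyPermissionsForS3ListBucket", "Effect": "Deny",
     "Action": ["s3:ListBucket"], "Resource": [f"arn:aws:s3:::{PROTECTED}"],
     "Condition": SAME_ACCOUNT},
]}

# RedshiftSecretStatement inline policy from this page, placeholder filled in.
REDSHIFT_SECRET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RedshiftSecretStatement", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue", "Resource": "*",
     "Condition": {"StringEquals": {
         "secretsmanager:ResourceTag/AmazonDataZoneDomain": DOMAIN_ID}}},
]}


def s3_decision(action, bucket, key=None, resource_account=ACCOUNT):
    """Evaluate one S3 request against S3_MANAGE_POLICY."""
    arn = f"arn:aws:s3:::{bucket}" + (f"/{key}" if key else "")
    return evaluate(S3_MANAGE_POLICY, action, arn,
                    {"aws:ResourceAccount": resource_account})


def secret_decision(domain_tag):
    """Evaluate GetSecretValue on a secret carrying the given domain tag (or none)."""
    context = {} if domain_tag is None else {
        "secretsmanager:ResourceTag/AmazonDataZoneDomain": domain_tag}
    return evaluate(REDSHIFT_SECRET_POLICY, "secretsmanager:GetSecretValue",
                    f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:dz-redshift",
                    context)


if __name__ == "__main__":
    print(s3_decision("s3:GetObject", "data-lake", "raw/a.parquet"))   # Allow
    print(s3_decision("s3:GetObject", PROTECTED, "raw/a.parquet"))     # Deny
    print(s3_decision("s3:ListBucket", PROTECTED))                     # Deny
    print(s3_decision("s3:GetObject", "other", "x", "999988887777"))   # ImplicitDeny
    print(secret_decision(DOMAIN_ID), secret_decision("dzd-other"))    # Allow ImplicitDeny
```

The two outcomes worth noting for a reviewer of these roles: the Allow statements on `"Resource": "*"` mean the role reaches any bucket in the account that is not named in the Deny list, so the `[[BucketNames]]` list is the only thing keeping sensitive buckets out of Lake Formation's reach; and the Secrets Manager grant is only as tight as the `AmazonDataZoneDomain` tag, so a secret that is tagged with the domain ID becomes readable by the role regardless of what it contains.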

`AmazonDataZoneS3Manage-<region>-<domainId>` has the following trust policy attached:

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "TrustLakeFormationForDataLocationRegistration",
            "Effect": "Allow",
            "Principal": {
                "Service": "lakeformation.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "{{source_account_id}}"
                }
            }
        }
    ]
}
```

------

# AmazonDataZoneSageMakerManageAccessRole-<region>-<domainId>
<a name="AmazonDataZoneSageMakerManageAccessRole"></a>

The `AmazonDataZoneSageMakerManageAccessRole` role has `AmazonDataZoneSageMakerAccess`, `AmazonDataZoneRedshiftManageAccessRolePolicy`, and `AmazonDataZoneGlueManageAccessRolePolicy` attached. This role grants Amazon DataZone permissions to publish and manage subscriptions to data lake, data warehouse, and Amazon SageMaker assets.

The `AmazonDataZoneSageMakerManageAccessRole` role has the following inline policy attached:

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Sid": "RedshiftSecretStatement",
         "Effect":"Allow",
         "Action":"secretsmanager:GetSecretValue",
         "Resource":"*",
         "Condition":{
            "StringEquals":{
               "secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
            }
         }
      }
   ]
}
```

------

The `AmazonDataZoneSageMakerManageAccessRole` role has the following trust policy attached:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DatazoneTrustPolicyStatement",
      "Effect": "Allow",
      "Principal": {
        "Service":  ["datazone.amazonaws.com",
                   "sagemaker.amazonaws.com"]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
            "StringEquals": {
            "aws:SourceAccount": "111122223333"
            },
            "ArnEquals": {
            "aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
            }
        }
    }
]
}
```

------

# AmazonDataZoneSageMakerProvisioningRolePolicyRole-<domainAccountId>
<a name="AmazonDataZoneSageMakerProvisioningRolePolicyRole"></a>

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has `AmazonDataZoneSageMakerProvisioningRolePolicy` and `AmazonDataZoneRedshiftGlueProvisioningPolicy` attached. This role grants Amazon DataZone the permissions it needs to interoperate with AWS Glue, Amazon Redshift, and Amazon SageMaker.

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has the following inline policy attached:

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "SageMakerStudioTagOnCreate",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags"
            ],
            "Resource": "arn:aws:sagemaker:*:111122223333:*/*",
            "Condition": {
                "Null": {
                    "sagemaker:TaggingAction": "false"
                }
            }
        }
    ]
}
```

------

The `AmazonDataZoneSageMakerProvisioningRolePolicyRole` role has the following trust policy attached:

------
#### [ JSON ]


```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Sid": "DataZoneTrustPolicyStatement",
      "Effect": "Allow",
      "Principal": {
        "Service": "datazone.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "{{domain_account}}"
        }
      }
    }
  ]
}
```

------