本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# IAM 角色设置
设置说明中的 CloudFormation 堆栈可自动为您设置 IAM 角色。如果您想手动执行它,请按照以下说明进行操作:
## MCP 服务器的 IAM 角色设置
要访问 SMUS 托管 MCP 服务器,需要使用以下内联策略的 IAM 角色:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUseSagemakerUnifiedStudioMcpServer",
"Effect": "Allow",
"Action": [
"sagemaker-unified-studio-mcp:InvokeMcp",
"sagemaker-unified-studio-mcp:CallReadOnlyTool",
"sagemaker-unified-studio-mcp:CallPrivilegedTool"
],
"Resource": [
"*"
]
}
]
}
```
在接下来的步骤中,我们将为此角色创建个人资料。无论哪个账户担任此角色以获取证书,都应添加到代入角色策略中。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccountToAssumeRole",
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam:::root" },
"Action": "sts:AssumeRole"
}
]
}
```
## 按部署模式划分的其他权限 (EMR-/EMR-EC2 S)
### EMR-应用程序 EC2
将策略中的 Amazon S3 暂存存储桶替换为您想要存储已升级项目的 Amazon S3 存储桶
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticmapreduce:DescribeCluster",
"elasticmapreduce:DescribeStep",
"elasticmapreduce:ListSteps",
"elasticmapreduce:ListClusters",
"elasticmapreduce:DescribeJobFlows",
"elasticmapreduce:AddJobFlowSteps",
"elasticmapreduce:CreatePersistentAppUI",
"elasticmapreduce:DescribePersistentAppUI",
"elasticmapreduce:GetPersistentAppUIPresignedURL"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::",
"arn:aws:s3:::/*"
]
}
]
}
```
#### KMS 权限-暂存存储桶
如果暂存存储桶使用 CMK 加密,请添加以下策略。上传数据时,该服务将自动使用存储桶上配置的 CMK。
```
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "arn:aws:kms:::key/"
}
```
### EMR 无服务器应用程序
将策略中的 Amazon S3 暂存存储桶替换为您想要存储已升级项目的 Amazon S3 存储桶
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"emr-serverless:StartJobRun",
"emr-serverless:GetJobRun",
"emr-serverless:GetApplication",
"emr-serverless:ListApplications",
"emr-serverless:GetDashboardForJobRun"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringLike": {
"iam:PassedToService": "emr-serverless.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"logs:GetLogEvents",
"logs:DescribeLogStreams"
],
"Resource": "arn:aws:logs:*:*:log-group:*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucket*",
"s3:GetObject*",
"s3:List*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::",
"arn:aws:s3:::/*"
]
}
]
}
```
#### KMS 权限-暂存存储桶
如果暂存存储桶使用 CMK 加密,请添加以下策略。上传数据时,该服务将自动使用存储桶上配置的 CMK
```
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Encrypt"
],
"Resource": "arn:aws:kms:::key/"
}
```
#### KMS 权限- CloudWatch 日志
如果 CloudWatch 日志是使用 CMK 加密的,请添加以下策略,以便服务可以读取 EMR-Serverless 应用程序日志。
```
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "arn:aws:kms:::key/"
}
```