本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 在 Step Functions 中为非管理员用户创建精细权限
<a name="concept-create-iam-advanced"></a>

IAM 中的默认托管策略（例如`ReadOnly`）并不能完全涵盖所有类型的 AWS Step Functions 权限。本节将介绍这些不同类型的权限并提供一些示例配置。

Step Functions 具有四种类别的权限。根据您要为用户提供的访问权限，您可以使用这些类别的权限控制访问权限。

[服务级别权限](#concept-create-iam-advanced-service)  
适用于**不**对特定资源执行的 API 组件。

[状态机级权限](#concept-create-iam-advanced-state)  
适用于对特定状态机执行的所有 API 组件。

[执行级权限](#concept-create-iam-advanced-execution)  
适用于对特定执行采用的所有 API 组件。

[活动级权限](#concept-create-iam-advanced-activity)  
适用于对特定活动或活动的特殊实例执行的所有 API 组件。

## 服务级别权限
<a name="concept-create-iam-advanced-service"></a>

此权限级别适用于**不**对特定资源执行的所有 API 操作。包括 `[CreateStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateStateMachine.html)`、`[CreateActivity](https://docs.aws.amazon.com/step-functions/latest/apireference/API_CreateActivity.html)`、`[ListStateMachines](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListStateMachines.html)`、`[ListActivities](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListActivities.html)` 和 `[ValidateStateMachineDefinition](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ValidateStateMachineDefinition.html)`。

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "states:ListStateMachines",
                "states:ListActivities",
                "states:CreateStateMachine",
                "states:CreateActivity",
                "states:ValidateStateMachineDefinition"
            ],
            "Resource": [
                "arn:aws:states:*:*:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:aws:iam::123456789012:role/my-execution-role"
            ]
        }
    ]
}
```

## 状态机级权限
<a name="concept-create-iam-advanced-state"></a>

此权限级别适用于对特定状态机执行的所有 API 操作。这些 API 操作要求状态机的 Amazon 资源名称 (ARN) 作为请求的一部分，例如 `[DeleteStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DeleteStateMachine.html)`、`[DescribeStateMachine](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeStateMachine.html)`、`[StartExecution](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StartExecution.html)` 和 `[ListExecutions](https://docs.aws.amazon.com/step-functions/latest/apireference/API_ListExecutions.html)`。

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:DeleteStateMachine",
        "states:ListExecutions",
        "states:UpdateStateMachine",
        "states:TestState",
        "states:RevealSecrets"
      ],
      "Resource": [ 
        "arn:aws:states:*:*:stateMachine:StateMachinePrefix*" 
      ]
    }
  ]
}
```

## 执行级权限
<a name="concept-create-iam-advanced-execution"></a>

此权限级别适用于对特定执行采用的所有 API 操作。这些 API 操作要求执行的 ARN 作为请求的一部分，例如 `[DescribeExecution](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeExecution.html)`、`[GetExecutionHistory](https://docs.aws.amazon.com/step-functions/latest/apireference/API_GetExecutionHistory.html)` 和 `[StopExecution](https://docs.aws.amazon.com/step-functions/latest/apireference/API_StopExecution.html)`。

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeExecution",
        "states:DescribeStateMachineForExecution",
        "states:GetExecutionHistory",
        "states:StopExecution"
      ],
      "Resource": [ 
        "arn:aws:states:*:*:execution:*:ExecutionPrefix*"
      ]
    }
  ]
}
```

## 活动级权限
<a name="concept-create-iam-advanced-activity"></a>

此权限级别适用于将对特定活动或活动的特殊实例执行的所有 API 操作。这些 API 操作要求活动的 ARN 或实例的令牌作为请求的一部分，例如 `[DeleteActivity](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DeleteActivity.html)`、`[DescribeActivity](https://docs.aws.amazon.com/step-functions/latest/apireference/API_DescribeActivity.html)`、`[GetActivityTask](https://docs.aws.amazon.com/step-functions/latest/apireference/API_GetActivityTask.html)` 和 `[SendTaskHeartbeat](https://docs.aws.amazon.com/step-functions/latest/apireference/API_SendTaskHeartbeat.html)`。

****  

```
{
  "Version":"2012-10-17",		 	 	 
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeActivity",
        "states:DeleteActivity",
        "states:GetActivityTask",
        "states:SendTaskHeartbeat"
      ],
      "Resource": [
        "arn:aws:states:*:*:activity:ActivityPrefix*"
      ]
    }
  ]
}
```