

This is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.

# Allowing access to Athena Federated Query: Example policies
<a name="federated-query-iam-access"></a>

The permissions policy examples in this topic show the actions that must be allowed and the resources on which they are allowed. Examine these policies carefully and modify them to suit your requirements before you attach them to IAM identities.

For information about attaching policies to IAM identities, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/).
+  [Example policy to allow an IAM principal to run and return results using Athena Federated Query](#fed-using-iam) 
+  [Example policy to allow an IAM principal to create a data source connector](#fed-creating-iam) 

**Example - Allow an IAM principal to run and return results using Athena Federated Query**  
The following identity-based permissions policy allows the actions that a user or other IAM principal requires in order to use Athena Federated Query. Principals who are allowed to perform these actions can specify the Athena catalog that is associated with a federated data source in the queries they run.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Athena",
            "Effect": "Allow",
            "Action": [
                "athena:GetDataCatalog",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetWorkGroup",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": [
                "arn:aws:athena:*:111122223333:workgroup/WorkgroupName",
                "arn:aws:athena:us-east-1:111122223333:datacatalog/DataCatalogName"
            ]
        },
        {
            "Sid": "ListAthenaWorkGroups",
            "Effect": "Allow",
            "Action": "athena:ListWorkGroups",
            "Resource": "*"
        },
        {
            "Sid": "Lambda",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:OneAthenaLambdaFunction",
                "arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction"
            ]
        },
        {
            "Sid": "S3",
            "Effect": "Allow",
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListMultipartUploadParts",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::MyLambdaSpillBucket",
                "arn:aws:s3:::MyLambdaSpillBucket/*",
                "arn:aws:s3:::MyQueryResultsBucket",
                "arn:aws:s3:::MyQueryResultsBucket/*"
            ]
        }
    ]
}
```


**Explanation of permissions**  

| Allowed actions | Explanation | 
| --- | --- | 
|  <pre> "athena:GetQueryExecution", <br /> "athena:GetQueryResults",<br /> "athena:GetWorkGroup",<br /> "athena:StartQueryExecution",<br /> "athena:StopQueryExecution"</pre>  |  Athena permissions required to run federated queries.  | 
|  <pre> "athena:GetDataCatalog",<br /> "athena:GetQueryExecution",<br /> "athena:GetQueryResults",<br /> "athena:GetWorkGroup",<br /> "athena:StartQueryExecution",<br /> "athena:StopQueryExecution"</pre>  |  Athena permissions required to run federated view queries. Views require the `GetDataCatalog` action.  | 
|  <pre>"lambda:InvokeFunction"</pre>  | Allows the query to invoke the AWS Lambda functions specified in the Resource block. For example, `arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction`, where MyAthenaLambdaFunction is the name of the Lambda function to be invoked. Multiple functions can be specified, as shown in the example. | 
|  <pre>"s3:AbortMultipartUpload",<br />"s3:GetBucketLocation",<br />"s3:GetObject",<br />"s3:ListBucket",<br />"s3:ListMultipartUploadParts",<br />"s3:PutObject"</pre>  |  The `s3:ListBucket` and `s3:GetBucketLocation` permissions are required to access the query output bucket of the IAM principal that runs `StartQueryExecution`. `s3:PutObject`, `s3:ListMultipartUploadParts`, and `s3:AbortMultipartUpload` allow writing query results to all subfolders of the query results bucket specified by the `arn:aws:s3:::MyQueryResultsBucket/*` resource identifier, where *MyQueryResultsBucket* is the Athena query results bucket. For more information, see [Working with query results and recent queries](querying.md). `s3:GetObject` allows reading the query results and query history for the resource specified as `arn:aws:s3:::MyQueryResultsBucket`, where *MyQueryResultsBucket* is the Athena query results bucket. `s3:GetObject` also allows reading from the resource specified as `"arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*"`, where *MyLambdaSpillPrefix* is specified in the configuration of the Lambda function or functions being invoked.  | 
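As an added example that is not part of the Athena documentation, the script below checks offline what the policy above does and does not permit before it is attached: it embeds the page's policy (same account ID and placeholder names) and runs a deliberately simplified IAM evaluator over a set of request/expectation pairs, including a case that shows the data catalog ARN is pinned to `us-east-1` while the workgroup ARN is not. The evaluator handles Allow statements only (no Deny, Condition, NotAction/NotResource or policy variables).

```python
import fnmatch
import json

# The first policy on this page, placeholders kept verbatim, embedded so the check runs offline.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "Athena", "Effect": "Allow",
  "Action": ["athena:GetDataCatalog", "athena:GetQueryExecution", "athena:GetQueryResults",
             "athena:GetWorkGroup", "athena:StartQueryExecution", "athena:StopQueryExecution"],
  "Resource": ["arn:aws:athena:*:111122223333:workgroup/WorkgroupName",
               "arn:aws:athena:us-east-1:111122223333:datacatalog/DataCatalogName"]},
 {"Sid": "ListAthenaWorkGroups", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*"},
 {"Sid": "Lambda", "Effect": "Allow", "Action": "lambda:InvokeFunction",
  "Resource": ["arn:aws:lambda:*:111122223333:function:OneAthenaLambdaFunction",
               "arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction"]},
 {"Sid": "S3", "Effect": "Allow",
  "Action": ["s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject",
             "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:PutObject"],
  "Resource": ["arn:aws:s3:::MyLambdaSpillBucket", "arn:aws:s3:::MyLambdaSpillBucket/*",
               "arn:aws:s3:::MyQueryResultsBucket", "arn:aws:s3:::MyQueryResultsBucket/*"]}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (Allow only; no Deny, Condition, NotAction/NotResource or
    policy variables): actions match case-insensitively, ARNs case-sensitively, * ? wildcards."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False

# Constructed request/expectation pairs a reviewer confirms before attaching the policy.
CASES = {
    ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:111122223333:function:OneAthenaLambdaFunction"): True,
    ("lambda:InvokeFunction", "arn:aws:lambda:us-east-1:111122223333:function:Unrelated"): False,
    ("athena:StartQueryExecution", "arn:aws:athena:eu-west-1:111122223333:workgroup/WorkgroupName"): True,
    ("athena:StartQueryExecution", "arn:aws:athena:us-east-1:111122223333:workgroup/primary"): False,
    ("athena:GetDataCatalog", "arn:aws:athena:us-west-2:111122223333:datacatalog/DataCatalogName"): False,
    ("s3:PutObject", "arn:aws:s3:::MyQueryResultsBucket/2024/out.csv"): True,
    ("s3:DeleteObject", "arn:aws:s3:::MyQueryResultsBucket/2024/out.csv"): False,
}

def scoping_report(policy):
    # Maps each (action, resource) to whether the evaluator agrees with the expectation.
    return {k: is_allowed(policy, *k) == v for k, v in CASES.items()}

if __name__ == "__main__":
    print(scoping_report(POLICY))
```

Every entry in the report is `True` for the policy as printed; a `False` entry pinpoints the request whose outcome changed after you edited the placeholders.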

**Example - Allow an IAM principal to create a data source connector**  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "lambda:ListVersionsByFunction",
                "iam:CreateRole",
                "lambda:GetFunctionConfiguration",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "lambda:PutFunctionConcurrency",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "lambda:ListTags",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "lambda:DeleteFunction",
                "lambda:GetAlias",
                "iam:ListRolePolicies",
                "iam:GetRole",
                "iam:GetPolicy",
                "lambda:InvokeFunction",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:UpdateFunctionConfiguration",
                "iam:DeleteRole",
                "lambda:UpdateFunctionCode",
                "s3:GetObject",
                "lambda:AddPermission",
                "iam:UpdateRole",
                "lambda:DeleteFunctionConcurrency",
                "lambda:RemovePermission",
                "iam:GetRolePolicy",
                "lambda:GetPolicy"
            ],
            "Resource": [
                "arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunctionsPrefix*",
                "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*",
                "arn:aws:iam::*:role/RoleName",
                "arn:aws:iam::111122223333:policy/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateUploadBucket",
                "cloudformation:DescribeStackDriftDetectionStatus",
                "cloudformation:ListExports",
                "cloudformation:ListStacks",
                "cloudformation:ListImports",
                "lambda:ListFunctions",
                "iam:ListRoles",
                "lambda:GetAccountSettings",
                "ec2:DescribeSecurityGroups",
                "cloudformation:EstimateTemplateCost",
                "ec2:DescribeVpcs",
                "lambda:ListEventSourceMappings",
                "cloudformation:DescribeAccountLimits",
                "ec2:DescribeSubnets",
                "cloudformation:CreateStackSet",
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": [
                "arn:aws:cloudformation:*:111122223333:stack/aws-serverless-repository-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:111122223333:stack/serverlessrepo-MyCFStackPrefix*/*",
                "arn:aws:cloudformation:*:*:transform/Serverless-*",
                "arn:aws:cloudformation:*:111122223333:stackset/aws-serverless-repository-MyCFStackPrefix*:*",
                "arn:aws:cloudformation:*:111122223333:stackset/serverlessrepo-MyCFStackPrefix*:*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "serverlessrepo:*",
            "Resource": "arn:aws:serverlessrepo:*:*:applications/*"
        },
        {
            "Sid": "ECR",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "arn:aws:ecr:*:*:repository/*"
        }
    ]
}
```


**Explanation of permissions**  

| Allowed actions | Explanation | 
| --- | --- | 
|  <pre>"lambda:CreateFunction",<br />"lambda:ListVersionsByFunction",<br />"lambda:GetFunctionConfiguration",<br />"lambda:PutFunctionConcurrency",<br />"lambda:ListTags",<br />"lambda:DeleteFunction",<br />"lambda:GetAlias",<br />"lambda:InvokeFunction",<br />"lambda:GetFunction",<br />"lambda:ListAliases",<br />"lambda:UpdateFunctionConfiguration",<br />"lambda:UpdateFunctionCode",<br />"lambda:AddPermission",<br />"lambda:DeleteFunctionConcurrency",<br />"lambda:RemovePermission",<br />"lambda:GetPolicy",<br />"lambda:GetAccountSettings",<br />"lambda:ListFunctions",<br />"lambda:ListEventSourceMappings"</pre>  |  Allows creating and managing the Lambda functions listed as resources. In the example, a name prefix is used in the resource identifier `arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*`, where `MyAthenaLambdaFunctionsPrefix` is a common prefix used in the names of a group of Lambda functions, so that they do not need to be specified individually as resources. You can specify one or more Lambda function resources.  | 
|  <pre>"s3:GetObject"</pre>  | Allows reading the bucket that AWS Serverless Application Repository requires, specified by the resource identifier `arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*`. This bucket may be specific to your account. | 
|  <pre>"cloudformation:*"</pre>  |  Allows creating and managing the CloudFormation stacks specified by the resource `MyCFStackPrefix`. These stacks and stack sets are how AWS Serverless Application Repository deploys connectors and UDFs.  | 
|  <pre>"serverlessrepo:*"</pre>  | Allows searching, viewing, publishing, and updating the applications in AWS Serverless Application Repository specified by the resource identifier `arn:aws:serverlessrepo:*:*:applications/*`. | 
|  <pre>"ecr:BatchGetImage",<br />"ecr:GetDownloadUrlForLayer"</pre>  |  Allows the created Lambda functions to access the federated connector ECR images.  | 