本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 允許存取 Athena UDF:範例政策
本主題中的許可政策範例示範需要允許的動作,以及允許這些動作的資源。將類似的許可政策連接至 IAM 身分之前,請仔細檢查這些政策,並根據您的需求進行修改。
+ [Example Policy to Allow an IAM Principal to Run and Return Queries that Contain an Athena UDF Statement](#udf-using-iam)
+ [Example Policy to Allow an IAM Principal to Create an Athena UDF](#udf-creating-iam)
**Example - 允許 IAM 主體執行並傳回包含 Athena UDF 陳述式的查詢**
在下列以身分識別為基礎的許可政策中,允許使用者或其他 IAM 委託人需要的動作,有這些動作才能執行使用 Athena UDF 陳述式的查詢。
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"lambda:InvokeFunction",
"athena:GetQueryResults",
"s3:ListMultipartUploadParts",
"athena:GetWorkGroup",
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:athena:*:MyAWSAcctId:workgroup/MyAthenaWorkGroup",
"arn:aws:s3:::MyQueryResultsBucket/*",
"arn:aws:lambda:*:MyAWSAcctId:function:OneAthenaLambdaFunction",
"arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "athena:ListWorkGroups",
"Resource": "*"
}
]
}
```
**許可說明**
| 允許的動作 | 說明 |
| --- | --- |
| "athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
| 在 `MyAthenaWorkGroup` 工作群組中執行查詢所需的 Athena 許可。 |
| "s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload"
| `s3:PutObject` 和 `s3:AbortMultipartUpload` 允許將查詢結果寫入 `arn:aws:s3:::MyQueryResultsBucket/*` 資源識別碼指定的查詢結果儲存貯體的所有子資料夾,其中 *MyQueryResultsBucket* 是 Athena 查詢結果儲存貯體。如需詳細資訊,請參閱[使用查詢結果和近期查詢](querying.md)。 `s3:GetObject` 針對指定為 `arn:aws:s3:::MyQueryResultsBucket` 的資源,允許讀取查詢結果和查詢歷史記錄,其中 *MyQueryResultsBucket* 是 Athena 查詢結果儲存貯體。如需詳細資訊,請參閱[使用查詢結果和近期查詢](querying.md)。 `s3:GetObject` 還允許從指定為 `"arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*"` 的資源讀取,其中 *MyLambdaSpillPrefix* 是在一或多個叫用的 Lambda 函數的組態中指定。 |
| "lambda:InvokeFunction"
| 允許查詢叫用 Resource區塊中指定的 AWS Lambda 函數。例如,arn:aws:lambda:\$1:MyAWSAcctId:function:MyAthenaLambdaFunction,其中 MyAthenaLambdaFunction 會指定要叫用的 Lambda 函數的名稱。如範例所示,可以指定多個函數。 |
**Example - 允許 IAM 主體建立 Athena UDF**
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"iam:CreateRole",
"lambda:GetFunctionConfiguration",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"lambda:PutFunctionConcurrency",
"iam:PassRole",
"iam:DetachRolePolicy",
"lambda:ListTags",
"iam:ListAttachedRolePolicies",
"iam:DeleteRolePolicy",
"lambda:DeleteFunction",
"lambda:GetAlias",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetPolicy",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"iam:DeleteRole",
"lambda:UpdateFunctionCode",
"s3:GetObject",
"lambda:AddPermission",
"iam:UpdateRole",
"lambda:DeleteFunctionConcurrency",
"lambda:RemovePermission",
"iam:GetRolePolicy",
"lambda:GetPolicy"
],
"Resource": [
"arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunctionsPrefix*",
"arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/*",
"arn:aws:iam::*:role/RoleName",
"arn:aws:iam::111122223333:policy/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:DescribeStackDriftDetectionStatus",
"cloudformation:ListExports",
"cloudformation:ListStacks",
"cloudformation:ListImports",
"lambda:ListFunctions",
"iam:ListRoles",
"lambda:GetAccountSettings",
"ec2:DescribeSecurityGroups",
"cloudformation:EstimateTemplateCost",
"ec2:DescribeVpcs",
"lambda:ListEventSourceMappings",
"cloudformation:DescribeAccountLimits",
"ec2:DescribeSubnets",
"cloudformation:CreateStackSet",
"cloudformation:ValidateTemplate"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": [
"arn:aws:cloudformation:*:111122223333:stack/aws-serverless-repository-MyCFStackPrefix*/*",
"arn:aws:cloudformation:*:111122223333:stack/serverlessrepo-MyCFStackPrefix*/*",
"arn:aws:cloudformation:*:*:transform/Serverless-*",
"arn:aws:cloudformation:*:111122223333:stackset/aws-serverless-repository-MyCFStackPrefix*:*",
"arn:aws:cloudformation:*:111122223333:stackset/serverlessrepo-MyCFStackPrefix*:*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "serverlessrepo:*",
"Resource": "arn:aws:serverlessrepo:*:*:applications/*"
},
{
"Sid": "ECR",
"Effect": "Allow",
"Action": [
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer"
],
"Resource": "arn:aws:ecr:*:*:repository/*"
}
]
}
```
**許可說明**
| 允許的動作 | 說明 |
| --- | --- |
| "lambda:CreateFunction",
"lambda:ListVersionsByFunction",
"lambda:GetFunctionConfiguration",
"lambda:PutFunctionConcurrency",
"lambda:ListTags",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:InvokeFunction",
"lambda:GetFunction",
"lambda:ListAliases",
"lambda:UpdateFunctionConfiguration",
"lambda:UpdateFunctionCode",
"lambda:AddPermission",
"lambda:DeleteFunctionConcurrency",
"lambda:RemovePermission",
"lambda:GetPolicy"
"lambda:GetAccountSettings",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
| 允許建立和管理列為資源的 Lambda 函數。在該範例中,資源識別碼 `arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunctionsPrefix*` 中使用名稱字首,其中 *MyAthenaLambdaFunctionsPrefix* 是 Lambda 函數群組的名稱中使用的共同字首,因此不需要個別指定為資源。您可以指定一或多個 Lambda 函數資源。 |
| "s3:GetObject"
| 允許讀取資源識別符 所指定 AWS Serverless Application Repository 需要 的儲存貯體arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m/\$1。 |
| "cloudformation:*"
| 允許建立和管理資源 *MyCFStackPrefix* 指定的 CloudFormation 堆疊。這些堆疊和堆疊集是部署連接器和 UDFs AWS Serverless Application Repository 的方式。 |
| "serverlessrepo:*"
| 允許搜尋、檢視、發佈和更新 中由資源識別符 AWS Serverless Application Repository指定的應用程式arn:aws:serverlessrepo:\$1:\$1:applications/\$1。 |