本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# Amazon DataZone 的 IAM 角色
**Topics**
+ [AmazonDataZoneProvisioningRole-](bootstraprole.md)
+ [AmazonDataZoneDomainExecutionRole](AmazonDataZoneDomainExecutionRole.md)
+ [AmazonDataZoneGlueAccess--](glue-manage-access-role.md)
+ [AmazonDataZoneRedshiftAccess--](redshift-manage-access-role.md)
+ [AmazonDataZoneS3Manage--](AmazonDataZoneS3Manage.md)
+ [AmazonDataZoneSageMakerManageAccessRole--](AmazonDataZoneSageMakerManageAccessRole.md)
+ [AmazonDataZoneSageMakerProvisioningRolePolicyRole-](AmazonDataZoneSageMakerProvisioningRolePolicyRole.md)
# AmazonDataZoneProvisioningRole-
`AmazonDataZoneProvisioningRole-` 已`AmazonDataZoneRedshiftGlueProvisioningPolicy`連接 。此角色授予 Amazon DataZone 與 Glue AWS 和 Amazon Redshift 交互操作所需的許可。
預設值`AmazonDataZoneProvisioningRole-`已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{domain_account}}"
}
}
}
]
}
```
------
# AmazonDataZoneDomainExecutionRole
**AmazonDataZoneDomainExecutionRole** 已連接 AWS 受管政策 **AmazonDataZoneDomainExecutionRolePolicy**。Amazon DataZone 會代表您建立此角色。對於資料入口網站中的特定動作,Amazon DataZone 會在建立角色的帳戶中擔任此角色,並檢查此角色是否有權執行動作。
託管 Amazon DataZone 網域的 中需要 **AmazonDataZoneDomainExecutionRole** 角色。 AWS 帳戶 DataZone 當您建立 Amazon DataZone 網域時,系統會自動為您建立此角色。
預設 **AmazonDataZoneDomainExecutionRole** 角色具有下列信任政策。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{source_account_id}}"
},
"ForAllValues:StringLike": {
"aws:TagKeys": [
"datazone*"
]
}
}
}
]
}
```
------
# AmazonDataZoneGlueAccess--
`AmazonDataZoneGlueAccess--` 角色已`AmazonDataZoneGlueManageAccessRolePolicy`連接 。此角色授予 Amazon DataZone 將 AWS Glue 資料發佈至目錄的許可。它還授予 Amazon DataZone 許可,以授予對目錄中 Glue AWS 發佈資產的存取權或撤銷存取權。
預設`AmazonDataZoneGlueAccess--`角色已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
}
}
}
]
}
```
------
# AmazonDataZoneRedshiftAccess--
`AmazonDataZoneRedshiftAccess--` 角色已`AmazonDataZoneRedshiftManageAccessRolePolicy`連接 。此角色授予 Amazon DataZone 將 Amazon Redshift 資料發佈至目錄的許可。它還授予 Amazon DataZone 許可,以授予對 目錄中 Amazon Redshift 或 Amazon Redshift Serverless 發佈資產的存取權或撤銷存取權。
預設`AmazonDataZoneRedshiftAccess--`角色已連接下列內嵌許可政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid": "RedshiftSecretStatement",
"Effect":"Allow",
"Action":"secretsmanager:GetSecretValue",
"Resource":"*",
"Condition":{
"StringEquals":{
"secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
}
}
}
]
}
```
------
預設值`AmazonDataZoneRedshiftManageAccessRole`已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
}
}
}
]
}
```
------
# AmazonDataZoneS3Manage--
當 Amazon DataZone 呼叫 Lake Formation 註冊 Amazon Simple Storage Service (Amazon S3) 位置時,會使用 AmazonDataZoneS3Manage--。 AWS Lake Formation 會在存取該位置中的資料時擔任此角色。 DataZone AWS Amazon S3 如需詳細資訊,請參閱[用於註冊位置的角色需求](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html)。
此角色已連接下列內嵌許可政策。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "LakeFormationDataAccessPermissionsForS3",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{{accountId}}"
}
}
},
{
"Sid": "LakeFormationDataAccessPermissionsForS3ListBucket",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{{accountId}}"
}
}
},
{
"Sid": "LakeFormationDataAccessPermissionsForS3ListAllMyBuckets",
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{{accountId}}"
}
}
},
{
"Sid": "LakeFormationExplicitDenyPermissionsForS3",
"Effect": "Deny",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::[[BucketNames]]/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{{accountId}}"
}
}
},
{
"Sid": "LakeFormationExplicitDenyPermissionsForS3ListBucket",
"Effect": "Deny",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::[[BucketNames]]"
],
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "{{accountId}}"
}
}
}
]
}
```
------
AmazonDataZoneS3Manage-- 已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "TrustLakeFormationForDataLocationRegistration",
"Effect": "Allow",
"Principal": {
"Service": "lakeformation.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{source_account_id}}"
}
}
}
]
}
```
------
# AmazonDataZoneSageMakerManageAccessRole--
`AmazonDataZoneSageMakerManageAccessRole` 角色具有 `AmazonDataZoneSageMakerAccess`、 `AmazonDataZoneRedshiftManageAccessRolePolicy`和 `AmazonDataZoneGlueManageAccessRolePolicy` 連接的 。此角色授予 Amazon DataZone 發佈和管理資料湖、資料倉儲和 Amazon Sagemaker 資產訂閱的許可。
`AmazonDataZoneSageMakerManageAccessRole` 角色已連接下列內嵌政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement":[
{
"Sid": "RedshiftSecretStatement",
"Effect":"Allow",
"Action":"secretsmanager:GetSecretValue",
"Resource":"*",
"Condition":{
"StringEquals":{
"secretsmanager:ResourceTag/AmazonDataZoneDomain":"{{domainId}}"
}
}
}
]
}
```
------
`AmazonDataZoneSageMakerManageAccessRole` 角色已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DatazoneTrustPolicyStatement",
"Effect": "Allow",
"Principal": {
"Service": ["datazone.amazonaws.com",
"sagemaker.amazonaws.com"]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "111122223333"
},
"ArnEquals": {
"aws:SourceArn": "arn:aws:datazone:us-east-1:111122223333:domain/dzd-12345"
}
}
}
]
}
```
------
# AmazonDataZoneSageMakerProvisioningRolePolicyRole-
`AmazonDataZoneSageMakerProvisioningRolePolicyRole` 角色已`AmazonDataZoneRedshiftGlueProvisioningPolicy`連接 `AmazonDataZoneSageMakerProvisioningRolePolicy`和 。此角色會授予與 Glue、Amazon Redshift 和 Amazon Sagemaker AWS 交互操作所需的 Amazon DataZone 許可。
`AmazonDataZoneSageMakerProvisioningRolePolicyRole` 角色已連接下列內嵌政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "SageMakerStudioTagOnCreate",
"Effect": "Allow",
"Action": [
"sagemaker:AddTags"
],
"Resource": "arn:aws:sagemaker:*:111122223333:*/*",
"Condition": {
"Null": {
"sagemaker:TaggingAction": "false"
}
}
}
]
}
```
------
`AmazonDataZoneSageMakerProvisioningRolePolicyRole` 角色已連接下列信任政策:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DataZoneTrustPolicyStatement",
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{{domain_account}}"
}
}
}
]
}
```
------