本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 為 Managed Service for Apache Flink Studio 筆記本建立自訂 IAM 政策
您通常會使用受管 IAM 政策來允許應用程式存取相依資源。如果需要更好地控制應用程式的許可,可以使用自訂 IAM 政策。本節包含自訂 IAM 政策的範例。
**注意**
在下列政策範例中,使用應用程式的值取代預留位置文字。
**Topics**
+ [AWS Glue](#how-zeppelin-iam-glue)
+ [CloudWatch Logs](#how-zeppelin-iam-cw)
+ [Kinesis 串流](#how-zeppelin-iam-streams)
+ [Amazon MSK 叢集](#how-zeppelin-iam-msk)
## AWS Glue
下列範例政策會授予存取 AWS Glue 資料庫的許可。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "GlueTable",
"Effect": "Allow",
"Action": [
"glue:GetConnection",
"glue:GetTable",
"glue:GetTables",
"glue:GetDatabase",
"glue:CreateTable",
"glue:UpdateTable"
],
"Resource": [
"arn:aws:glue:{{us-east-1}}:{{123456789012}}:connection/*",
"arn:aws:glue:{{us-east-1}}:{{123456789012}}:table/{{}}/*",
"arn:aws:glue:{{us-east-1}}:{{123456789012}}:database/{{}}",
"arn:aws:glue:{{us-east-1}}:{{123456789012}}:database/hive",
"arn:aws:glue:{{us-east-1}}:{{123456789012}}:catalog"
]
},
{
"Sid": "GlueDatabase",
"Effect": "Allow",
"Action": "glue:GetDatabases",
"Resource": "*"
}
]
}
```
------
## CloudWatch Logs
下列範例授與存取 CloudWatch 的許可。
```
{
"Sid": "ListCloudwatchLogGroups",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:{{}}:{{}}:log-group:*"
]
},
{
"Sid": "ListCloudwatchLogStreams",
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams"
],
"Resource": [
"{{}}:log-stream:*"
]
},
{
"Sid": "PutCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"{{}}"
]
}
```
**注意**
如果使用主控台建立應用程式,則主控台會為應用程式角色新增必要的政策,以存取 CloudWatch Logs。
## Kinesis 串流
應用程式可以將 Kinesis 串流用於來源或目的地。應用程式需要讀取許可才能從來源串流讀取,需要寫入許可才能寫入目的地串流。
下列政策授與從用作來源的 Kinesis 串流讀取的許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KinesisShardDiscovery",
"Effect": "Allow",
"Action": "kinesis:ListShards",
"Resource": "*"
},
{
"Sid": "KinesisShardConsumption",
"Effect": "Allow",
"Action": [
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:DescribeStream",
"kinesis:DescribeStreamSummary",
"kinesis:RegisterStreamConsumer",
"kinesis:DeregisterStreamConsumer"
],
"Resource": "arn:aws:kinesis:{{us-east-1}}:{{123456789012}}:stream/{{}}"
},
{
"Sid": "KinesisEfoConsumer",
"Effect": "Allow",
"Action": [
"kinesis:DescribeStreamConsumer",
"kinesis:SubscribeToShard"
],
"Resource": "arn:aws:kinesis:{{us-east-1}}:{{123456789012}}:stream/{{}}/consumer/*"
}
]
}
```
------
下列政策授與向用作目的地的 Kinesis 串流寫入的許可:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "KinesisStreamSink",
"Effect": "Allow",
"Action": [
"kinesis:PutRecord",
"kinesis:PutRecords",
"kinesis:DescribeStreamSummary",
"kinesis:DescribeStream"
],
"Resource": "arn:aws:kinesis:{{us-east-1}}:{{123456789012}}:stream/{{}}"
}
]
}
```
------
如果應用程式存取加密的 Kinesis 串流,則必須授與額外的許可,以存取該串流及其加密金鑰。
下列政策授與存取加密來源的串流和及其加密金鑰的許可:
```
{
"Sid": "ReadEncryptedKinesisStreamSource",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": [
"{{}}"
]
}
,
```
下列政策授與存取加密目的地的串流和及其加密金鑰的許可:
```
{
"Sid": "WriteEncryptedKinesisStreamSink",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": [
"{{}}"
]
}
```
## Amazon MSK 叢集
若要授與 Amazon MSK 叢集的存取權,可以授與叢集 VPC 的存取權。如需存取 Amazon VPC 的政策範例,請參閱 [VPC 應用程式許可](https://docs.aws.amazon.com/managed-flink/latest/java/vpc-permissions.html)。