amazon-redshift - Template for creating an IAM role for Redshift Spectrum S3 access

Tags: amazon-redshift aws-cloudformation

To access S3 data through Spectrum, I need to create an IAM role as described here...

https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html

The newly created IAM role then needs to be attached to the Redshift instance.

https://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html#copy-unload-iam-role-associating-with-clusters

I have completed all the steps successfully. But I would like to know whether a CloudFormation template can be written to do the required work quickly. Here is the relevant code I extracted. I'm not sure how to use the correct syntax.

Step 1

{
    "Tags": [],
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": "redshift.amazonaws.com"
                }
            }
        ]
    },
    "RoleId": "AROAJWJGDMYIHSSTPZ6I6CM",
    "CreateDate": "2017-05-15T05:34:46Z",
    "InstanceProfileList": [],
    "RoleName": "RedshiftCopyUnload",
    "Path": "/",
    "AttachedManagedPolicies": [
        {
            "PolicyName": "AmazonAthenaFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
        },
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        },
        {
            "PolicyName": "AWSGlueConsoleFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
        }
    ],
    "RolePolicyList": [],
    "Arn": "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
}

Step 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                 "redshift:ModifyClusterIamRoles",
                 "redshift:CreateCluster"
            ],
            "Resource": [
                 "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
                 "arn:aws:redshift:us-east-1:123456789012:cluster:my-second-redshift-cluster"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/MyRedshiftRole",
                "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                "arn:aws:iam::123456789012:role/ThirdRedshiftRole"
             ]
        }
    ]
}

Update: will the following CloudFormation template correctly create the role described in Step 1?

{
  "Resources": {
    "NewRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "redshift.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "RoleName": "RedshiftCopyUnload",
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
          "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
        ]
      }
    }
  }
}

Best answer

Yes. An AWS CloudFormation template can be used to define an IAM role.

Here is the example from AWS::IAM::Role - AWS CloudFormation:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'
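
The question's Step 1 role attaches three `*FullAccess`/`ReadOnlyAccess` managed policies, and the answer's doc example grants `Action: '*'` on `Resource: '*'`; neither is what a Spectrum role needs. The following is an added example, not code from the original post or from AWS: it builds a JSON CloudFormation template for the same role with an inline policy scoped to one bucket and read-only Glue catalog actions, a trust policy that only the named cluster in this account can use, and a small lint that flags the wildcard and broad-managed-policy patterns shown above. The account ID, region, cluster identifier, bucket name, the Glue action subset and the `aws:SourceAccount`/`aws:SourceArn` condition keys are assumptions for the example; check them against the current Redshift Spectrum IAM documentation before deploying.

```python
"""Least-privilege CloudFormation template for a Redshift Spectrum role, plus a lint
pass over AWS::IAM::Role resources for the over-broad grants seen in the post above.
Added example, not code from the original post or from AWS. Account ID, region,
cluster identifier and bucket name are placeholders (assumptions)."""
import json

ACCOUNT_ID = "123456789012"            # assumed
REGION = "us-east-1"                   # assumed
CLUSTER_ID = "my-redshift-cluster"     # assumed identifier of the existing cluster
DATA_BUCKET = "example-spectrum-data"  # assumed bucket holding the external tables

# Read-only Glue Data Catalog actions an external schema needs at query time
# (assumed subset of what AWS lists for Spectrum; add Create*/Update* actions only
# if the cluster itself creates external tables).
GLUE_READ_ACTIONS = [
    "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables",
    "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition",
]
# Managed policies from Step 1 that reach far beyond one bucket and one catalog.
BROAD_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
    "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",  # every bucket in the account
}


def spectrum_role_template():
    """Build the template as a dict; json.dumps() of it is a valid JSON template."""
    cluster_arn = f"arn:aws:redshift:{REGION}:{ACCOUNT_ID}:cluster:{CLUSTER_ID}"
    glue = f"arn:aws:glue:{REGION}:{ACCOUNT_ID}"
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "redshift.amazonaws.com"},
        "Action": "sts:AssumeRole",
        # Confused-deputy guard: only this account's named cluster may assume the role.
        "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
                      "ArnEquals": {"aws:SourceArn": cluster_arn}},
    }]}
    policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{DATA_BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{DATA_BUCKET}/*"},
        {"Effect": "Allow", "Action": GLUE_READ_ACTIONS,
         "Resource": [f"{glue}:catalog", f"{glue}:database/*", f"{glue}:table/*/*"]},
    ]}
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {"SpectrumRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "RedshiftSpectrumRole",  # fixed name => CAPABILITY_NAMED_IAM
                "AssumeRolePolicyDocument": trust,
                "Policies": [{"PolicyName": "SpectrumReadOnly", "PolicyDocument": policy}],
            },
        }},
        "Outputs": {"SpectrumRoleArn": {"Value": {"Fn::GetAtt": ["SpectrumRole", "Arn"]}}},
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_roles(template):
    """Return findings for every AWS::IAM::Role in a template given as a dict."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
                findings.append(f"{name}: trust statement has no Condition (confused deputy)")
        for arn in props.get("ManagedPolicyArns", []):
            if arn in BROAD_MANAGED_POLICIES:
                findings.append(f"{name}: broad managed policy {arn.rsplit('/', 1)[-1]}")
        for pol in props.get("Policies", []):
            for stmt in pol["PolicyDocument"].get("Statement", []):
                if stmt.get("Effect") == "Allow" and (
                        "*" in _as_list(stmt.get("Action")) or "*" in _as_list(stmt.get("Resource"))):
                    findings.append(f"{name}: inline policy {pol['PolicyName']} grants a wildcard")
    return findings


def needs_named_iam_capability(template):
    """True when a role fixes its RoleName: the deploy then needs CAPABILITY_NAMED_IAM."""
    return any(r.get("Type") == "AWS::IAM::Role" and "RoleName" in r.get("Properties", {})
               for r in template.get("Resources", {}).values())


if __name__ == "__main__":
    tpl = spectrum_role_template()
    print(json.dumps(tpl, indent=2))          # save to a file and deploy with the CLI
    print("findings:", lint_roles(tpl) or "none")
```

Two deployment caveats apply to the question's template as much as to this one. Because `RoleName` is set, `aws cloudformation deploy` (or `create-stack`) must be given `--capabilities CAPABILITY_NAMED_IAM`; drop `RoleName` and let CloudFormation generate the name if `CAPABILITY_IAM` is all you want to grant. And CloudFormation associates a role with a cluster only through the `IamRoles` property of an `AWS::Redshift::Cluster` it manages, so for a cluster created outside the stack Step 2 is still a separate call, `aws redshift modify-cluster-iam-roles --cluster-identifier <id> --add-iam-roles <role ARN>`, run by a principal that holds the Step 2 policy with `iam:PassRole` scoped to this role's ARN.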

Regarding amazon-redshift - Template for creating an IAM role for Redshift Spectrum S3 access, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/58816446/
