在我的场景中,我想要一个允许在 S3 上读写的策略abc-database-backups/rds/postgresql-backup
?我们希望我的服务器能够添加该访问权限。
创建一个角色并将其附加到服务器是最好的还是向服务器添加密钥最好?
我尝试了这个:
aws iam create-policy \
--policy-name rds-s3-integration-policy \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketACL",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::bucket_name"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": "arn:aws:s3:::bucket_name/key_prefix/*"
}
]
}'
我将非常感激任何帮助,因为我在这个领域的经验有些有限。
答案1
用一个服务相关角色为 RDS 提供对 S3 和您需要的任何其他命名资源的访问。确保 RDS 实例具有此角色。您还应该阅读本文档关于使用扩展将 S3 数据导入 RDS PostgreSQL。
我已经调整了一些 CloudFormation 基础设施代码,应该可以设置一个角色。您需要修改权限和存储桶名称以满足您的要求。它应该可以按原样工作,但我确实必须调整我现有的代码,因此如果它不能 100% 正常工作,请编辑帖子或评论,以便我可以编辑它。
AWSTemplateFormatVersion: '2010-09-09'
Description: Role for RDS
Resources:
RdsS3IntegrationRole:
Type: AWS::IAM::Role
Properties:
RoleName: RdsS3IntegrationRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
-
Effect: Allow
Principal:
Service:
- rds.amazonaws.com
Action:
- sts:AssumeRole
RDSS3IntegrationPolicy:
Type: AWS::IAM::Policy
Properties:
Roles:
- !Ref 'RdsS3IntegrationRole'
PolicyName: RDSS3IntegrationPolicy
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:GetObject
- s3:ListBucket
- s3:PutObject
Resource:
- !Sub 'arn:aws:s3:::bucketname/*'
- !Sub 'arn:aws:s3:::bucketname'
- Effect: Allow
Action:
- kms:Decrypt
- kms:Encrypt
- kms:GenerateDataKey
- kms:ReEncryptTo
- kms:DescribeKey
- kms:ReEncryptFrom
Resource:
- !Sub 'arn:aws:kms:ap-southeast-2:${AWS::AccountId}:key/*'