I'm trying to load Parquet data into Redshift via Redshift Spectrum.
I have my trust relationships etc. set up and can assume the Redshift role fine.
However, I get an S3 access denied error that I can't seem to resolve.
S3 bucket policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET>",
                "arn:aws:s3:::<BUCKET>/*"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": [
                        "<ADMIN ROLE 1 ARN>",
                        "<ADMIN ROLE 2 ARN>"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetBucketNotification",
                "s3:GetBucketVersioning",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:ListBucketVersions"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET>",
                "arn:aws:s3:::<BUCKET>/*"
            ],
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::123456781234:role/GlueRole",
                        "arn:aws:iam::123456781234:role/ExtractSQLRole",
                        "arn:aws:iam::123456781234:role/RedshiftRole"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::<BUCKET>/*",
                "arn:aws:s3:::<BUCKET>"
            ],
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": [
                        "<ADMIN ROLE 1 ARN>",
                        "<ADMIN ROLE 2 ARN>",
                        "arn:aws:iam::123456781234:role/GlueRole",
                        "arn:aws:iam::123456781234:role/ExtractSQLRole",
                        "arn:aws:iam::123456781234:role/RedshiftRole"
                    ]
                }
            }
        }
    ]
}
The Spectrum schema is created with:
create external schema 'Schema1'
from data catalog
database 'spectrum_database'
iam_role 'arn:aws:iam::123456781234:role/RedshiftRole'
catalog_role 'arn:aws:iam::123456781234:role/GlueRole'
Glue role:
GlueRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: glue.amazonaws.com
          Action: sts:AssumeRole
        - Effect: Allow
          Principal:
            Service: redshift.amazonaws.com
          Action: sts:AssumeRole
          Condition:
            StringEquals:
              sts:ExternalId:
                - arn:aws:iam::123456781234:role/GlueRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole
With this I get a list of tables, but I always get the following error:
I need to keep the bucket secure, restricted to only certain roles, but I also need Spectrum to query it... any suggestions?
You must be explicitly denying all your principals: Deny always wins, so you will always be denied, and no allow will change that. I'm not sure what you're trying to achieve with this. Maybe you want to use ArnNotEquals.
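The "explicit Deny always wins" rule above can be checked offline before touching the bucket. This is an added example, not code from the question or the answer: it models the bucket policy from the question (with constructed stand-ins for the <BUCKET> and <ADMIN ROLE n ARN> placeholders, and the middle Allow trimmed to three actions) and a simplified evaluator covering only the ArnEquals / ArnNotEquals operators the policy uses, so you can see which principal ARNs fall into the Deny.

```python
import fnmatch

# Constructed stand-ins for the <BUCKET> and <ADMIN ROLE n ARN> placeholders in the question.
BUCKET = "example-bucket"
ADMIN_ROLES = ["arn:aws:iam::123456781234:role/Admin1", "arn:aws:iam::123456781234:role/Admin2"]
SPECTRUM_ROLES = ["arn:aws:iam::123456781234:role/GlueRole",
                  "arn:aws:iam::123456781234:role/ExtractSQLRole",
                  "arn:aws:iam::123456781234:role/RedshiftRole"]
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Same shape as the bucket policy in the question (the middle Allow is trimmed to three actions).
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"ArnEquals": {"aws:PrincipalArn": ADMIN_ROLES}}},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARNS, "Condition": {"ArnEquals": {"aws:PrincipalArn": SPECTRUM_ROLES}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ADMIN_ROLES + SPECTRUM_ROLES}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, principal_arn):
    # Only the two operators the policy uses are modelled; a key is satisfied when the
    # principal equals any listed ARN (ArnEquals) or none of them (ArnNotEquals).
    for operator, keys in condition.items():
        listed = _as_list(keys.get("aws:PrincipalArn", []))
        if operator == "ArnEquals" and principal_arn not in listed:
            return False
        if operator == "ArnNotEquals" and principal_arn in listed:
            return False
    return True

def evaluate(policy, principal_arn, action, resource_arn):
    """Simplified bucket-policy decision for one request: a matching explicit Deny beats
    every Allow, and a request no statement allows is an implicit deny. principal_arn is
    the value aws:PrincipalArn carries, which for an assumed role is the role ARN itself."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

Running `evaluate` for each role you expect Spectrum to use shows immediately whether it lands in the Deny statement or in an Allow; any principal that is not in the ArnNotEquals list is refused regardless of what else the policy grants.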