amazon-redshift - 创建用于频谱S3访问的IAM角色的模板(Template to create IAM role for spectrum S3 access)

Question

The bounty expires in 7 days) . 赏金将 在7天后过期) 。) Answers to this question are eligible for a +50 reputation bounty. 这个问题的答案有资格获得+50声望奖励。) shantanuo wants to draw more attention) to this question. 尚塔诺希望提请更多注意)这个问题。)

In order to access S3 data through spectrum, I need to create an IAM role as explained here...

(为了通过频谱访问S3数据，我需要创建一个IAM角色，如此处所述...)

https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html

(https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html)

The newly created IAM role needs to be attached to redshift instance.

(新创建的IAM角色需要附加到redshift实例。)

https://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html#copy-unload-iam-role-associating-with-clusters

(https://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html#copy-unload-iam-role-associating-with-clusters)

I have managed to complete all the steps successfully.

(我已经成功地完成了所有步骤。)

But I will like to know if a cloudformation template can be written that will be do the needful quickly.

(但是我想知道是否可以编写一个cloudformation模板，该模板可以快速完成需要的工作。)

Here is relevant code that I have extracted.

(这是我提取的相关代码。)

I am not sure how to put is in correct syntax.

(我不确定如何使用正确的语法。)

Step 1

(步骤1)

{
        "Tags": [],
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "redshift.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROAJWJGDMYIHSSTPZ6I6CM",
        "CreateDate": "2017-05-15T05:34:46Z",
        "InstanceProfileList": [],
        "RoleName": "RedshiftCopyUnload",
        "Path": "/",
        "AttachedManagedPolicies": [
            {
                "PolicyName": "AmazonAthenaFullAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonAthenaFullAccess"
            },
            {
                "PolicyName": "AmazonS3ReadOnlyAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
            },
            {
                "PolicyName": "AWSGlueConsoleFullAccess",
                "PolicyArn": "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
            }
        ],
        "RolePolicyList": [],
        "Arn": "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
    }

Step 2

(第2步)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                 "redshift:ModifyClusterIamRoles",
                 "redshift:CreateCluster"
            ],
            "Resource": [
                 "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
                 "arn:aws:redshift:us-east-1:123456789012:cluster:cluster:my-second-redshift-cluster"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/MyRedshiftRole",
                "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                "arn:aws:iam::123456789012:role/ThirdRedshiftRole"
             ]
        }
    ]
}

---

Update: will the following cloudformation template correctly create the role mentioned in step 1?

(更新：以下cloudformation模板会正确创建步骤1中提到的角色吗？)

{
  "Resources": {
    "NewRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": [
                  "redshift.amazonaws.com"
                ]
              },
              "Action": [
                "sts:AssumeRole"
              ]
            }
          ]
        },
        "RoleName": "RedshiftCopyUnload",
        "Path": "/",
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonAthenaFullAccess",
          "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
          "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess"
        ]
      }
    }
  }
}

  ask by shantanuo translate from so

Answer 1

Yes.

(是。)

An AWS CloudFormation template can be used to define an IAM Role.

(AWS CloudFormation模板可用于定义IAM角色。)

Here is an example from AWS::IAM::Role - AWS CloudFormation :

(这是来自AWS :: IAM :: Role-AWS CloudFormation的示例：)

AWSTemplateFormatVersion: 2010-09-09
Resources:
  RootRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.&api-domain;
            Action:
              - 'sts:AssumeRole'
      Path: /
      Policies:
        - PolicyName: root
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'