Amazon 身份和访问管理 (IAM) 可控制对 Amazon Web Services (AWS) 资源的访问权限。 以下示例 JSON 片段可显示访问 ArcGIS Enterprise 所使用的特定资源所需的 IAM 策略。
运行 ArcGIS Enterprise Cloud Builder for AWS
如果您运行 ArcGIS Enterprise Cloud Builder for AWS 应用程序或 ArcGIS Enterprise Cloud Builder Command Line Interface for Amazon Web Services 来创建部署,请按如下所述创建 IAM 策略并将其分配给 IAM 用户。 您将使用此用户的凭据(例如访问密钥 ID 和保密访问密钥)登录到 Cloud Builder。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "rds:*", "events:*", "logs:*", "dynamodb:*", "autoscaling:*", "acm:*", "s3:*", "cloudformation:*", "elasticloadbalancing:*", "iam:*", "cloudwatch:*", "ssm:*", "ssmmessages:*", "lambda:*", "route53:*", "ec2:*", "ec2messages:*", "secretsmanager:*" ], "Effect": "Allow", "Resource": "*" } ] }
来自 Esri 的 CloudFormation 模板
当您运行 Esri 提供的 AWS CloudFormation 模板时,将为您创建 IAM 角色和策略。 以下内容将介绍策略。
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeLifecycleHooks", "autoscaling:DescribeLifecycleHookTypes", "autoscaling:DescribeLoadBalancers", "autoscaling:DescribeTags", "autoscaling:AttachInstances", "autoscaling:AttachLoadBalancers", "autoscaling:AttachLoadBalancerTargetGroups", "autoscaling:CompleteLifecycleAction", "autoscaling:DeleteLifecycleHook", "autoscaling:DetachInstances", "autoscaling:DetachLoadBalancers", "autoscaling:DetachLoadBalancerTargetGroups", "autoscaling:PutLifecycleHook", "autoscaling:UpdateAutoScalingGroup" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackResources", "cloudformation:DescribeStackResource", "cloudformation:SignalResource" ], "Resource": "*", "Effect": "Allow" }, { "Action": "dynamodb:*", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2:DescribeAddresses", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeNetworkInterfaces", "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifyInstanceMetadataOptions", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:StartInstances", "ec2:StopInstances" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ec2messages:GetEndpoint", "ec2messages:GetMessages", "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage", "ec2messages:FailMessage", "ec2messages:SendReply" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateRule", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteLoadBalancerPolicy", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyRule", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "elasticloadbalancing:SetRulePriorities" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "events:DescribeRule", "events:PutRule", "events:DeleteRule", "events:DisableRule", "events:EnableRule", "events:PutEvents", "events:PutTargets", "events:RemoveTargets" ], "Resource": "*", "Effect": "Allow" }, { "Action": "iam:PassRole", "Resource": "arn:aws:iam::0123456789:role/XXXXXXXX", "Effect": "Allow" }, { "Action": [ "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents", "logs:PutMetricFilter" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject", "s3:DeleteObjectTagging", "s3:PutBucketTagging", "s3:PutObjectTagging", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutObject" ], "Resource": "*", "Effect": "Allow" }, { "Action": "secretsmanager:GetSecretValue", "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssm:ListAssociations", "ssm:DescribeAssociation", "ssm:DescribeDocument", "ssm:DescribeInstanceInformation", "ssm:GetDeployablePatchSnapshotForInstance", "ssm:GetDocument", "ssm:GetManifest", "ssm:GetParameter", "ssm:GetParameters", "ssm:ListCommands", "ssm:ListCommandInvocations", "ssm:ListInstanceAssociations", "ssm:PutConfigurePackageResult", "ssm:DeleteAssociation", "ssm:PutComplianceItems", "ssm:PutInventory", "ssm:SendCommand", "ssm:StartAutomationExecution", "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus", "ssm:UpdateInstanceInformation" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel", "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel" ], "Resource": "*", "Effect": "Allow" } ] }
将 Portal for ArcGIS 内容目录存储在 S3 存储段中
要将 Portal for ArcGIS 内容目录存储在 Amazon Simple Storage Service (S3) 存储段中,您需要一个具有以下 IAM 策略的 IAM 用户或角色:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:Get*", "s3:PutObject", "s3:ListBucket", "s3:CreateBucket", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<portal-content-bucket-name>/*", "arn:aws:s3:::<portal-content-bucket-name>" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。
将 ArcGIS Server 配置存储目录存储在 S3 和 DynamoDB 中
要使用 AWS 存储服务存储 ArcGIS Server 配置存储目录,您需要一个具有以下 IAM 策略的 IAM 用户或角色:
{ "Version":"2012-10-17", "Statement":[ { "Sid":"<statement-id1>", "Action":[ "s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:GetObject", "s3:DeleteObjectTagging", "s3:PutBucketTagging", "s3:PutObjectTagging", "s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:PutObject" ], "Effect":"Allow", "Resource":[ "arn:aws:s3:::arcgis-config-store-*", "arn:aws:s3:::arcgis-config-store-*/*" ] }, { "Sid":"<statement-id2>", "Action":[ "dynamodb:UntagResource", "dynamodb:PutItem", "dynamodb:ListTables", "dynamodb:DeleteItem", "dynamodb:Scan", "dynamodb:ListTagsOfResource", "dynamodb:Query", "dynamodb:UpdateItem", "dynamodb:DeleteTable", "dynamodb:CreateTable", "dynamodb:TagResource", "dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:UpdateTable", "dynamodb:GetRecords" ], "Effect":"Allow", "Resource":[ "arn:aws:dynamodb:*:*:table/ArcGISConfigStores", "arn:aws:dynamodb:*:*:table/ArcGISConfigStore.*" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。
将缓存存储在 S3 存储段中
要将 S3 存储段注册为云存储以用于存储和访问地图和图像缓存,您的 IAM 用户或角色至少需要具有以下 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetObjectVersion", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<cache-bucket-name>/*", "arn:aws:s3:::<cache-bucket-name>" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。
将 S3 存储段用作大数据文件共享
要将 S3 存储段注册为大数据文件共享,您的 IAM 用户或角色至少需要具有以下 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:CreateBucket", "s3:DeleteBucket", "s3:AbortMultipartUpload" ], "Resource": [ "arn:aws:s3:::<bdfs-bucket-name>/*", "arn:aws:s3:::<bdfs-bucket-name>" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。
将 S3 存储段用作栅格存储
要将 S3 存储段注册为栅格存储,您的 IAM 用户或角色至少需要具有以下 IAM 策略:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:GetObjectVersion" ], "Resource": [ "arn:aws:s3:::<raster-store-bucket-name>/*", "arn:aws:s3:::<raster-store-bucket-name>" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。
为 webgisdr 实用程序生成的备份使用 S3 存储段。
如果您使用随 Portal for ArcGIS 安装的 webgisdr 实用程序在 AWS 上的 S3 存储段中创建备份,则您的 IAM 用户或角色需要用于创建备份文件的策略和用于从这些备份文件恢复部署的策略。
以下是使用 webgisdr 实用程序在 S3 存储段中创建备份所需的最低策略设置:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketAcl", "s3:PutObjectAcl" ], "Resource": [ "arn:aws:s3:::<webgisdr-bucket-name>", "arn:aws:s3:::<portal-content-backup-bucket-name>", "arn:aws:s3:::<webgisdr-bucket-name>/*", "arn:aws:s3:::<portal-content-backup-bucket-name>/*" ] } ] }
以下是使用 webgisdr 实用程序从存储在 S3 存储段中的备份文件恢复部署所需的最低策略设置:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "<statement-id>", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket", "s3:GetBucketAcl", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::<webgisdr-bucket-name>", "arn:aws:s3:::<portal-content-backup-bucket-name>", "arn:aws:s3:::<webgisdr-bucket-name>/*", "arn:aws:s3:::<portal-content-backup-bucket-name>/*" ] } ] }
将尖括号 (<>) 内的值替换为部署特定值。
2012-10-17 为此处显示的策略文档格式的版本。 如果更改此版本日期,则可能还需要更改文档格式。