Introduction
Last time, I posted "AWS もう苦しまない、Athenaでパッとログ整理" (roughly, "AWS: no more pain, tidy up logs in a flash with Athena").
In an earlier internal hands-on session, the advance "permission granting" fell short and ate up a lot of time, so here I am noting down the permissions needed for that previous Athena post.
IAM policies
Amazon S3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObjectTagging",
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:RestoreObject",
        "s3:ListBucket",
        "s3:PutObjectTagging",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": "arn:aws:s3:::[バケット名]*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Glue DataBrew
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "databrew:DescribeJob",
        "databrew:UpdateProject",
        "databrew:TagResource",
        "databrew:StartProjectSession",
        "databrew:DeleteJob",
        "databrew:DescribeDataset",
        "databrew:DeleteDataset",
        "databrew:StartJobRun",
        "databrew:UpdateRecipe",
        "databrew:StopJobRun",
        "databrew:DescribeJobRun",
        "databrew:ListJobRuns",
        "databrew:DescribeProject",
        "databrew:DeleteProject",
        "databrew:UpdateDataset",
        "databrew:UntagResource",
        "databrew:ListRecipeVersions",
        "databrew:UpdateRecipeJob",
        "databrew:DescribeRecipe"
      ],
      "Resource": [
        "arn:aws:databrew:[リージョン]:[アカウント]:project/[プロジェクト名]*",
        "arn:aws:databrew:[リージョン]:[アカウント]:job/[ジョブ名]*",
        "arn:aws:databrew:[リージョン]:[アカウント]:dataset/[データセット名]*",
        "arn:aws:databrew:[リージョン]:[アカウント]:recipe/[レシピ名]*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "databrew:CreateRecipe",
        "databrew:ListDatasets",
        "databrew:ListJobs",
        "databrew:CreateRecipeJob",
        "databrew:CreateDataset",
        "databrew:ListProjects",
        "databrew:CreateProject"
      ],
      "Resource": "*"
    }
  ]
}
```
AWS Glue
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetCrawler",
        "glue:GetCrawlers",
        "glue:GetCatalogs",
        "glue:GetTables",
        "glue:GetPartitions",
        "glue:GetCatalog",
        "glue:GetDatabases",
        "glue:ListCrawlers",
        "glue:GetTable"
      ],
      "Resource": "*"
    }
  ]
}
```
Amazon Athena
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "athena:TagResource",
        "athena:UntagResource",
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:GetNamedQuery",
        "athena:ListTagsForResource",
        "athena:ListQueryExecutions",
        "athena:ListNamedQueries",
        "athena:GetWorkGroup",
        "athena:UpdateNamedQuery",
        "athena:CreateNamedQuery",
        "athena:ListDatabases",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution",
        "athena:StartSession"
      ],
      "Resource": [
        "arn:aws:athena:[リージョン]:[アカウント]:datacatalog/[データカタログ名]",
        "arn:aws:athena:[リージョン]:[アカウント]:workgroup/[ワークグループ名]"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:GetExecutionEngine",
        "athena:GetTables",
        "athena:GetTable",
        "athena:ListExecutors",
        "athena:RunQuery",
        "athena:GetCatalogs"
      ],
      "Resource": "*"
    }
  ]
}
```
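As an added example that is not part of the original post: a small Python check that lists which actions an Allow statement grants on Resource "*" without a Get/List/Describe verb, the ones worth scoping to an ARN before the policies go to a test user. The read-only prefix list is a triage heuristic of my own, not AWS's access-level classification, and the sample input is the post's DataBrew policy with VisualEditor0 abbreviated.

```python
# Verb prefixes this review treats as read-only (a triage heuristic,
# not AWS's own access-level classification).
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def wildcard_write_actions(policy: dict) -> list[str]:
    """Return actions that Allow statements grant on Resource "*" whose
    verb is not Get/List/Describe, i.e. candidates for ARN scoping."""
    statements = policy["Statement"]
    if isinstance(statements, dict):      # a single statement may be unwrapped
        statements = [statements]
    flagged = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if "*" not in resources:          # already scoped to ARNs: skip
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            # "*" or "service:*" has no read-only verb, so it is always flagged
            verb = action.split(":", 1)[1] if ":" in action else "*"
            if not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged


# Sample input, constructed here from the DataBrew policy in this post
# (VisualEditor0 abbreviated; placeholders left exactly as the post writes them).
DATABREW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["databrew:DescribeJob", "databrew:DeleteJob", "databrew:StartJobRun"],
         "Resource": ["arn:aws:databrew:[リージョン]:[アカウント]:job/[ジョブ名]*"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["databrew:CreateRecipe", "databrew:ListDatasets", "databrew:ListJobs",
                    "databrew:CreateRecipeJob", "databrew:CreateDataset",
                    "databrew:ListProjects", "databrew:CreateProject"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for action in wildcard_write_actions(DATABREW_POLICY):
        print(f'granted on Resource "*": {action}')
```

On the post's DataBrew policy this flags the four Create actions; run against the Athena policy it would flag athena:RunQuery. Actions that only support Resource "*" (s3:ListAllMyBuckets, for example) pass the heuristic, so treat its output as a review list, not a verdict.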
Closing
AWS permissions are an area that is surprisingly easy to overlook. It is tempting to just check things with your own permissions, but create a proper test IAM user, verify with it, and only then roll the setup out to everyone.
※Recorded as a reminder to myself
References (with thanks)