管理角色
创建管理角色,使 Qlik Cloud 能够在湖空间环境中配置实例和弹性 IP。
管理角色是您创建的 IAM 角色,用于授予 Qlik 代表您与 AWS 环境交互的必要权限。该角色由 Qlik 在部署和运行时操作中承担,以安全访问和管理您的 Iceberg 湖空间所需的 AWS 资源。
该角色与自定义 IAM 策略相关联,该策略定义了 Qlik 被授权执行的具体操作 - 如读取和写入 S3 存储段、管理 EC2 实例以及与 AWS Glue 或 KMS 等其他服务交互。
该角色可确保安全、最少权限的访问,同时允许 Qlik 在 AWS 账户内自动化和协调元数据管理、数据移动和作业执行等关键任务。
要正常运行,必须按照设置说明中概述的所需信任关系和权限策略创建该角色。
先决条件
确保已创建用于托管 Qlik Open Lakehouse 的 VPC、子网和可用区,并掌握以下详细信息:
-
您的 AWS 帐户 ID。
-
对称 KMS 密钥 ARN。
创建管理角色
要创建管理角色,请执行以下操作:
-
在 AWS 控制台中,转到 IAM
-
在角色中,单击创建角色并进行配置:
-
受信任实体类型:选择自定义信任策略。
-
声明:在代码窗格中,将管理角色配置指南中创建的受信任实体策略粘贴到 Qlik Cloud 中。
-
创建角色并记下 ARN 值。格式应如下:
arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>.
创建策略
-
在 IAM 中单击角色,然后选择上面创建的角色。
-
单击添加权限。
-
选择创建内联策略。
-
在策略编辑器中,选择 JSON。粘贴以下文本,并确保:
-
将 <AWS_ACCOUNT_ID> 参数更改为您的帐户。
-
使用密钥 ARN 更新 <KMS_SYMMETRIC_KEY_ARN> 值。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"ec2:CancelSpotInstanceRequests",
"ec2:CreateLaunchTemplate",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DescribeAddresses",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstances",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSpotPriceHistory",
"ec2:DescribeTags",
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:RequestSpotInstances",
"ec2:DescribeVolumes"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:volume/*"
],
"Action": [
"ec2:RunInstances"
]
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:DeleteLaunchTemplate",
"ec2:TerminateInstances",
"ec2:StartInstances",
"ec2:ModifyLaunchTemplate",
"ec2:DeleteLaunchTemplateVersions",
"ec2:CreateLaunchTemplateVersion"
],
"Condition": {
"Null": {
"aws:ResourceTag/qlik_cluster": "false"
}
}
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeletePolicy",
"autoscaling:DeleteTags",
"autoscaling:PutScalingPolicy",
"autoscaling:StartInstanceRefresh",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Condition": {
"Null": {
"aws:ResourceTag/qlik_cluster": "false"
}
}
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeInstanceRefreshes",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeTags"
]
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"ec2:DescribeRegions",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeKeyPairs"
]
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"cloudwatch:PutMetricData"
]
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"cloudwatch:DeleteAlarms"
],
"Condition": {
"Null": {
"aws:ResourceTag/qlik_cluster": "false"
}
}
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"cloudwatch:PutMetricAlarm"
],
"Condition": {
"Null": {
"aws:RequestTag/qlik_cluster": "false"
}
}
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"iam:AddRoleToInstanceProfile",
"iam:CreateServiceLinkedRole",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListAccountAliases",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicies",
"iam:ListRoles",
"iam:PassRole"
]
},
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"sts:DecodeAuthorizationMessage"
]
},
{
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:<AWS_ACCOUNT_ID>:parameter/qlik/*"
],
"Action": [
"ssm:PutParameter"
]
},
{
"Effect": "Allow",
"Resource": [
"<KMS_SYMMETRIC_KEY_ARN>"
],
"Action": [
"kms:GenerateDataKeyPairWithoutPlaintext",
"kms:Encrypt"
]
}
]
}
要求权限理由
下表解释了管理角色的各项权限:
| 策略 | 权限 | 解释 |
|---|---|---|
| EC2 - 资源管理操作 |
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CancelSpotInstanceRequests", "ec2:CreateLaunchTemplate", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeAddresses", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeTags", "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:RequestSpotInstances", "ec2:DescribeVolumes" ], "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:RunInstances", "Effect": "Allow", "Resource": [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*" ] } ] } |
该策略授予 Qlik 管理 EC2 实例和资源(如卷、安全组和子网)的权限。由于所有方法都是描述或创建操作,因此不包含任何条件。 |
| EC2 - 资源操纵操作 |
{ "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:DeleteLaunchTemplate", "ec2:TerminateInstances", "ec2:StartInstances", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion" ], "Condition": { "Null": { "aws:ResourceTag/qlik_cluster": "false" } }, "Effect": "Allow", "Resource": "*" }, { "Action": [ "autoscaling:PutScalingPolicy", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DeleteTags", "autoscaling:StartInstanceRefresh" ], "Condition": { "Null": { "aws:ResourceTag/qlik_cluster": "false" } }, "Effect": "Allow", "Resource": "*" } ] } |
该策略授予 Qlik 管理 EC2 实例和 Qlik 基于 qlik_cluster 标签创建的资源的权限。权限包括附加卷、终止实例及修改启动模板等操作。 |
| EC2 - 验证操作 |
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs" ], "Resource": "*" } ] } |
该策略授予 Qlik 在创建网络集成时验证输入的权限。这些操作不是强制性的,只有在提供特定输入时才需要。 |
| IAM - 实例配置文件操作 | "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:AddRoleToInstanceProfile", "iam:CreateServiceLinkedRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListAccountAliases", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListPolicies", "iam:ListRoles", "iam:PassRole" ], "Effect": "Allow", "Resource": "*" } ] } | 该策略允许管理角色处理 EC2 实例配置文件,包括创建服务链接角色和将角色传递至 EC2 实例等操作。 |
| STS - 授权行动 | "Version": "2012-10-17", "Statement": [ { "Action": "sts:DecodeAuthorizationMessage", "Effect": "Allow", "Resource": "*" } ] } | 该策略授予 Qlik 解码授权信息的权限,以帮助排除授权问题。 |
| SSM - 秘密管理行动 | "Version": "2012-10-17", "Statement": [ { "Action": [ "ssm:PutParameter" ], "Effect": "Allow", "Resource": "arn:aws:ssm:*:<AWS_ACCOUNT_ID>:parameter/qlik/*", } ] } | 此策略授予管理角色在 AWS Systems Manager 参数存储中存储密码的权限。Qlik 提供的实例将读取这些密码。<AWS_ACCOUNT_ID> 是用户配置的值 |
| KMS | "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GenerateDataKeyPairWithoutPlaintext", "kms:Encrypt" ], "Resource": "<KMS_SYMMETRIC_KEY_ARN>" } ] } | 该策略允许 Qlik 在无法访问私钥的情况下生成加密密钥对,并对将由 Qlik 提供的计算机读取和解密的数据进行加密。<KMS_SYMMETRIC_KEY_ARN> 是用户配置的值。 |