Management role
Create a management role so that Qlik Cloud can provision instances and Elastic IPs in your lakehouse environment.
The management role is an IAM role that you create to grant Qlik the permissions it needs to interact with your AWS environment on your behalf. Qlik assumes this role during deployment and runtime operations to securely access and manage the AWS resources required by the Iceberg lakehouse.
The role is associated with a custom IAM policy that defines the specific actions Qlik is authorized to perform, such as reading from and writing to S3 buckets, managing EC2 instances, and interacting with other services such as AWS Glue or KMS.
The role enforces least-privilege access while still allowing Qlik to automate and orchestrate key tasks within your AWS account, such as metadata management, data movement, and job execution.
For it to work correctly, the role must be created with the required trust relationship and permissions policy as outlined in the setup instructions.
Prerequisites
Make sure you have created the VPC, subnets, and availability zones used to host Qlik Open Lakehouse, and that you have the following details:
- Your AWS account ID.
- The ARN of a symmetric KMS key.
Create the management role
To create the management role, do the following:
- In the AWS console, go to IAM.
- Under Roles, click Create role and configure it:
  - Trusted entity type: select Custom trust policy.
  - Statement: in the code pane, paste the trusted entity policy that was generated in the management role setup guide in Qlik Cloud.
- Create the role and note its ARN value. It has the following format:
  arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>
Create the policy
- In IAM, click Roles and select the role created above.
- Click Add permissions.
- Select Create inline policy.
- In the policy editor, select JSON. Paste the following text, making sure to:
  - Change the <AWS_ACCOUNT_ID> parameter to your account ID.
  - Update the <KMS_SYMMETRIC_KEY_ARN> value with your key ARN.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DescribeAddresses",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstances",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeTags",
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:RequestSpotInstances",
        "ec2:DescribeVolumes"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Action": [
        "ec2:RunInstances"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "ec2:AttachVolume",
        "ec2:DeleteVolume",
        "ec2:DetachVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:ModifyLaunchTemplate",
        "ec2:DeleteLaunchTemplateVersions",
        "ec2:CreateLaunchTemplateVersion"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/qlik_cluster": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeletePolicy",
        "autoscaling:DeleteTags",
        "autoscaling:PutScalingPolicy",
        "autoscaling:StartInstanceRefresh",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/qlik_cluster": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeInstanceRefreshes",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTags"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeKeyPairs"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "cloudwatch:DescribeAlarmHistory",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:DescribeAlarmsForMetric",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "cloudwatch:PutMetricData"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "cloudwatch:DeleteAlarms"
      ],
      "Condition": {
        "Null": {
          "aws:ResourceTag/qlik_cluster": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "cloudwatch:PutMetricAlarm"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/qlik_cluster": "false"
        }
      }
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateServiceLinkedRole",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListAccountAliases",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicies",
        "iam:ListRoles",
        "iam:PassRole"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "*"
      ],
      "Action": [
        "sts:DecodeAuthorizationMessage"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ssm:*:<AWS_ACCOUNT_ID>:parameter/qlik/*"
      ],
      "Action": [
        "ssm:PutParameter"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "<KMS_SYMMETRIC_KEY_ARN>"
      ],
      "Action": [
        "kms:GenerateDataKeyPairWithoutPlaintext",
        "kms:Encrypt"
      ]
    }
  ]
}
```
Justification for the requested permissions
The following table explains each permission of the management role:
| Policy | Permission | Explanation |
|---|---|---|
| EC2 - resource management actions | { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:CancelSpotInstanceRequests", "ec2:CreateLaunchTemplate", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DescribeAddresses", "ec2:DescribeImageAttribute", "ec2:DescribeImages", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeInstances", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "ec2:DescribeSpotInstanceRequests", "ec2:DescribeSpotPriceHistory", "ec2:DescribeTags", "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:RequestSpotInstances", "ec2:DescribeVolumes" ], "Effect": "Allow", "Resource": "*" }, { "Action": "ec2:RunInstances", "Effect": "Allow", "Resource": [ "arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*" ] } ] } | This policy grants Qlik permission to manage EC2 instances and resources such as volumes, security groups, and subnets. No conditions are included because all of the actions are describe or create operations. |
| EC2 - resource manipulation actions | { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:DeleteLaunchTemplate", "ec2:TerminateInstances", "ec2:StartInstances", "ec2:ModifyLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:CreateLaunchTemplateVersion" ], "Condition": { "Null": { "aws:ResourceTag/qlik_cluster": "false" } }, "Effect": "Allow", "Resource": "*" }, { "Action": [ "autoscaling:PutScalingPolicy", "autoscaling:UpdateAutoScalingGroup", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeletePolicy", "autoscaling:DeleteTags", "autoscaling:StartInstanceRefresh" ], "Condition": { "Null": { "aws:ResourceTag/qlik_cluster": "false" } }, "Effect": "Allow", "Resource": "*" } ] } | This policy grants Qlik permission to manage the EC2 instances and resources that Qlik itself created, identified by the qlik_cluster tag. The permissions cover actions such as attaching volumes, terminating instances, and modifying launch templates. |
| EC2 - validation actions | { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "ec2:DescribeRegions", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeKeyPairs" ], "Resource": "*" } ] } | This policy grants Qlik permission to validate input when creating the network integration. These actions are not mandatory and are only needed when specific input is provided. |
| IAM - instance profile actions | { "Version": "2012-10-17", "Statement": [ { "Action": [ "iam:AddRoleToInstanceProfile", "iam:CreateServiceLinkedRole", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListAccountAliases", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:ListPolicies", "iam:ListRoles", "iam:PassRole" ], "Effect": "Allow", "Resource": "*" } ] } | This policy allows the management role to work with EC2 instance profiles, including actions such as creating service-linked roles and passing roles to EC2 instances. |
| STS - authorization actions | { "Version": "2012-10-17", "Statement": [ { "Action": "sts:DecodeAuthorizationMessage", "Effect": "Allow", "Resource": "*" } ] } | This policy grants Qlik permission to decode authorization messages, which helps troubleshoot authorization failures. |
| SSM - secrets management actions | { "Version": "2012-10-17", "Statement": [ { "Action": [ "ssm:PutParameter" ], "Effect": "Allow", "Resource": "arn:aws:ssm:*:<AWS_ACCOUNT_ID>:parameter/qlik/*" } ] } | This policy grants the management role permission to store secrets in AWS Systems Manager Parameter Store, under the qlik/ parameter path only. These secrets are read by the instances that Qlik provisions. <AWS_ACCOUNT_ID> is a user-configured value. |
| KMS | { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "kms:GenerateDataKeyPairWithoutPlaintext", "kms:Encrypt" ], "Resource": "<KMS_SYMMETRIC_KEY_ARN>" } ] } | This policy grants Qlik permission to generate encryption key pairs without access to the private key, and to encrypt data that will be read and decrypted by the machines Qlik provisions. <KMS_SYMMETRIC_KEY_ARN> is a user-configured value. |
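The two manual edits in the policy steps above (replacing <AWS_ACCOUNT_ID> and <KMS_SYMMETRIC_KEY_ARN>) and the tag-scoping pattern the table explains (a Null condition on aws:ResourceTag/qlik_cluster or aws:RequestTag/qlik_cluster so that destructive actions only reach resources Qlik tagged) are both easy to get wrong when pasting. The following script is an added example, not Qlik's tooling or the page's own code: it substitutes the placeholders, rejects malformed or mismatched values, confirms the result is valid JSON, and audits the rendered policy for statements that drift from the page's least-privilege pattern. The embedded template is a constructed excerpt of the page's policy, and the account ID and key ARN in the usage block are constructed sample values.

```python
"""Render the management-role inline policy and check it before pasting it.

Added example for this page; it is not Qlik's tooling. It assumes the policy
JSON from the page is kept as a template with the <AWS_ACCOUNT_ID> and
<KMS_SYMMETRIC_KEY_ARN> placeholders still in place. The template below is a
constructed excerpt of that policy (a few statements), not the full text.
"""
import json
import re

# Constructed excerpt: an unscoped describe/create statement, a destructive
# statement scoped by the qlik_cluster tag, and the two placeholder statements.
POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["ec2:DescribeInstances", "ec2:CreateLaunchTemplate"]},
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
     "Condition": {"Null": {"aws:ResourceTag/qlik_cluster": "false"}}},
    {"Effect": "Allow", "Resource": ["arn:aws:ssm:*:<AWS_ACCOUNT_ID>:parameter/qlik/*"],
     "Action": ["ssm:PutParameter"]},
    {"Effect": "Allow", "Resource": ["<KMS_SYMMETRIC_KEY_ARN>"],
     "Action": ["kms:GenerateDataKeyPairWithoutPlaintext", "kms:Encrypt"]}
  ]
}"""

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Symmetric KMS key ARN: arn:aws:kms:<region>:<account>:key/<key-id>
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-f-]{36}$")
PLACEHOLDER_RE = re.compile(r"<[A-Z_]+>")

# Actions that change or destroy infrastructure. The page grants these on
# Resource "*" only together with a Null condition on the qlik_cluster tag,
# which restricts them to resources that carry that tag.
DESTRUCTIVE_PREFIXES = (
    "ec2:Terminate", "ec2:Delete", "ec2:Modify", "ec2:AttachVolume", "ec2:DetachVolume",
    "autoscaling:Delete", "autoscaling:Update", "cloudwatch:Delete",
)


def render_policy(template, account_id, kms_key_arn):
    """Substitute the placeholders and return the policy as a dict.

    Raises ValueError for a malformed account ID or key ARN, for a key that
    lives in another account, or if any <PLACEHOLDER> survives substitution.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("AWS account ID must be exactly 12 digits")
    match = KMS_KEY_ARN_RE.match(kms_key_arn)
    if not match:
        raise ValueError("KMS_SYMMETRIC_KEY_ARN is not a KMS key ARN")
    if match.group(1) != account_id:
        raise ValueError("KMS key ARN belongs to a different account")
    rendered = (template
                .replace("<AWS_ACCOUNT_ID>", account_id)
                .replace("<KMS_SYMMETRIC_KEY_ARN>", kms_key_arn))
    leftover = PLACEHOLDER_RE.findall(rendered)
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return json.loads(rendered)  # also proves the result is valid JSON


def _as_list(value):
    return value if isinstance(value, list) else [value]


def has_cluster_tag_condition(stmt):
    """True if the statement is limited to resources or requests tagged qlik_cluster."""
    null_cond = stmt.get("Condition", {}).get("Null", {})
    return any(null_cond.get(f"aws:{kind}Tag/qlik_cluster") == "false"
               for kind in ("Resource", "Request"))


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy follows the page's pattern."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        destructive = [a for a in actions if a.startswith(DESTRUCTIVE_PREFIXES)]
        if destructive and "*" in resources and not has_cluster_tag_condition(stmt):
            findings.append(f"statement {index}: {destructive} on Resource * "
                            "without a qlik_cluster tag condition")
        if any(a.startswith("kms:") for a in actions) and "*" in resources:
            findings.append(f"statement {index}: KMS actions must name the key ARN, not *")
        if any(a.startswith("ssm:") for a in actions) and not all(
                r.startswith("arn:aws:ssm:") and "/qlik/" in r for r in resources):
            findings.append(f"statement {index}: SSM actions must stay under parameter/qlik/")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own account ID and key ARN.
    policy = render_policy(POLICY_TEMPLATE, "123456789012",
                           "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_policy(policy) or "none")
```

Run it with the full policy from this page pasted into POLICY_TEMPLATE and your real values; an empty findings list means every destructive statement on Resource "*" still carries its qlik_cluster condition, the KMS grant names a single key, and SSM writes stay under the qlik/ parameter path. The account check on the key ARN catches the common mistake of pasting a key ARN from another account, which IAM would accept as syntactically valid but which the role could never use.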