
Set up an IAM role for Cloud Volumes ONTAP

An IAM role with the required permissions must be attached to each Cloud Volumes ONTAP node. The same is true for the HA mediator. The simplest option is to let BlueXP create the IAM role for you, but you can use your own role instead.

This task is optional. When you create a Cloud Volumes ONTAP working environment, the default option is to let BlueXP create the IAM role for you. If your organization's security policy requires you to create the IAM role yourself, follow the steps below.

Note: AWS Secret Cloud requires that you provide your own IAM role. "Learn how to deploy Cloud Volumes ONTAP in C2S"
Steps
  1. Go to the AWS IAM console.

  2. Create an IAM policy that contains the following permissions:

    • Base policy for Cloud Volumes ONTAP nodes

      Standard regions
      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Action": "s3:ListAllMyBuckets",
      			"Resource": "arn:aws:s3:::*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:ListBucket",
      				"s3:GetBucketLocation"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:GetObject",
      				"s3:PutObject",
      				"s3:DeleteObject"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}
      	]
      }
      GovCloud (US) regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-us-gov:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
      Top Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-iso:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
      Secret regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-iso-b:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-iso-b:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
    • Backup policy for Cloud Volumes ONTAP nodes

      If you plan to use BlueXP backup and recovery with your Cloud Volumes ONTAP system, the IAM role for the nodes must also include the second policy shown below.

    Standard regions
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws:s3:::netapp-backup*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListAllMyBuckets",
                    "s3:PutObjectTagging",
                    "s3:GetObjectTagging",
                    "s3:RestoreObject",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectRetention",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:PutObjectRetention"
                ],
                "Resource": "arn:aws:s3:::netapp-backup*/*",
                "Effect": "Allow"
            }
        ]
    }
    GovCloud (US) regions
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws-us-gov:s3:::netapp-backup*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListAllMyBuckets",
                    "s3:PutObjectTagging",
                    "s3:GetObjectTagging",
                    "s3:RestoreObject",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectRetention",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:PutObjectRetention"
                ],
                "Resource": "arn:aws-us-gov:s3:::netapp-backup*/*",
                "Effect": "Allow"
            }
        ]
    }
    Top Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws-iso:s3:::netapp-backup*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListAllMyBuckets",
                    "s3:PutObjectTagging",
                    "s3:GetObjectTagging",
                    "s3:RestoreObject",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectRetention",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:PutObjectRetention"
                ],
                "Resource": "arn:aws-iso:s3:::netapp-backup*/*",
                "Effect": "Allow"
            }
        ]
    }
    Secret regions
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": "arn:aws-iso-b:s3:::netapp-backup*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:ListAllMyBuckets",
                    "s3:PutObjectTagging",
                    "s3:GetObjectTagging",
                    "s3:RestoreObject",
                    "s3:GetBucketObjectLockConfiguration",
                    "s3:GetObjectRetention",
                    "s3:PutBucketObjectLockConfiguration",
                    "s3:PutObjectRetention"
                ],
                "Resource": "arn:aws-iso-b:s3:::netapp-backup*/*",
                "Effect": "Allow"
            }
        ]
    }
    • HA mediator

      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Effect": "Allow",
      			"Action": [
      				"ec2:AssignPrivateIpAddresses",
      				"ec2:CreateRoute",
      				"ec2:DeleteRoute",
      				"ec2:DescribeNetworkInterfaces",
      				"ec2:DescribeRouteTables",
      				"ec2:DescribeVpcs",
      				"ec2:ReplaceRoute",
      				"ec2:UnassignPrivateIpAddresses",
                      "sts:AssumeRole",
                      "ec2:DescribeSubnets"
      			],
      			"Resource": "*"
      		}
      	]
      }
  3. Create an IAM role and attach the policy that you created to the role.
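The node policies above differ only in the partition prefix of their ARNs (aws, aws-us-gov, aws-iso, aws-iso-b), and a policy copied from the wrong region, or widened to a bare bucket wildcard, is the usual way a self-built role ends up either non-functional or over-privileged. The following added example (not NetApp's own code or tooling) renders the base node policy for a chosen partition and checks a policy document against the scoping the page prescribes: only s3:ListAllMyBuckets may use the account-wide resource, every other statement must stay within the fabric-pool- or netapp-backup prefixes, and all ARNs must belong to the expected partition. It covers the node policies only; the HA mediator policy uses EC2 actions and is out of scope.

```python
import json

# Partition prefix for each region class listed on the page.
PARTITIONS = {"standard": "aws", "govcloud": "aws-us-gov",
              "top-secret": "aws-iso", "secret": "aws-iso-b"}

def base_policy(partition):
    """Base node policy from the page with the partition substituted."""
    return {"Version": "2012-10-17", "Statement": [
        {"Action": "s3:ListAllMyBuckets",
         "Resource": f"arn:{partition}:s3:::*", "Effect": "Allow"},
        {"Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:{partition}:s3:::fabric-pool-*", "Effect": "Allow"},
        {"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:{partition}:s3:::fabric-pool-*", "Effect": "Allow"}]}

def policy_json(partition):
    """JSON text ready to paste into the IAM console or the CLI."""
    return json.dumps(base_policy(partition), indent=4)

def check_policy(doc, partition):
    """Return a list of findings; an empty list means the document keeps
    the scoping the page prescribes for the given partition."""
    findings = []
    prefix = f"arn:{partition}:s3:::"
    for i, st in enumerate(doc.get("Statement", [])):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") != "Allow" or not all(a.startswith("s3:") for a in actions):
            findings.append(f"statement {i}: unexpected effect or non-S3 action")
        for res in resources:
            if not res.startswith(prefix):
                findings.append(f"statement {i}: {res!r} is not in partition {partition}")
                continue
            bucket = res[len(prefix):]
            if bucket == "*" and actions != ["s3:ListAllMyBuckets"]:
                findings.append(f"statement {i}: wildcard bucket resource for {actions}")
            elif bucket != "*" and not bucket.startswith(("fabric-pool-", "netapp-backup")):
                findings.append(f"statement {i}: bucket {bucket!r} outside the expected prefixes")
    return findings
```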

Result

You can now select the IAM role when you create a new Cloud Volumes ONTAP working environment.