
Setting up an IAM role for Cloud Volumes ONTAP


An IAM role with the required permissions must be attached to each Cloud Volumes ONTAP node. The same applies to the HA mediator. The simplest option is to let Cloud Manager create the IAM role for you, but you can use your own.

This task is optional. When you create a Cloud Volumes ONTAP working environment, the default option is to let Cloud Manager create the IAM role for you. If your organization's security policies require you to create the IAM role yourself, follow the steps below.

Note: The AWS Commercial Cloud Services (C2S) environment requires that you provide your own IAM role. "Learn how to deploy Cloud Volumes ONTAP in C2S"

Steps
  1. Go to the AWS IAM console.

  2. Create IAM policies that include the following permissions:

    • Cloud Volumes ONTAP nodes

      Standard regions
      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Action": "s3:ListAllMyBuckets",
      			"Resource": "arn:aws:s3:::*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:ListBucket",
      				"s3:GetBucketLocation"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}, {
      			"Action": [
      				"s3:GetObject",
      				"s3:PutObject",
      				"s3:DeleteObject"
      			],
      			"Resource": "arn:aws:s3:::fabric-pool-*",
      			"Effect": "Allow"
      		}
      	]
      }
      GovCloud (US) regions
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-us-gov:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-us-gov:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
      C2S environment
      {
          "Version": "2012-10-17",
          "Statement": [{
              "Action": "s3:ListAllMyBuckets",
              "Resource": "arn:aws-iso:s3:::*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:ListBucket",
                  "s3:GetBucketLocation"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }, {
              "Action": [
                  "s3:GetObject",
                  "s3:PutObject",
                  "s3:DeleteObject"
              ],
              "Resource": "arn:aws-iso:s3:::fabric-pool-*",
              "Effect": "Allow"
          }]
      }
    • HA mediator

      {
      	"Version": "2012-10-17",
      	"Statement": [{
      			"Effect": "Allow",
      			"Action": [
      				"ec2:AssignPrivateIpAddresses",
      				"ec2:CreateRoute",
      				"ec2:DeleteRoute",
      				"ec2:DescribeNetworkInterfaces",
      				"ec2:DescribeRouteTables",
      				"ec2:DescribeVpcs",
      				"ec2:ReplaceRoute",
      				"ec2:UnassignPrivateIpAddresses"
      			],
      			"Resource": "*"
      		}
      	]
      }
  3. Create IAM roles and attach the policies that you created in the previous step to the roles.

You can now select the IAM roles when you create a new Cloud Volumes ONTAP working environment.
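The following script, an added example and not NetApp's own tooling, carries steps 2 and 3 above through the AWS CLI for the node role: it picks the ARN partition (aws, aws-us-gov or aws-iso) that matches the region, emits the node policy shown above for that partition, checks that only the s3:ListAllMyBuckets statement uses the account-wide S3 ARN, and then creates the role, the customer-managed policy and the instance profile through which an EC2 instance receives the role. The trust policy that limits sts:AssumeRole to the EC2 service, and the names CVO-Node-Role and CVO-Node-Role-S3, are assumptions not stated on the page; the HA mediator role is created the same way using the EC2 policy shown under "HA mediator".

```shell
#!/bin/sh
# Added example (not NetApp's own tooling): build the Cloud Volumes ONTAP node
# policy for the AWS partition that matches a region and, with --apply, create
# the role, policy and instance profile through the AWS CLI.
# Assumed names: CVO-Node-Role (role / instance profile), CVO-Node-Role-S3 (policy).

# The three policy variants on the page differ only in the ARN partition prefix.
partition_for_region() {
  case "$1" in
    us-gov-*) echo "aws-us-gov" ;;   # GovCloud (US) regions
    us-iso-*) echo "aws-iso" ;;      # C2S environment
    *)        echo "aws" ;;          # standard regions
  esac
}

# Node policy: bucket and object actions are limited to buckets named
# fabric-pool-*; only s3:ListAllMyBuckets needs the account-wide ARN.
node_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:$1:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:$1:s3:::fabric-pool-*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:$1:s3:::fabric-pool-*"
    }
  ]
}
EOF
}

# Trust policy (an assumption, not shown on the page): only the EC2 service may
# assume the role, so it is usable solely through the instance profile attached
# to the nodes, not by IAM users or other accounts.
trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Sanity check before the policy reaches IAM: the account-wide S3 ARN may appear
# exactly once (ListAllMyBuckets) and both other statements must name fabric-pool-*.
policy_is_scoped() {
  wide=$(printf '%s\n' "$1" | grep -c ':s3:::\*"' || true)
  scoped=$(printf '%s\n' "$1" | grep -c ':s3:::fabric-pool-\*"' || true)
  [ "$wide" -eq 1 ] && [ "$scoped" -eq 2 ]
}

# Steps 2 and 3 of the procedure via the AWS CLI; credentials come from the
# environment. The role reaches the EC2 instances through an instance profile.
create_node_role() {
  region=$1
  role=$2
  policy_json=$(node_policy "$(partition_for_region "$region")")
  policy_is_scoped "$policy_json" || { echo "refusing unscoped policy" >&2; return 1; }

  aws iam create-role --role-name "$role" \
      --assume-role-policy-document "$(trust_policy)"
  policy_arn=$(aws iam create-policy --policy-name "${role}-S3" \
      --policy-document "$policy_json" --query Policy.Arn --output text)
  aws iam attach-role-policy --role-name "$role" --policy-arn "$policy_arn"
  aws iam create-instance-profile --instance-profile-name "$role"
  aws iam add-role-to-instance-profile --instance-profile-name "$role" --role-name "$role"
}

# Usage: sh cvo_node_role.sh [REGION]          -> print the policy for that region
#        sh cvo_node_role.sh --apply REGION    -> create the role in AWS
case "${1:-}" in
  --apply) create_node_role "${2:-us-east-1}" "${3:-CVO-Node-Role}" ;;
  *)       node_policy "$(partition_for_region "${1:-us-east-1}")" ;;
esac
```

Run it with a region to review the generated policy first (for example sh cvo_node_role.sh us-gov-west-1 prints the aws-us-gov variant), then with --apply REGION to create the resources using whatever AWS CLI credentials are in the environment. Choosing the partition from the region matters because a policy written with the wrong prefix is accepted by IAM but never matches the buckets, so the nodes silently lose access to their fabric-pool-* storage.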