IAM permissions to create a new Redshift cluster from another cluster's snapshot

I want to create a user that can, in order:

  1. Create a Redshift snapshot on <old-cluster>
  2. Create a new Redshift cluster, <new-cluster>, from this snapshot
  3. Resume/pause <new-cluster>
  4. Delete <new-cluster>

For the user I created, I made a new policy and listed the following IAM permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "redshift:RestoreFromClusterSnapshot",
                "redshift:DeleteCluster",
                "redshift:CreateCluster",
                "redshift:PauseCluster",
                "redshift:ResumeCluster"
            ],
            "Resource": [
                "arn:aws:redshift:<region>:<account>:snapshot:*/*",
                "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "redshift:ExecuteQuery"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "redshift:CreateClusterSnapshot",
            "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
        }
    ]
}

This lets the user create the snapshot fine. But when I try to create the new cluster from the snapshot using the CLI, I get an (UnauthorizedOperation) error.

The command (with $WAREHOUSE_NAME and $SNAPSHOT_IDENTIFIER set; <user> refers to the user I created):

aws redshift restore-from-cluster-snapshot \
    --cluster-identifier $WAREHOUSE_NAME \
    --snapshot-identifier $SNAPSHOT_IDENTIFIER \
    --port 5439 \
    --availability-zone <region> \
    --cluster-subnet-group-name <subnet-group> \
    --no-publicly-accessible \
    --cluster-parameter-group <param-group> \
    --vpc-security-group-ids <security-group> \
    --automated-snapshot-retention-period 1 \
    --manual-snapshot-retention-period 1 \
    --number-of-nodes 2 \
    --aqua-configuration-status disabled \
    --no-availability-zone-relocation \
    --profile <user>

I get the following error:

An error occurred (UnauthorizedOperation) when calling the RestoreFromClusterSnapshot operation: Access Denied. Please ensure that your IAM Permissions allow this operation.

Has anyone run into this?

Update

I found this post about Redshift permissions, which includes a list of required EC2 permissions. I have now updated the permissions in the policy above to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "redshift:RestoreFromClusterSnapshot",
                "redshift:DeleteCluster",
                "redshift:CopyClusterSnapshot",
                "redshift:CreateCluster",
                "redshift:AuthorizeSnapshotAccess",
                "redshift:PauseCluster",
                "redshift:RevokeSnapshotAccess",
                "redshift:ResumeCluster"
            ],
            "Resource": [
                "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>",
                "arn:aws:redshift:<region>:<account>:snapshot:*/<new-cluster>"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusters",
                "ec2:DescribeAccountAttributes",
                "redshift:DescribeClusterParameterGroups",
                "redshift:ExecuteQuery",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "redshift:DescribeClusterSubnetGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "redshift:CreateClusterSnapshot",
            "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
        }
    ]
}

When I try the same command as before, I now run into the following error:

An error occurred (InvalidParameterValue) when calling the RestoreFromClusterSnapshot operation: Unable to restore cluster. The key 'arn:aws:kms:<region>:<account>:key/<key-id>' is inaccessible.

That key ID refers to the original KMS key used to encrypt <old-cluster>.

I think it has something to do with --kms-key-id, which is a parameter of the restore-from-cluster-snapshot CLI command?

I managed to solve this myself.

I was missing two key bits of configuration:

  1. The EC2 permissions in the IAM policy of the user I created
  2. Adding the user to the KMS key used to encrypt <old-cluster>

Solving 1. was done by adding the EC2 permissions to the policy I created. The final permissions JSON looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "redshift:RestoreFromClusterSnapshot",
                "redshift:DeleteCluster",
                "kms:GetPublicKey",
                "redshift:CopyClusterSnapshot",
                "redshift:CreateCluster",
                "redshift:AuthorizeSnapshotAccess",
                "redshift:PauseCluster",
                "redshift:RevokeSnapshotAccess",
                "redshift:ResumeCluster"
            ],
            "Resource": [
                "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>",
                "arn:aws:redshift:<region>:<account>:snapshot:*/<new-cluster>",
                "arn:aws:kms:<region>:<account>:key/<key-id>"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInternetGateways",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "redshift:DescribeClusterSnapshots",
                "redshift:DescribeClusters",
                "ec2:DescribeAccountAttributes",
                "redshift:DescribeClusterParameterGroups",
                "redshift:ExecuteQuery",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "redshift:DescribeClusterSubnetGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "redshift:CreateClusterSnapshot",
            "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
        }
    ]
}

Solving 2. was done by adding the user I created to the KMS key used to encrypt <old-cluster>. The KMS key policy now looks like this (where <user> is the user I created):

{
    "Version": "2012-10-17",
    "Id": "redshift-default-key-1",
    "Statement": [
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account>:user/<user>",
                    "arn:aws:iam::<account>:root"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

Finally, the command I used to restore from the cluster snapshot is:

aws redshift restore-from-cluster-snapshot \
    --cluster-identifier $WAREHOUSE_NAME \
    --snapshot-identifier $SNAPSHOT_IDENTIFIER \
    --snapshot-cluster-identifier <old-cluster> \
    --port 5439 \
    --availability-zone <region> \
    --cluster-subnet-group-name <subnet-group> \
    --no-publicly-accessible \
    --cluster-parameter-group <param-group> \
    --vpc-security-group-ids <security-group> \
    --automated-snapshot-retention-period 1 \
    --manual-snapshot-retention-period 1 \
    --number-of-nodes 2 \
    --aqua-configuration-status disabled \
    --no-availability-zone-relocation \
    --profile <user>

And it works! Hope this helps if you run into a similar problem :)
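A check on the key policy in the answer above, added here as an example and not part of the original post: the "Allow administration of the key" statement makes <user> a full key administrator (kms:Delete*, kms:Put*, kms:ScheduleKeyDeletion and so on), which is far more than restoring a snapshot needs. The snippet lists the admin actions that policy grants the user and builds a restore-only replacement; the replacement's action set, the kms:ViaService value and the <account>/<user>/<region> placeholders are assumptions, not taken from the page.

```python
import fnmatch

# Key-administration actions a snapshot-restore user never needs
# (constructed list for this check; not exhaustive).
ADMIN_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:DisableKey",
                 "kms:PutKeyPolicy", "kms:CreateKey", "kms:DeleteAlias", "kms:EnableKey"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def admin_actions_granted(key_policy, principal_arn):
    """Admin actions a principal gets from a key policy; wildcard patterns
    such as kms:Delete* are expanded against ADMIN_ACTIONS."""
    found = set()
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(st.get("Principal", {}).get("AWS", [])):
            continue
        for pattern in _as_list(st.get("Action", [])):
            found.update(a for a in ADMIN_ACTIONS if fnmatch.fnmatchcase(a, pattern))
    return sorted(found)

def restore_only_statements(principal_arn, region):
    """Least-privilege replacement: the KMS console's standard 'key user'
    action set, usable only through the Redshift service endpoint, plus the
    grants Redshift creates for its own resources. That this set is enough
    for a restore is an assumption, not something the page states."""
    via_redshift = {"StringEquals": {"kms:ViaService": f"redshift.{region}.amazonaws.com"}}
    return [
        {"Sid": "AllowKeyUseViaRedshift", "Effect": "Allow",
         "Principal": {"AWS": principal_arn}, "Resource": "*", "Condition": via_redshift,
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Sid": "AllowGrantsForRedshiftResources", "Effect": "Allow",
         "Principal": {"AWS": principal_arn}, "Resource": "*",
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]

# Constructed sample mirroring the key policy in the answer above.
USER = "arn:aws:iam::<account>:user/<user>"
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Allow administration of the key", "Effect": "Allow",
    "Principal": {"AWS": [USER, "arn:aws:iam::<account>:root"]}, "Resource": "*",
    "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
               "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
               "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:Encrypt",
               "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]}]}
TIGHTENED = {"Version": "2012-10-17", "Statement": restore_only_statements(USER, "<region>")}
```

Keeping the root principal in its own administration statement (as the page's policy does) stays necessary so the key does not become unmanageable; only the restore user's statement should shrink.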