This is an automated email from the ASF dual-hosted git repository.
yaqian pushed a commit to branch kylin4_on_cloud
in repository https://gitbox.apache.org/repos/asf/kylin.git
The following commit(s) were added to refs/heads/kylin4_on_cloud by this push:
new 06d5c2c Add permission policy (#1839)
06d5c2c is described below
commit 06d5c2c930d4497c3d24fae823a697126db8a4a2
Author: Yaqian Zhang <[email protected]>
AuthorDate: Wed Mar 30 15:33:53 2022 +0800
Add permission policy (#1839)
---
images/add_policy_to_user.png | Bin 0 -> 170700 bytes
images/check_user_permission.png | Bin 92931 -> 210813 bytes
images/create_permission_policy.png | Bin 0 -> 176685 bytes
images/create_user.png | Bin 0 -> 265688 bytes
images/policy_json.png | Bin 0 -> 98867 bytes
images/review_create_policy.png | Bin 0 -> 308829 bytes
readme/prerequisites.md | 158 +++++++++++++++++++++++++++++++++++-
7 files changed, 154 insertions(+), 4 deletions(-)
diff --git a/images/add_policy_to_user.png b/images/add_policy_to_user.png
new file mode 100644
index 0000000..04c0a5b
Binary files /dev/null and b/images/add_policy_to_user.png differ
diff --git a/images/check_user_permission.png b/images/check_user_permission.png
index ddff924..cac2d46 100644
Binary files a/images/check_user_permission.png and
b/images/check_user_permission.png differ
diff --git a/images/create_permission_policy.png
b/images/create_permission_policy.png
new file mode 100644
index 0000000..6442c1a
Binary files /dev/null and b/images/create_permission_policy.png differ
diff --git a/images/create_user.png b/images/create_user.png
new file mode 100644
index 0000000..1d5ac49
Binary files /dev/null and b/images/create_user.png differ
diff --git a/images/policy_json.png b/images/policy_json.png
new file mode 100644
index 0000000..91c8328
Binary files /dev/null and b/images/policy_json.png differ
diff --git a/images/review_create_policy.png b/images/review_create_policy.png
new file mode 100644
index 0000000..9bb83f0
Binary files /dev/null and b/images/review_create_policy.png differ
diff --git a/readme/prerequisites.md b/readme/prerequisites.md
index 400f62d..67cb549 100644
--- a/readme/prerequisites.md
+++ b/readme/prerequisites.md
@@ -1,12 +1,14 @@
## Prerequisites
-### I. Check user permission
+### I. Create `user` and add permission
-Login AWS account and check whether the current user has sufficient
permissions in AWS IAM service:
+#### 1. Create a `user` in AWS IAM service
-
+
-If the current user lacks some permissions listed below, you need to add the
permissions to ensure that the current user can carry out subsequent operations
smoothly:
+#### 2. Add permission for user
+
+Users need the following permissions to ensure that subsequent operations can
proceed smoothly:
| Services | Access level
| Resources | Request condition |
| ------------------- | ------------------------------------------------------
| ------------- | ----------------- |
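Review bot: Step 1 ("Create a `user` in AWS IAM service") carries no text besides the screenshot, so the reader is not told what kind of user to create or why a new one is needed. Add a sentence saying that this should be a dedicated IAM user for the deployment, not a reused personal or administrator account, and which access type it needs, given that the next section creates an Access Key. The removed wording about checking the current user's permissions also has no replacement, so it is worth saying whether an existing user with the listed permissions is still acceptable. Style: "Add permission for user" and "Users need the following permissions" would read better as "Add permissions to the user" and "The user needs the following permissions".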
@@ -19,6 +21,154 @@ If the current user lacks some permissions listed below,
you need to add the per
| **STS** | **Limited**: Write
| All Resources | None |
| **Systems Manager** | **Limited**: Write
| All Resources | None |
+##### How to add the required permissions for user?
+
+###### 1. Create a permission policy in AWS IAM services:
+
+
+
+###### 2. Choose `JSON`:
+
+
+
+###### 3. Paste the following content to "statement":
+
+```json
+{
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:ListAccessPointsForObjectLambda",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DescribeInstances",
+ "ec2:AttachInternetGateway",
+ "iam:PutRolePolicy",
+ "rds:CreateDBSubnetGroup",
+ "iam:AddRoleToInstanceProfile",
+ "rds:ModifyDBParameterGroup",
+ "cloudformation:DescribeStackEvents",
+ "ec2:CreateRoute",
+ "ec2:CreateInternetGateway",
+ "cloudformation:UpdateStack",
+ "ec2:DescribeKeyPairs",
+ "cloudformation:ListStackResources",
+ "iam:GetRole",
+ "ec2:CreateTags",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "elasticloadbalancing:CreateTargetGroup",
+ "ec2:RunInstances",
+ "cloudwatch:GetMetricStatistics",
+ "ec2:CreateVpcEndpointServiceConfiguration",
+ "ec2:CreateNetworkInterface",
+ "cloudformation:GetStackPolicy",
+ "elasticloadbalancing:AddTags",
+ "cloudformation:DeleteStack",
+ "ec2:CreateSubnet",
+ "ec2:DescribeSubnets",
+ "iam:GetRolePolicy",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "cloudformation:ValidateTemplate",
+ "iam:CreateInstanceProfile",
+ "ec2:CreateNatGateway",
+ "ec2:CreateVpc",
+ "sns:ListTopics",
+ "s3:ListBucket",
+ "cloudformation:CreateStackInstances",
+ "iam:ListInstanceProfilesForRole",
+ "iam:PassRole",
+ "ec2:DescribeAvailabilityZones",
+ "s3:PutBucketTagging",
+ "rds:CreateDBInstance",
+ "sts:DecodeAuthorizationMessage",
+ "rds:DescribeDBInstances",
+ "rds:AddTagsToResource",
+ "s3:ListBucketMultipartUploads",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "ec2:AttachVpnGateway",
+ "iam:ListRoles",
+ "elasticloadbalancing:SetSubnets",
+ "ec2:DescribeSecurityGroups",
+ "iam:CreatePolicy",
+ "iam:CreateServiceLinkedRole",
+ "s3:ListAllMyBuckets",
+ "ec2:DescribeVpcs",
+ "elasticloadbalancing:DescribeTargetGroups",
+ "elasticloadbalancing:RegisterTargets",
+ "iam:CreateRole",
+ "s3:CreateBucket",
+ "rds:DescribeEngineDefaultParameters",
+ "cloudformation:DescribeStackResource",
+ "ec2:AssociateVpcCidrBlock",
+ "ec2:AssociateRouteTable",
+ "ec2:DescribeInternetGateways",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:CreateRule",
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeRouteTables",
+ "rds:CreateDBParameterGroup",
+ "cloudformation:DescribeStackInstance",
+ "s3:ListJobs",
+ "ec2:CreateRouteTable",
+ "cloudformation:DescribeStackResources",
+ "rds:DescribeDBSecurityGroups",
+ "rds:StartDBInstance",
+ "cloudformation:DescribeStacks",
+ "s3:ListMultipartUploadParts",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "cloudformation:GetTemplate",
+ "ec2:AssociateSubnetCidrBlock",
+ "ec2:DescribeInstanceTypes",
+ "rds:DescribeOrderableDBInstanceOptions",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:DescribeAddresses",
+ "rds:DescribeDBSubnetGroups",
+ "ec2:DescribeInstanceAttribute",
+ "s3:ListBucketVersions",
+ "rds:DescribeDBParameterGroups",
+ "elasticloadbalancing:CreateListener",
+ "ec2:DescribeNetworkInterfaces",
+ "elasticloadbalancing:DescribeListeners",
+ "ec2:CreateSecurityGroup",
+ "ec2:ModifyVpcAttribute",
+ "rds:DescribeDBParameters",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "cloudformation:ListStacks",
+ "s3:PutBucketPublicAccessBlock",
+ "iam:GetInstanceProfile",
+ "s3:ListAccessPoints",
+ "ec2:DescribeNatGateways",
+ "s3:ListMultiRegionAccessPoints",
+ "ec2:AllocateAddress",
+ "cloudformation:GetTemplateSummary",
+ "s3:ListStorageLensConfigurations",
+ "cloudformation:CreateStack",
+ "ec2:CreateVpcEndpoint",
+ "elasticloadbalancing:DescribeTargetHealth",
+ "elasticloadbalancing:SetSecurityGroups",
+ "ec2:AttachNetworkInterface"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": "servicequotas:GetServiceQuota",
+ "Resource": "*"
+ }
+```
+
+If there is a problem with the `JSON` here, you can manually add permissions
in `Visual editor` according to the contents of the required permission list.
+
+###### 4. Review and create policy
+
+
+
+###### 5. Add the permission policy you just created to your user:
+
+
+
+
+
### II. Create key pair and Access Key<a name="keypair"></a>
> Note:
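Review bot: In the `VisualEditor0` statement, the IAM write actions (`iam:CreateRole`, `iam:PutRolePolicy`, `iam:CreatePolicy`, `iam:AddRoleToInstanceProfile`, `iam:PassRole`) are granted on `"Resource": "*"` together with `ec2:RunInstances`, so the documented user can create a role with any policy and attach it to an instance. That is much broader than the "**Limited**: Write" access levels in the table suggest. Please move the IAM actions into their own statement whose `Resource` is restricted to the roles and instance profiles this deployment creates, and add a `Condition` on `iam:PassedToService` for `iam:PassRole`. Destructive or exposure-relevant actions such as `cloudformation:DeleteStack`, `cloudformation:UpdateStack` and `ec2:AuthorizeSecurityGroupIngress` would likewise benefit from resource or tag scoping. Separately, the snippet is two bare statement objects with no enclosing `Version` or `Statement` array, so step 3 should state explicitly that it replaces the contents of the `"Statement": [ ... ]` array in the editor's default document; otherwise the pasted result is not valid policy JSON.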