I would like to create a user so that it can:
<old-cluster>
<new-cluster><new-cluster><new-cluster>

For the user I created, I made a new policy with the following IAM permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "redshift:RestoreFromClusterSnapshot",
        "redshift:DeleteCluster",
        "redshift:CreateCluster",
        "redshift:PauseCluster",
        "redshift:ResumeCluster"
      ],
      "Resource": [
        "arn:aws:redshift:<region>:<account>:snapshot:*/*",
        "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift:ExecuteQuery"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterSnapshot",
      "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
    }
  ]
}
```

This lets the user create snapshots. But when I try to create a new cluster from a snapshot using the CLI, I get an (UnauthorizedOperation) error.
The command (with $WAREHOUSE_NAME and $SNAPSHOT_IDENTIFIER set; <user> refers to the user I created):

```bash
aws redshift restore-from-cluster-snapshot \
  --cluster-identifier $WAREHOUSE_NAME \
  --snapshot-identifier $SNAPSHOT_IDENTIFIER \
  --port 5439 \
  --availability-zone <region> \
  --cluster-subnet-group-name <subnet-group> \
  --no-publicly-accessible \
  --cluster-parameter-group <param-group> \
  --vpc-security-group-ids <security-group> \
  --automated-snapshot-retention-period 1 \
  --manual-snapshot-retention-period 1 \
  --number-of-nodes 2 \
  --aqua-configuration-status disabled \
  --no-availability-zone-relocation \
  --profile <user>
```

I get the following error:

```text
An error occurred (UnauthorizedOperation) when calling the RestoreFromClusterSnapshot operation: Access Denied. Please ensure that your IAM Permissions allow this operation.
```

Has anyone run into this before?
Update

I found this post about Redshift permissions, which includes a set of required EC2 permissions. I have now updated the permissions of the policy above as follows:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "redshift:RestoreFromClusterSnapshot",
        "redshift:DeleteCluster",
        "redshift:CopyClusterSnapshot",
        "redshift:CreateCluster",
        "redshift:AuthorizeSnapshotAccess",
        "redshift:PauseCluster",
        "redshift:RevokeSnapshotAccess",
        "redshift:ResumeCluster"
      ],
      "Resource": [
        "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>",
        "arn:aws:redshift:<region>:<account>:snapshot:*/<new-cluster>"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusters",
        "ec2:DescribeAccountAttributes",
        "redshift:DescribeClusterParameterGroups",
        "redshift:ExecuteQuery",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "redshift:DescribeClusterSubnetGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterSnapshot",
      "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
    }
  ]
}
```

Now, when I try the same command as before, I get the following error instead:

```text
An error occurred (InvalidParameterValue) when calling the RestoreFromClusterSnapshot operation: Unable to restore cluster. The key 'arn:aws:kms:<region>:<account>:key/<key-id>' is inaccessible.
```

That key ID refers to the original KMS key used to encrypt <old-cluster>.

I assume this is related to --kms-key-id, which is a parameter of the restore-from-cluster-snapshot CLI command?
Posted on 2022-02-24 17:52:47
I solved this myself.

I was missing two key parts of the configuration:
<old-cluster> in the KMS key used for encryption.

Solution 1 was done by adding the EC2 permissions to the policy I created. The final permissions JSON looks like this:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "redshift:RestoreFromClusterSnapshot",
        "redshift:DeleteCluster",
        "kms:GetPublicKey",
        "redshift:CopyClusterSnapshot",
        "redshift:CreateCluster",
        "redshift:AuthorizeSnapshotAccess",
        "redshift:PauseCluster",
        "redshift:RevokeSnapshotAccess",
        "redshift:ResumeCluster"
      ],
      "Resource": [
        "arn:aws:redshift:<region>:<account>:cluster:<new-cluster>",
        "arn:aws:redshift:<region>:<account>:snapshot:*/<new-cluster>",
        "arn:aws:kms:<region>:<account>:key/<key-id>"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "redshift:DescribeClusterSnapshots",
        "redshift:DescribeClusters",
        "ec2:DescribeAccountAttributes",
        "redshift:DescribeClusterParameterGroups",
        "redshift:ExecuteQuery",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "redshift:DescribeClusterSubnetGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "redshift:CreateClusterSnapshot",
      "Resource": "arn:aws:redshift:<region>:<account>:snapshot:<old-cluster>/*"
    }
  ]
}
```

Solution 2 was done by adding the user I created to the KMS key used to encrypt <old-cluster>. The KMS key policy now looks like this (where <user> is the user I created):
```json
{
  "Version": "2012-10-17",
  "Id": "redshift-default-key-1",
  "Statement": [
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account>:user/<user>",
          "arn:aws:iam::<account>:root"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

Finally, the command I used to restore from the cluster snapshot is:
```bash
aws redshift restore-from-cluster-snapshot \
  --cluster-identifier $WAREHOUSE_NAME \
  --snapshot-identifier $SNAPSHOT_IDENTIFIER \
  --snapshot-cluster-identifier <old-cluster> \
  --port 5439 \
  --availability-zone <region> \
  --cluster-subnet-group-name <subnet-group> \
  --no-publicly-accessible \
  --cluster-parameter-group <param-group> \
  --vpc-security-group-ids <security-group> \
  --automated-snapshot-retention-period 1 \
  --manual-snapshot-retention-period 1 \
  --number-of-nodes 2 \
  --aqua-configuration-status disabled \
  --no-availability-zone-relocation \
  --profile <user>
```

And it worked! Hope this helps if you run into something similar :)
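The two policies from this thread, run through a small offline evaluator. This is an added example, not code from the question or the answer above. It checks two things a reviewer would want to see before attaching these documents: that the identity policy lets the user restore into <new-cluster> and snapshot <old-cluster> but not delete <old-cluster> (the scoping the final policy's Resource ARNs are there for), and which destructive KMS actions the key policy's wildcard entries (kms:Delete*, kms:Put*, kms:Disable*, kms:Revoke*) hand to the same user once it is listed in the key's administration statement. The account id, region, key id, cluster names and user ARN are constructed stand-ins for the thread's placeholders; `policy_allows`, `destructive_key_grants` and `redshift_arn` are helper names invented for this example; and the evaluator deliberately covers only Effect, Action, Resource and AWS principals with `*`/`?` wildcards (no Condition, NotAction, NotResource or policy variables), so it is a pre-deployment sanity check rather than a substitute for IAM's own evaluation.

```python
"""Offline sanity checks for the identity policy and KMS key policy in this thread."""
import fnmatch

# Constructed sample values standing in for <region>, <account>, <key-id>,
# <old-cluster>, <new-cluster> and <user> in the thread.
REGION, ACCOUNT = "us-east-1", "111122223333"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
OLD_CLUSTER, NEW_CLUSTER = "old-cluster", "new-cluster"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/restore-user"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{KEY_ID}"


def redshift_arn(kind, name):
    """Build a Redshift ARN, e.g. redshift_arn('cluster', 'x') or redshift_arn('snapshot', 'x/snap')."""
    return f"arn:aws:redshift:{REGION}:{ACCOUNT}:{kind}:{name}"


# Same shape as the thread's final identity policy, with the sample values substituted.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["redshift:RestoreFromClusterSnapshot", "redshift:DeleteCluster",
                    "kms:GetPublicKey", "redshift:CopyClusterSnapshot", "redshift:CreateCluster",
                    "redshift:AuthorizeSnapshotAccess", "redshift:PauseCluster",
                    "redshift:RevokeSnapshotAccess", "redshift:ResumeCluster"],
         "Resource": [redshift_arn("cluster", NEW_CLUSTER),
                      redshift_arn("snapshot", f"*/{NEW_CLUSTER}"), KEY_ARN]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
                    "redshift:DescribeClusters", "redshift:DescribeClusterSnapshots"],
         "Resource": "*"},
        {"Sid": "VisualEditor2", "Effect": "Allow",
         "Action": "redshift:CreateClusterSnapshot",
         "Resource": redshift_arn("snapshot", f"{OLD_CLUSTER}/*")},
    ],
}

# Same shape as the thread's KMS key policy: the restore user sits in the admin statement.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": [USER_ARN, f"arn:aws:iam::{ACCOUNT}:root"]},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion", "kms:Encrypt",
                    "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_match(patterns, action):
    # IAM compares action names case-insensitively; '*' and '?' are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_match(patterns, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_match(statement, principal):
    spec = statement.get("Principal")
    if spec is None or spec == "*":   # identity policy (no Principal) or open to everyone
        return True
    aws = _as_list(spec.get("AWS", [])) if isinstance(spec, dict) else []
    return any(p in ("*", principal) for p in aws)


def policy_allows(policy, action, resource, principal=None):
    """Explicit Deny wins over any Allow; no matching statement means implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_match(st, principal)
                and _action_match(st.get("Action", []), action)
                and _resource_match(st.get("Resource", []), resource)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# KMS actions that can lock data out (disable/delete the key) or silently widen access to it.
DESTRUCTIVE_KMS_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:DisableKey",
                           "kms:PutKeyPolicy", "kms:RevokeGrant", "kms:DeleteAlias"]


def destructive_key_grants(key_policy, principal, key_arn):
    """Return the destructive KMS actions `key_policy` grants `principal` on `key_arn`."""
    return [a for a in DESTRUCTIVE_KMS_ACTIONS
            if policy_allows(key_policy, a, key_arn, principal)]


if __name__ == "__main__":
    print("restore into new cluster:", policy_allows(
        IDENTITY_POLICY, "redshift:RestoreFromClusterSnapshot", redshift_arn("cluster", NEW_CLUSTER)))
    print("delete old cluster:", policy_allows(
        IDENTITY_POLICY, "redshift:DeleteCluster", redshift_arn("cluster", OLD_CLUSTER)))
    print("destructive KMS grants to restore user:",
          destructive_key_grants(KEY_POLICY, USER_ARN, KEY_ARN))
```

Running it shows the identity policy doing what the Resource ARNs intend (restore and snapshot allowed where scoped, delete of the old cluster denied) while the key policy hands the restore user every action on the destructive list, because the admin statement's `kms:Delete*`, `kms:Put*`, `kms:Disable*` and `kms:Revoke*` wildcards cover them. That is the difference between listing a workload user as a key administrator and granting it only the usage actions it needs, and it is worth checking this way before the key policy is applied, since a key policy change is itself gated by `kms:PutKeyPolicy`.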
https://stackoverflow.com/questions/71219379