SQL server Engines Enable Log Exports to S3

From linuxsa wiki

s3 bucket


role

If the role already exists, two steps are enough to make the existing role usable by RDS:

1.    Edit the trust relationship

IAM → Roles → select your role → Trust relationships tab → Edit trust policy
Replace the contents with the following (keep a single Statement, with the Principal hard-coded to rds.amazonaws.com):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rds.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

→ Update policy
(This step is what gives RDS permission to assume the role.)

2.    Attach S3 write permissions (if not already attached)

Still on the same role page → Permissions tab → Add permissions → Create inline policy → JSON mode:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mslog",
        "arn:aws:s3:::mslog/*"
      ]
    }
  ]
}
→ Review → give it any name (e.g. mslog-rds-s3) → Create policy
Done.
The role ARN does not change; fill it straight into the IAM_ROLE_ARN setting of the SQLSERVER_AUDIT option. There is no need to recreate the role.
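Before pasting the two policies into the console, it is worth checking that they grant RDS exactly what the procedure above needs and nothing more: a trust policy whose only principal is rds.amazonaws.com and whose only action is sts:AssumeRole, and an S3 policy limited to the mslog bucket and the four listed actions. The script below is an added example written for this page, not code from the wiki or from AWS; the policy documents are the two shown above, the bucket name mslog is taken from the page, and the check functions and their finding messages are the author's own.

```python
import json

# Trust policy as shown on the page (what lets RDS assume the role).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "rds.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Inline S3 policy as shown on the page (bucket name mslog comes from the page).
BUCKET = "mslog"
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        }
    ],
}

# The four actions the SQLSERVER_AUDIT option needs, exactly as listed on the page.
REQUIRED_S3_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    """IAM allows a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc):
    """Return findings (empty list = the trust policy matches what the page prescribes)."""
    findings = []
    statements = _as_list(doc.get("Statement", []))
    if len(statements) != 1:
        findings.append(f"expected exactly one Statement, found {len(statements)}")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            findings.append("trust statement is not an Allow")
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append("Principal must be a service principal, not a wildcard or plain string")
            continue
        services = set(_as_list(principal.get("Service", [])))
        if services != {"rds.amazonaws.com"}:
            findings.append(f"Principal.Service must be exactly rds.amazonaws.com, got {sorted(services)}")
        extra = set(principal) - {"Service"}
        if extra:
            findings.append(f"unexpected principal types {sorted(extra)} (AWS accounts or users could assume the role)")
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != {"sts:AssumeRole"}:
            findings.append(f"Action must be exactly sts:AssumeRole, got {sorted(actions)}")
    return findings


def check_s3_policy(doc, bucket):
    """Return findings (empty list = the S3 policy is scoped to the bucket and the four actions)."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    granted, resources_seen = set(), set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        for action in actions:
            if "*" in action:
                findings.append(f"wildcard action {action!r} is broader than the four actions the option needs")
        for res in resources:
            if res not in {bucket_arn, objects_arn}:
                findings.append(f"resource {res!r} is outside the {bucket} bucket")
        granted |= actions
        resources_seen |= resources
    # s3:ListBucket is evaluated against the bucket ARN, the object actions against bucket/*.
    if bucket_arn not in resources_seen:
        findings.append(f"{bucket_arn} missing: s3:ListBucket would be denied")
    if objects_arn not in resources_seen:
        findings.append(f"{objects_arn} missing: object writes would be denied")
    missing = REQUIRED_S3_ACTIONS - granted
    if missing and not any("*" in a for a in granted):
        findings.append(f"missing required actions {sorted(missing)}")
    return findings


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(TRUST_POLICY) or "ok")
    print("s3 policy:", check_s3_policy(S3_POLICY, BUCKET) or "ok")
    print(json.dumps(TRUST_POLICY, indent=2))
```

Run it against the JSON you intend to paste (load it with json.load instead of the embedded dicts); an empty finding list for both policies means the role matches the page's procedure. Beyond what the page shows, a Condition on aws:SourceAccount in the trust policy further restricts which account's RDS instances may assume the role; the checker above does not require it.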