如何使用 IAM 用户帐户下载 EC2 X.509 证书? [英] How to download an EC2 X.509 certificate with an IAM User account?

问题描述

通过 AWS Identity and Access Management，我有一个用户账户到我的 CTO 的 AWS 账户(他被记入了一些钱).

Through the AWS Identity and Access Management, I have a user account to the AWS account of my CTO (who is credited with some money).

我想使用这个 IAM 用户帐户来设置我自己的实例以通过 ssh 连接到它并运行一些 BeautifulSoup python 脚本.

I wanted to use this IAM user account to set up my own instances to ssh to it and run some BeautifulSoup python scripts.

但是，按照本教程，当到达我需要继续Security Credentials 页面，我无法访问此页面，我是告诉我没有权限查看它.

However, following this tutorial, when arriving to the part where I need to go on the Security Credentials page, I can't access this page and I'm told I do not have the authorization to view it.

我通过 IAM 经理检查了我的权限，并且我拥有管理权限，最高权限(在我看来).

I checked my permissions with the IAM Manager, and I have administration rights, the highest possible clearance (so it seems to me).

我该怎么做才能获得此 X.509 证书?

What can I do to get this X.509 certificate ?

推荐答案

前言

首先，您可能需要重新考虑您是否真的需要这些 X.509 证书 - 本教程原则上是正确的:

Preface

First and foremost, you might want to reconsider whether you actually need these X.509 certificates - the tutorial is correct in principle:

共有三种类型:访问密钥、X.509 证书和密钥对.第一种和第二种类型允许您连接到 Amazon API.哪种类型的凭证取决于您使用的 API 和工具.一些 API 和工具支持这两种选项，而另一些只支持一个.

There are three types: access keys, X.509 certificates and key pairs. The first and second type allow you to connect to the Amazon APIs. Which type of credential depends on which API and tool you are using. Some APIs and tools support both options, whereas others support just one.

但是，如今大多数现代 API 和工具仅通过访问密钥而不是 X.509 证书与 AWS 交互.

However, nowadays most modern APIs and tools are interacting with AWS by means of access keys only rather than X.509 certificates.

不幸的是，本教程所基于的 EC2 API 工具并非如此，它确实需要使用 X.509 证书，因为(大部分)仍然基于较旧的 EC2 SOAP API.

更新:EC2 API 工具同时也支持 AWS 访问密钥和 相应地弃用 X.509 证书:

Update: The EC2 API Tools meanwhile support AWS access keys as well and deprecated using X.509 certificates accordingly:

虽然我们不鼓励它，但在有限的时间内你仍然可以使用EC2_PRIVATE_KEY 和 EC2_CERT 而不是 AWS_ACCESS_KEY 和AWS_SECRET_KEY.有关更多信息，请参阅常用选项中的弃用选项用于 Amazon Elastic Compute Cloud CLI 中的 API 工具参考.如果您指定两组凭据，命令行工具使用访问密钥 ID 和秘密访问密钥.

Although we don’t encourage it, for a limited time you can still use EC2_PRIVATE_KEY and EC2_CERT instead of AWS_ACCESS_KEY and AWS_SECRET_KEY. For more information, see Deprecated Options in Common Options for API Tools in the Amazon Elastic Compute Cloud CLI Reference. If you specify both sets of credentials, the command line tools use the access key ID and secret access key.

替代方案

不过，您可能想先查看替代方案:如果您熟悉 Python，我强烈推荐出色的 boto(Amazon Web Services 提供的当前和未来基础设施服务的集成接口)，可以很好地与访问密钥配合使用，提供与 EC2 API 工具几乎相同的功能集(以及大多数其他 AWS API)，并且由于仅针对较新的 AWS REST API，因此执行速度明显更快.

Alternative

You might want to check out an alternative first though: If you are comfortable in Python, I'd highly recommend the excellent boto (An integrated interface to current and future infrastructural services offered by Amazon Web Services), which works just fine with access keys, offers almost the same feature set as the EC2 API tools (plus most other AWS APIs) and performs significantly faster due to targeting the newer AWS REST APIs only.

AWS Identity and Access Management (IAM) 不支持访问实际的 AWS 账户，它仅涵盖 AWS 管理控制台，当然还有大多数 AWS API.您需要使用 AWS 账户的登录名和密码(即账户所有者的)登录才能访问 安全凭证 页面.

AWS Identity and Access Management (IAM) does not support accessing the actual AWS account, it only covers the AWS Management Console, and most AWS APIs of course. You'll need to sign in with the AWS account's login and password (i.e. those of the account owner) to access the Security Credentials page.

虽然不再推荐这样做(请参阅中的安全凭证部分)IAM 概念):

This is not recommended anymore though (see section Security Credentials within IAM Concepts):

[...] 当您创建 AWS 账户时，AWS 会提供默认情况下，AWS 帐户拥有自己的秘密访问密钥和访问密钥 ID.AWS 账户可以使用它们对 AWS 进行 API 调用.我们预计您不会定期使用这些凭据，但会使用它们只是为了最初为您的管理员组设置组织.我们建议所有进一步的 API 交互您的 AWS 账户和您的 AWS 资源处于用户级别(对于例如，使用用户的安全凭证).[强调我的]

[...] when you create an AWS account, AWS gives the AWS account its own Secret Access Key and Access Key ID by default. The AWS account can make API calls to AWS with them. We expect that you won't use those credentials on a regular basis, but will use them only to initially set up an administrators group for your organization. We recommend that all further API interaction between your AWS account and your AWS resources be at the user level (for example, using users' security credentials). [emphasis mine]

但是，您仍然可以通过使用自己的证书来实现您的目标，如X.509 证书部分所述:

虽然您可以使用 IAM 创建访问密钥，但您不能使用 IAM创建签名证书.但是，您可以使用免费的第三方OpenSSL 等工具来创建证书.[...] 在您拥有签名证书，您必须将其上传到 IAM；[...]

Although you can use IAM to create an access key, you can't use IAM to create a signing certificate. However, you can use free third-party tools such as OpenSSL to create the certificate. [...] After you have the signing certificate, you must upload it to IAM; [...]

如何实际执行后者在上传签名证书中说明.

How to actually do the latter is illustrated in Uploading a Signing Certificate.

这篇关于如何使用 IAM 用户帐户下载 EC2 X.509 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！