Terraform - assume_role_policy - similar but slightly different than standard IAM policy
Question
This page https://www.terraform.io/docs/provider/aws/r/iam_role.html says:
NOTE: This assume_role_policy is very similar but slightly different than just a standard IAM policy and cannot use an aws_iam_policy resource. It can however, use an aws_iam_policy_document data source, see example below for how this could work.
How does assume_role_policy differ from a standard IAM policy, and why?
Answer
An assume role policy is a special policy associated with a role that controls which principals (users, other roles, AWS services, etc) can "assume" the role. Assuming a role means generating temporary credentials to act with the privileges granted by the access policies associated with that role.
An assume role policy differs from a normal policy in the following ways:
- It is a property of the role itself, rather than a separate object associated with the role. There is only one assume role policy per role.
- The only Action that has any meaning in an assume role policy is sts:AssumeRole, since that is the API operation used to obtain temporary credentials for the role.
It is the first of these differences that creates the difference mentioned in the Terraform documentation: since a role has exactly one IAM policy and it is declared directly as part of the role, its policy document must be provided as an attribute of the aws_iam_role resource. The aws_iam_policy_document data source is just a simple transform of its input into an IAM JSON policy document format, so it can be used to generate the value of the assume_role_policy attribute.
When an AWS service makes calls to another API service on your behalf, it is internally obtaining temporary credentials for the role you designate, which it can then use to make calls to other service APIs. It is for this reason that it is necessary to create roles and assign them to services such as AWS Lambda, EC2 (via instance profiles), Kinesis Firehose, etc.
I wrote a more elaborate description of this as part of an answer to another question, which gives some examples of practical IAM roles, assume role policies and regular policies.
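The following Terraform configuration is an added example, not part of the answer above or of the Terraform documentation it quotes. It shows the two kinds of policy side by side for a Lambda execution role: the trust policy rendered by aws_iam_policy_document and passed straight into the assume_role_policy attribute of aws_iam_role, and the permissions policy kept as a separate aws_iam_policy resource and attached to the role. Resource names such as "example_lambda" and the log-related permissions are assumptions chosen for illustration.

```hcl
# Added example (not the original answer's code). Names and the exact
# permissions granted are illustrative assumptions.

# Trust policy: which principals may call sts:AssumeRole on this role.
# Only the Lambda service principal is trusted; no user or other role can
# obtain this role's temporary credentials.
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# The assume role policy is a property of the role itself, so the rendered
# JSON from the data source is supplied as an attribute of aws_iam_role
# rather than as an aws_iam_policy resource.
resource "aws_iam_role" "example_lambda" {
  name               = "example-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Permissions policy: what the temporary credentials may do once the role
# has been assumed. This is an ordinary IAM policy, so it lives in its own
# aws_iam_policy resource and is attached to the role separately. Keeping
# it scoped to the log actions the function actually needs is the
# least-privilege choice.
data "aws_iam_policy_document" "lambda_permissions" {
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["arn:aws:logs:*:*:*"]
  }
}

resource "aws_iam_policy" "lambda_permissions" {
  name   = "example-lambda-permissions"
  policy = data.aws_iam_policy_document.lambda_permissions.json
}

resource "aws_iam_role_policy_attachment" "lambda_permissions" {
  role       = aws_iam_role.example_lambda.name
  policy_arn = aws_iam_policy.lambda_permissions.arn
}
```

Before applying, the rendered trust document can be inspected with `terraform console` by evaluating `data.aws_iam_policy_document.lambda_assume_role.json`; the only action in it should be sts:AssumeRole and the only principal the service you intend to trust. Any other action placed in that document has no effect, which is the practical consequence of the second difference listed in the answer.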