给定一个AWS访问/密钥对,我如何检索其IAM权限? [英] Given an AWS Access / Secret Key Pair, how do I retrieve its IAM permissions?
问题描述
仅输入一个AWS Access Key和一个AWS Secret Key,我如何使用AWS开发工具包查找该帐户可以执行的权限类型?
Given the input of just an AWS Access Key and an AWS Secret Key, how can I use the AWS SDK to lookup what kind of permissions that the account can do?
我想为客户执行XYZ,因此客户需要将访问密钥和秘密密钥提供给我,以便以编程方式执行XYZ.但是,在尝试执行任何这些操作之前,我想验证他们提供给我的凭据是否具有某些特权,例如能够创建S3对象或能够启动EC2实例.
I want do XYZ for a customer so the customer needs to give the access key and secret key to me to perform XYZ programmatically. However, before trying to do any of those actions, I'd like to verify that the credentials they gave me have access to certain privileges, such as being able to create S3 objects or being able to launch an EC2 instance.
这样,我可以先验证访问密钥和秘密密钥是否具有执行某项操作的权限.
That way, I can validate if the access key and secret key has permission to do something before I do it on their behalf.
推荐答案
You can use the SimulatePrincipalPolicy API to simulate how a set of IAM policies attached to an IAM entity works with a list of API actions and AWS resources to determine the policies' effective permissions.
该实体可以是IAM用户,组或角色.如果指定用户,则模拟还将包括附加到该用户所属组的所有策略.
The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies that are attached to groups that the user belongs to.
您需要为用户的ARN提供"SimulatePrincipalPolicy" API,作为 PolicySourceArn 输入参数(无需使用可选的 CallerArn 输入参数).如果您具有访问密钥ID和秘密访问密钥,则可以通过调用
You'll need to provide the "SimulatePrincipalPolicy" API with that user's ARN as the PolicySourceArn input parameter (no need to use the optional CallerArn input parameter). If you have the access key ID and secret access key, you can retrieve the user's ARN by calling the GetUser API using that user credentials, i.e., without specifying the UserName input parameter. If no user name is included, the GetUser API defaults to the user making the request.
这篇关于给定一个AWS访问/密钥对,我如何检索其IAM权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
