假设多个AWS IAM角色是一次 [英] Assume multiple AWS IAM roles are a single time

问题描述

有时，我需要使用单独的IAM角色访问我可以单独访问的多个AWS资源.如果我需要将这些资源一起使用，那么我现在必须找出一个非本地的连接器.

On occasion, I need to access multiple AWS resources that I have individual access for with separate IAM roles. If I need these resources to be used together, I currently have to figure out a non-native connector piece.

如果我可以同时访问这些资源，有时可以使用AWS连接器一次与这两个资源进行接口(

If I could access the resources together at the same time, I can sometimes use an AWS connector to interface with both resources at once (for example).

是否可以同时承担多个IAM角色?

Is there a way to assume multiple IAM roles at the same time?

推荐答案

从技术上讲，是的，有一种方法可以同时承担多个IAM角色.

Technically, yes, there is a way to assume multiple IAM roles at the same time.

但这并不意味着您打算做什么.

But it doesn't mean what you intend.

假设IAM角色不会更改您的身份，也不会更改您拥有的权限，这与对采用不同身份的含义的直观解释相反.取而代之的是，当您担任角色时，会为您提供一组新的临时凭据供您使用，而不是您的"凭据-您用于承担角色的凭据.

Assuming an IAM role doesn't modify who you are and doesn't modify what permissions you have -- contrary to the intuitive interpretation of what it might mean to assume a different identity. Instead, when you assume a role, you are given a new set of temporary credentials to use, instead of "your" credentials -- the credentials you used to assume the role.

使用这些临时凭据发出的请求将根据授予该角色的权限进行授权.

Requests made with these temporary credentials are authorized against the permissions granted to the role.

因此，尽管您可以同时担任多个角色，但是这些操作中的每个操作都有一组单独的关联凭据，因此，它不允许您发出要求您拥有多个角色权限的请求对于任何给定的请求.

Thus, while you can assume multiple roles at the same time, each of those actions has a separate set of associated credentials, so it won't allow you to make requests that require you to have the permissions of more than one role for any given request.

每个请求都是由一个委托人执行的，因此，如果您尝试执行一个需要多个角色的权限并集的单个操作，则是不可能的.

Every request is performed by a single principal, so if you are trying to perform a single action that requires the union of the permissions of multiple roles, that's a not possible.

这篇关于假设多个AWS IAM角色是一次的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！