在AWS IAM中，“路径"的目的/用途是什么?多变的? [英] In AWS IAM, What is the Purpose/Use of the "Path" Variable?

问题描述

在IAM中，通过CLI或API创建IAM用户时，"Path"变量的用途是什么?

In IAM, what is the purpose/use of the "Path" variable when creating an IAM User via the CLI or API?

推荐答案

IAM中的path变量用于在唯一的命名空间中对相关用户和组进行分组，通常是出于组织目的.

The path variable in IAM is used for grouping related users and groups in a unique namespace, usually for organizational purposes.

来自友好的名称和路径:

如果您使用IAM API或AWS命令行界面(AWS CLI)创建IAM实体，则还可以为该实体提供可选路径.您可以使用单个路径，也可以嵌套多个路径，就好像它们是文件夹结构一样.例如，您可以使用嵌套路径/division_abc/subdivision_xyz/product_1234/engineering/来匹配公司的组织结构.然后，您可以创建一个策略，以允许该路径中的所有用户访问策略模拟器API.要查看此策略，请参阅IAM:访问基于用户路径的Policy Simulator API.有关如何使用路径的其他示例，请参阅IAM ARN.

If you are using the IAM API or AWS Command Line Interface (AWS CLI) to create IAM entities, you can also give the entity an optional path. You can use a single path, or nest multiple paths as if they were a folder structure. For example, you could use the nested path /division_abc/subdivision_xyz/product_1234/engineering/ to match your company's organizational structure. You could then create a policy to allow all users in that path to access the policy simulator API. To view this policy, see IAM: Access the Policy Simulator API Based on User Path. For additional examples of how you might use paths, see IAM ARNs.

例如，一个大型组织可能在/WestRegion/AZ和/EastRegion/NY路径中拥有用户.这将对应于组织的内部部门.

For example, a large organization may have users in paths /WestRegion/AZ and /EastRegion/NY. This would correspond to internal divisions of the organization.

以下是上述文档中的一些示例:

Here are some examples from the above document:

一个给定帐户中名为Bob的IAM用户:

An IAM user called Bob in a given account:

arn:aws:iam::123456789012:user/Bob

另一个用户Bob的路径反映了组织结构图:

Another different user Bob with a path reflecting an organization chart:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/Bob

IAM组:

arn:aws:iam::123456789012:group/Developers

具有路径的IAM组:

arn:aws:iam :: 123456789012:group/division_abc/subdivision_xyz/product_A/Developer

请注意，此元数据未在控制台中公开.我的猜测是，用户 path 的用法更适合通常依赖于CloudFormation和/或AWS CLI来管理其AWS资源的大型组织或高级用户.例如，-path-prefix 是 aws iam list-users 的参数.

Note that this metadata is not exposed in the Console. My guess is that usage of a user path is more suited for large organizations, or advanced users, that would normally rely on CloudFormation and/or the AWS CLI for managing their AWS resources. For example, the --path-prefix is a parameter to aws iam list-users.

请参见 http://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html

这篇关于在AWS IAM中，“路径"的目的/用途是什么?多变的?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！