适用于S3预签名URL的AWS的哪个IAM角色 [英] AWS Which IAM Role For S3 Presigned URL
问题描述
我正在ec2实例中部署服务器程序,该程序需要能够为s3创建预签名的url.到目前为止,我已经在环境变量中使用了我的AWS凭证进行测试,但是现在我想切换到IAM角色策略.但是,我不确定角色也应该访问哪些策略.我最初的猜测是拥有AmazonS3FullAccess,但是描述显示通过AWS管理控制台提供对所有存储桶的完全访问权限",但是ec2实例将使用c ++ sdk,而不是管理控制台.还是该政策不重要,仅仅是它有一个政策,以便以某种方式获取凭据?
I am deploying a server program in an ec2 instance which needs to be able to create pre-signed urls for s3. So far I've had my AWS credentials in environment variables for testing, but I would like to switch to the IAM Role strategy now. However, I am unsure as to which policies the role should have access too. My initial guess is to have AmazonS3FullAccess, but the description says "Provides full access to all buckets via the AWS Management Console" but the ec2 instance will be using the c++ sdk, not the management console. Or is the policy not important, just that it has a policy so it gets credentials somehow?
推荐答案
您正在混淆策略和角色.
You're confusing policies and roles.
策略将权限授予用户,角色或组.
a policy grants permissions to a user or to a role or to a group.
用户和角色之间的区别是细微的,但是基本上,角色是AWS的其他服务(例如EC2实例)所假定的角色,而用户通常只是您为在AWS中使用而创建的身份.
the difference between a user and a role is subtle, but basically a role is something that's assumed by other services in AWS, like an EC2 instance, while a user is generally just an identity you've created for use in AWS.
关于完全访问权限的策略描述可能会提及管理控制台,但是它授予对所有存储桶的完全访问权限,无论是通过控制台,api还是sdk,它们在后台都是一样的.
The policy description for full access may make mention to the management console, but it grants full access to all buckets whether through the console, the api or an sdk, they're all really the same thing under the hood.
您不应使用完全访问策略.您可以将其用作构建实际策略的基础,但是IAM应该始终使用最小特权主体,在该主体中,您仅提供绝对需要的权限,在这种情况下,该角色仅需要读取权限,并可能列出特定存储段上的权限如果生成用于读取的网址,则存在疑问;如果允许上传,则应放置权限.
You should not use the fullaccess policy. You could use it as a base to build your real policy, but IAM should always use the least privilege principal, where you only give the permissions that are absolutely required, in this case the role only needs read and possibly list permissions on the specific bucket in question if generating urls for reading, or put permissions if allowing uploads.
这篇关于适用于S3预签名URL的AWS的哪个IAM角色的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
