AWS - IAM 角色和信任关系 [英] AWS - IAM Roles and Trust Relationships

问题描述

我是 AWS 和 IAM 的新手，并试图了解角色和信任关系.

I an new to AWS and IAM and trying to understand roles and trust relationship.

我完全理解为什么要使用角色、如何创建角色及其用例.

I fully understand why roles are used, how to create them and their use case.

我不明白的是信任关系步骤.在我见过的几乎所有情况下，它都是一对一的关系.EC2 需要对 EC2 的信任.为什么会有额外的步骤?

What I don't get is the trust relationship step. In almost all the cases I have seen it is a one to one relationship. EC2 needs a trust with EC2. Why is there the extra step?

如果我创建一个 EC2 实例和一个具有 S3 权限的角色，为什么这还不够?

If I create an EC2 instance and a role that has S3 permissions why isn't that enough?

推荐答案

角色用于在设定的时间段内向特定参与者授予特定权限.因此，角色需要两件事:权限策略(可以访问哪些资源以及可以采取哪些操作)和信任策略(哪些实体可以承担该角色).

Roles are used to grant specific privileges to specific actors for a set duration of time. So, a role needs two things: permission policies (what resources can be accessed and what actions can be taken) and a trust policy (what entities can assume the role).

例如，以下 CloudFormation 片段创建了一个角色 (MyInstanceRole)，其策略 (MyWritePolicy) 允许访问 S3 存储桶并允许 EC2 实例(MyInstanceRole)>Principal，或信任部分)来承担角色:

For example, the following CloudFormation snippet creates a role (MyInstanceRole) with a policy (MyWritePolicy) giving access to an S3 bucket and allows EC2 instances (the Principal, or the trust part) to assume the role:

MyInstanceRole:
Type: AWS::IAM::Role
Properties:
  AssumeRolePolicyDocument:
    Version: 2012-10-17
    Statement:
    - Effect: Allow
      Action: sts:AssumeRole
      Principal:
        Service: ec2.amazonaws.com
  Path: '/' 
  RoleName: MyInstanceRole
  Policies:
  - PolicyName: MyWritePolicy
    PolicyDocument:
      Version: 2012-10-17
      Statement:
      - Sid: WriteBackups
        Action: 
        - s3:PutObject
        Effect: Allow
        Resource: !Join ['', ['arn:aws:s3:::', !Join [ '-', [ 'bucketName', !Ref Environment ] ], '/*' ] ]

在许多情况下，只有一个 Principal，但如果需要，可以有多个(AWS 账户、IAM 用户、IAM 角色、联合用户或代入角色用户).

In many cases there will be just a single Principal, but there can be more than one (AWS account, IAM user, IAM role, federated user, or assumed-role user) if required.

现在可以使用提供更多详细信息的更新的 IAM 控制台更轻松地创建和管理 AWS IAM 角色.

这篇关于AWS - IAM 角色和信任关系的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！