AWS - IAM 角色和信任关系 [英] AWS - IAM Roles and Trust Relationships
问题描述
我是 AWS 和 IAM 的新手,并试图了解角色和信任关系.
I an new to AWS and IAM and trying to understand roles and trust relationship.
我完全理解为什么要使用角色、如何创建角色及其用例.
I fully understand why roles are used, how to create them and their use case.
我不明白的是信任关系步骤.在我见过的几乎所有情况下,它都是一对一的关系.EC2 需要对 EC2 的信任.为什么会有额外的步骤?
What I don't get is the trust relationship step. In almost all the cases I have seen it is a one to one relationship. EC2 needs a trust with EC2. Why is there the extra step?
如果我创建一个 EC2 实例和一个具有 S3 权限的角色,为什么这还不够?
If I create an EC2 instance and a role that has S3 permissions why isn't that enough?
推荐答案
角色用于在设定的时间段内向特定参与者授予特定权限.因此,角色需要两件事:权限策略(可以访问哪些资源以及可以采取哪些操作)和信任策略(哪些实体可以承担该角色).
Roles are used to grant specific privileges to specific actors for a set duration of time. So, a role needs two things: permission policies (what resources can be accessed and what actions can be taken) and a trust policy (what entities can assume the role).
例如,以下 CloudFormation 片段创建了一个角色 (MyInstanceRole
),其策略 (MyWritePolicy
) 允许访问 S3 存储桶并允许 EC2 实例(MyInstanceRole
)>Principal,或信任部分)来承担角色:
For example, the following CloudFormation snippet creates a role (MyInstanceRole
) with a policy (MyWritePolicy
) giving access to an S3 bucket and allows EC2 instances (the Principal
, or the trust part) to assume the role:
MyInstanceRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
Service: ec2.amazonaws.com
Path: '/'
RoleName: MyInstanceRole
Policies:
- PolicyName: MyWritePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: WriteBackups
Action:
- s3:PutObject
Effect: Allow
Resource: !Join ['', ['arn:aws:s3:::', !Join [ '-', [ 'bucketName', !Ref Environment ] ], '/*' ] ]
在许多情况下,只有一个 Principal
,但如果需要,可以有多个(AWS 账户、IAM 用户、IAM 角色、联合用户或代入角色用户).
In many cases there will be just a single Principal
, but there can be more than one (AWS account, IAM user, IAM role, federated user, or assumed-role user) if required.
现在可以使用提供更多详细信息的更新的 IAM 控制台更轻松地创建和管理 AWS IAM 角色.
这篇关于AWS - IAM 角色和信任关系的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!