AWS IAM 角色与组 [英] AWS IAM Role vs Group

问题描述

AWS 官方网站将角色视为权限集合，将组视为用户集合.但在我看来，它们仍然是一样的.您将策略附加到组或角色，然后将组或角色分配给用户.角色和组之间究竟有什么区别?

The AWS official site reads role as a collection of permissions and group as a collection of users. But still they look the same to me. You attach policies to groups or roles, and then assign groups or roles to a user. What exactly are the differences between role and group?

推荐答案

AWS Groups 是标准组，您可以将其视为多个用户的集合，一个用户可以属于多个组.

AWS Groups are the standard groups which you can consider as collection of several users and a user can belong to multiple groups.

AWS IAM 角色都是不同的种类；他们像个人用户一样操作，只是他们主要采用模拟风格，并在不指定凭据的情况下与 AWS API 调用进行通信.

AWS IAM Roles are all together different species; they operate like individual users except that they work mostly towards the impersonation style and perform communication with AWS API calls without specifying the credentials.

鉴于 IAM 角色几乎没有什么不同，我只强调这一点.有多种类型的 IAM 角色，如 EC2 IAM 角色、Lambda 等.如果您考虑，您可以使用 EC2 IAM 角色启动 EC2 实例；因此，任何与 AWS API 相关的通信都不需要任何 AWS 访问密钥或秘密密钥进行身份验证，而是可以直接调用 API(但答案很长——它使用 STS 并在幕后不断回收凭证)；它可以做什么的特权或权限由附加到 IAM 角色的 IAM 策略决定.

Given that IAM Roles are little different, I am emphasizing only that. There are several types of IAM Roles like EC2 IAM Roles, Lambda etc. If you consider, you can launch an EC2 instance with an EC2 IAM Role; hence forth any AWS API related communication wouldn't require any AWS Access Key or Secret key for authentication rather can call the APIs directly (however the long answer is - it uses STS and continuously recycles the credentials behind the scenes); the privileges or permissions of what it can do is determined by the IAM Policies attached to the IAM Role.

Lambda IAM 角色的工作原理完全相同，只是只有 Lambda 函数可以使用 Lambda IAM 角色等.

Lambda IAM Role works exactly the same, except that only Lambda function can use the Lambda IAM Role etc.

这篇关于AWS IAM 角色与组的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！