AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and who is authorized (has permissions) to use those resources.
AWS has the concept of IAM, and IAM roles let you control permissions more precisely and scale them more easily than per-user keys.
For applications running on EC2, do not hand out user credentials; attach an IAM role to the instance instead.
You can see which role's credentials an instance has been given by querying the EC2 instance metadata service:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
That path lists the role name; appending it returns the temporary AK/SK and session token. Anything able to make HTTP requests from the instance, including a web application with an SSRF bug, can read them too, so require IMDSv2 (a session token obtained with a PUT to /latest/api/token) and keep the role's permissions minimal.
針對(duì)在自己電腦上面開(kāi)發(fā)測(cè)試的用戶(hù),用戶(hù)需要 S3 的訪問(wèn)權(quán)限,不給用戶(hù)分配權(quán)限,這樣可以避免 AK/SK 丟失造成的損失,我們可以給 User 分配一個(gè) Cross accunt role,讓用戶(hù)使用接口 assume-role 獲取臨時(shí)的 AK/SK,然后去訪問(wèn)AWS 資源。
不給用戶(hù)分配任何權(quán)限。
最后得到用戶(hù)的 AK/SK
Access key ID :AKIA5NAGHF6N2WFTQZP6
Secret access key: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
Create the role and attach the permissions to it (here, the S3 access that the user needs).
The generated Role ARN: arn:aws:iam::921283538843:role/alice-sts
Change the generated role's trust relationship policy to the following so that the user alice can assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::921283538843:user/alice"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
The empty Condition means nothing beyond the caller's identity is checked. A common hardening is "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}, which only lets an MFA-authenticated session assume the role. Never put "*" in the Principal here: with no condition, that lets any AWS account assume the role.
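To make the trust-policy semantics concrete, here is a small evaluator that decides whether a caller may assume a role under a given trust policy. It is an added example, not code from the post or from AWS: it models only the Principal, Action, Effect and Bool-condition elements, and the MFA-hardened and the wildcard ("*") policies it compares against are constructed variants of the alice-sts policy above, not policies the post shows.

```python
import json
from typing import Any, Dict, List, Optional

# Trust policy of the alice-sts role exactly as written in the post.
TRUST_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::921283538843:user/alice"},
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
""")

# Hardened variant (constructed for this example): same principal, but the
# calling session must have been authenticated with MFA.
MFA_TRUST_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::921283538843:user/alice"},
      "Action": "sts:AssumeRole",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}
""")

# Misconfigured variant (constructed): trusts every principal in every AWS account.
OPEN_TRUST_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value: Any) -> List[Any]:
    """Most IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive action match with a trailing '*' wildcard (e.g. 'sts:*')."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def _principal_entries(principal: Any) -> List[str]:
    """Flatten the Principal element to the list of trusted AWS principals."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def _principal_matches(principal: Any, caller_arn: str) -> bool:
    caller_account = caller_arn.split(":")[4]
    for entry in _principal_entries(principal):
        if entry in ("*", caller_arn):
            return True
        # A bare account id or the account root ARN trusts the whole account; the
        # caller then also needs sts:AssumeRole in its own identity policy, which
        # this simplified evaluator does not model.
        if entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _condition_matches(condition: Optional[Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    """Only the Bool operator is modelled; a key missing from the context reads as 'false'."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise ValueError(f"condition operator not modelled: {operator}")
        for key, expected in pairs.items():
            if ctx.get(key, "false").lower() != str(expected).lower():
                return False
    return True


def can_assume(policy: Dict[str, Any], caller_arn: str,
               ctx: Optional[Dict[str, str]] = None) -> bool:
    """Decide whether caller_arn may call sts:AssumeRole under this trust policy.

    As in IAM, a matching explicit Deny wins over any Allow.
    """
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _condition_matches(stmt.get("Condition"), ctx):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def world_trusting_statements(policy: Dict[str, Any]) -> int:
    """Count unconditioned Allow statements whose trust principal is '*'."""
    count = 0
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" in _principal_entries(stmt.get("Principal")):
            count += 1
    return count
```

Running can_assume against the post's policy reproduces what the CLI session shows: alice can assume the role although her user has no permissions at all, because the trust policy names her ARN directly; any other user is refused. With the MFA variant the same call fails unless the context carries aws:MultiFactorAuthPresent=true, and world_trusting_statements is the check to run over every role in an account to find the ones that trust "*".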
First use the AK/SK directly and check whether the user has the permission. Configure it with aws configure:
wangzan:~/.aws $ aws configure --profile alice
AWS Access Key ID [****************H6YU]: AKIA5NAGHF6N2WFTQZP6
AWS Secret Access Key [****************bVA/]: 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
Default region name [us-east-1]:
Default output format [json]:
wangzan:~/.aws $ aws sts get-caller-identity --profile alice
{
"Account": "921283538843",
"UserId": "AIDA5NAGHF6NZASTSA7Y6",
"Arn": "arn:aws:iam::921283538843:user/alice"
}
wangzan:~/.aws $ aws s3 ls --profile alice
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
Used directly, the user has no permission, so use assume-role instead:
wangzan:~ $ aws sts assume-role --role-arn arn:aws:iam::921283538843:role/alice-sts --role-session-name alice1233 --profile alice
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA5NAGHF6N7DOEADJSU:alice1233",
"Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
},
"Credentials": {
"SecretAccessKey": "bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7",
"SessionToken": "IQoJb3JpZ2luX2VjEIH//////////wEaCXVzLWVhc3QtMSJHMEUCICUEnSV87qoGrBDliGHwPTc0EPSqbzjLMX/8F2QUmejdAiEAxfX3L+MipZOTGKYLxH2qeTlnkvNtY3laE1hlEmcgaEMq2QEI6f//////////ARAAGgw5MjEyODM1Mzg4NDMiDIz9v0YIqXkeT4/YjSqtAc4g0fFXYua7fvzVveDq9twCc0jtHoz+k8425aL2qcpOTyGxDyWEIpt5Qp3DlZkCEMOgz8VPw/VhXQOuvTBF2nfEPDVsjk0J1rL/xP/8VDe1/Op13qu7QGtvOog00/0qAr2GTsSOkrQnHcOfcXpirz+Ll+rlVEp5WGjke4NTQjYlcKuGud2totcdWuvd39o6RugOOuTEf/UanuPmgvwlNVG6qfSZK6MAl0yJ2NNgMPSCrPAFOuMBw/R25StiLs+ZoGj7nhmL17I7ggW33DdH12FwXwqrOb3nBJxXFyaS3N7U/VJRCWPYQ95RuatJRWiBOvWoBB1KI5tdb0xKStW0VCRUpB2iipJcVFFikJyphf/HzK03AHQ4N4DiPFz30RlFyZVXyV4E/O9CqzKtp09MD+Chuq298Yjq4NDk1Wi5s75JpfuVvtU7FUGb3Li2OfE68GHBybfKR3Gvg1oDJy1QZGqLrUCJp/oZ8Wjg9xOg/2Vg3PUjlgCnlE+rrkZVuF+aAJfB1mVrMBF8XFGtfZQF9QMgzugrJAbZ4Uk=",
"Expiration": "2019-12-31T09:06:12Z",
"AccessKeyId": "ASIA5NAGHF6NZZ5HBX7R"
}
}
然后去編輯 ~/.aws/credentials,把生成的Credentials放到里面,如下:
[alice-sts]
aws_access_key_id = ASIA5NAGHF6NZZ5HBX7R
aws_secret_access_key = bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7
aws_session_token = <the SessionToken value from the assume-role output>
然后再去請(qǐng)求 S3。
wangzan:~/.aws $ aws sts get-caller-identity --profile alice-sts
{
"Account": "921283538843",
"UserId": "AROA5NAGHF6N7DOEADJSU:alice1233",
"Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
}
The temporary credentials stop working at the Expiration time in the response (one hour by default), so pasting them by hand has to be repeated every time. Instead, let the CLI assume the role itself: add the following profile to ~/.aws/credentials (the CLI also accepts it in ~/.aws/config). role_arn names the role, and source_profile names the long-lived credentials used to make the assume-role call:
[alice-auto]
role_arn = arn:aws:iam::921283538843:role/alice-sts
source_profile = alice
Check the current role through this profile; the CLI performs the assume-role call on its own and names the session botocore-session-<timestamp>:
wangzan:~ $ aws sts get-caller-identity --profile alice-auto
{
"Account": "921283538843",
"UserId": "AROA5NAGHF6N7DOEADJSU:botocore-session-1577780458",
"Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/botocore-session-1577780458"
}
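The manual step above (copying the Credentials block into ~/.aws/credentials) is where people drop the session token or keep using credentials past their Expiration. The following is an added example, not a script from the post, that turns an assume-role response into a credentials-file profile and refuses to write expired credentials; the response it runs on is a constructed sample in the shape of the `aws sts assume-role` output with dummy key material, and the two clock values are constructed as well.

```python
import configparser
import io
import json
import os
import stat
from datetime import datetime, timezone

# Constructed sample in the shape of `aws sts assume-role` output; the key
# material is dummy, only the field names and the timestamp format are real.
SAMPLE_RESPONSE = json.loads("""
{
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:alice1233",
    "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
  },
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "exampleSecretKeyDoNotUse",
    "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
    "Expiration": "2019-12-31T09:06:12Z"
  }
}
""")

# Fixed clocks for the demonstration (constructed): six minutes before expiry, and after it.
BEFORE_EXPIRY = datetime(2019, 12, 31, 9, 0, 12, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2020, 1, 1, 0, 0, 0, tzinfo=timezone.utc)


def seconds_remaining(resp, now=None) -> float:
    """Seconds until the temporary credentials expire (negative once they have)."""
    exp = datetime.strptime(resp["Credentials"]["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    exp = exp.replace(tzinfo=timezone.utc)
    return (exp - (now or datetime.now(timezone.utc))).total_seconds()


def credentials_section(resp) -> dict:
    """The three keys a credentials-file profile needs for an assumed-role session.

    Dropping aws_session_token is the classic mistake: the ASIA... key is then rejected.
    """
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def merge_profile(existing_text: str, profile: str, resp, now=None) -> str:
    """Return credentials-file text with `profile` (re)written from the response.

    Other profiles in existing_text (e.g. [alice]) are preserved.
    """
    if seconds_remaining(resp, now) <= 0:
        raise ValueError("temporary credentials already expired; run assume-role again")
    cp = configparser.ConfigParser()
    cp.read_string(existing_text)
    cp[profile] = credentials_section(resp)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def save_profile(path: str, profile: str, resp, now=None) -> None:
    """Merge into the credentials file at `path` and keep it readable by the owner only."""
    existing = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = fh.read()
    text = merge_profile(existing, profile, resp, now)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0600, as for an ssh private key


if __name__ == "__main__":
    existing = "[alice]\naws_access_key_id = AKIAEXAMPLE\naws_secret_access_key = x\n"
    print(merge_profile(existing, "alice-sts", SAMPLE_RESPONSE, now=BEFORE_EXPIRY))
```

In practice you would pipe `aws sts assume-role ... --profile alice` into json.loads and call save_profile on ~/.aws/credentials; the expiry check is what the source_profile approach gives you for free, since the CLI re-assumes the role when its cached session runs out.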