
Application of AWS IAM role

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

Preface

AWS Identity and Access Management (IAM) is a Web service that helps you securely control access to AWS resources. You can use IAM to control which users are authenticated (logged in) and authorized (with permissions) to use resources.

Besides users, AWS IAM has the concept of roles. An IAM role lets you control permissions more precisely and makes it easier to scale access out to more workloads and people.

1. EC2

For applications running on EC2, do not assign user credentials (AK/SK) to the application; attach an IAM role to the instance instead.

You can query the EC2 instance metadata to see the role attached to the instance and the temporary credentials it was granted:

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

2. Software on a local laptop

Consider users who develop and test on their own computers and need access to S3. Do not grant the S3 permissions to the user directly, so that a lost AK/SK does less damage. Instead, assign the user a cross-account role; the user then calls assume-role to obtain a temporary AK/SK and uses that to access AWS resources.

2.1. Create user alice

No permissions are assigned to the user.

Finally, obtain the user's AK/SK:

Access key ID: AKIA5NAGHF6N2WFTQZP6
Secret access key: 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

2.2. Create a cross-account role (under the same account)

Add permissions to the role.

Generated role ARN: arn:aws:iam::921283538843:role/alice-sts

Modify the trust relationship policy of the generated role to the following, so that the user alice is allowed to assume this role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::921283538843:user/alice"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

2.3. Test user permissions

Use AK/SK directly to see if the user has the appropriate permissions.

Configure a profile for alice with aws configure:

wangzan:~/.aws $ aws configure --profile alice
AWS Access Key ID [****************H6YU]: AKIA5NAGHF6N2WFTQZP6
AWS Secret Access Key [****************bVA/]: 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
Default region name [us-east-1]:
Default output format [json]:
wangzan:~/.aws $ aws sts get-caller-identity --profile alice
{
    "Account": "921283538843",
    "UserId": "AIDA5NAGHF6NZASTSA7Y6",
    "Arn": "arn:aws:iam::921283538843:user/alice"
}
wangzan:~/.aws $ aws s3 ls --profile alice
An error occurred (AccessDenied) when calling the ListBuckets operation: AccessDenied

The user has no permissions of its own, so it cannot access S3 directly; instead we use assume-role:

wangzan:~ $ aws sts assume-role --role-arn arn:aws:iam::921283538843:role/alice-sts --role-session-name alice1233 --profile alice
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA5NAGHF6N7DOEADJSU:alice1233",
        "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
    },
    "Credentials": {
        "SecretAccessKey": "bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7",
        "SessionToken": "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",
        "Expiration": "2019-12-31T09:06:12Z",
        "AccessKeyId": "ASIA5NAGHF6NZZ5HBX7R"
    }
}

Then edit ~/.aws/credentials and put the generated credentials in it, as follows:

[alice-sts]
aws_access_key_id = ASIA5NAGHF6NZZ5HBX7R
aws_secret_access_key = bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7
aws_session_token = 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

Then, with the new profile, check the identity and access S3 again; the caller is now the assumed role rather than the user:

wangzan:~/.aws $ aws sts get-caller-identity --profile alice-sts
{
    "Account": "921283538843",
    "UserId": "AROA5NAGHF6N7DOEADJSU:alice1233",
    "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
}

2.4. Obtain temporary credentials automatically

Pasting credentials by hand every time they expire is tedious. Instead, add a profile to ~/.aws/credentials with the following fields, so the CLI assumes the role and refreshes the temporary credentials on its own:

[alice-auto]
role_arn = arn:aws:iam::921283538843:role/alice-sts
source_profile = alice

Take a look at the current role:

wangzan:~ $ aws sts get-caller-identity --profile alice-auto
{
    "Account": "921283538843",
    "UserId": "AROA5NAGHF6N7DOEADJSU:botocore-session-1577780458",
    "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/botocore-session-1577780458"
}
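As an added example (not code from the original post), here is a small Python helper for what sections 2.3 and 2.4 do by hand: it turns the JSON printed by aws sts assume-role into a named profile for ~/.aws/credentials and reports whether the credentials are within a few minutes of their Expiration and should be re-assumed. The sample response is constructed with placeholder key values; only the account id and role name come from the post.

```python
"""Turn `aws sts assume-role` output into a credentials profile and
check the Expiration field so temporary keys are re-assumed in time."""
import configparser
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the assume-role response in the post; the
# key values are placeholders, only the account id and role name are real.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:alice1233",
        "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233",
    },
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
        "SecretAccessKey": "EXAMPLESECRETACCESSKEY",
        "SessionToken": "EXAMPLESESSIONTOKEN",
        "Expiration": "2019-12-31T09:06:12Z",
    },
})


def _parse_utc(stamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps STS prints."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credentials_profile(assume_role_json: str, profile: str) -> str:
    """Render the [profile] section that section 2.3 pastes into ~/.aws/credentials."""
    creds = json.loads(assume_role_json)["Credentials"]
    cfg = configparser.ConfigParser()
    cfg[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def needs_refresh(assume_role_json: str, now_utc: str, margin_minutes: int = 5) -> bool:
    """True when the temporary credentials expire within margin_minutes of now_utc."""
    expires_at = _parse_utc(json.loads(assume_role_json)["Credentials"]["Expiration"])
    return _parse_utc(now_utc) + timedelta(minutes=margin_minutes) >= expires_at


if __name__ == "__main__":
    print(credentials_profile(SAMPLE_ASSUME_ROLE_OUTPUT, "alice-sts"))
    print("refresh needed:", needs_refresh(SAMPLE_ASSUME_ROLE_OUTPUT, "2019-12-31T09:05:00Z"))
```

The role_arn/source_profile profile from section 2.4 makes the CLI do this refresh itself; the helper is useful for tools that read ~/.aws/credentials but do not understand that profile type.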
