您的位置: 首页  >  技术问答  >  与IAM组不能做什么的IAM角色可以做什么?

与IAM组不能做什么的IAM角色可以做什么?

分类: 技术问答 2022-03-31 22:27:54

与IAM组不能做什么的IAM角色可以做什么?

问题描述:

我已经阅读了有关IAM角色和IAM组的文档,但是我缺少一些简单的信息:我不知道您可以使用IAM角色做什么,而不能使用IAM组.

I have read the documentation about IAM roles and IAM groups but I am missing something simple: I don't understand what you can do with IAM roles that you cannot do with IAM groups.

换句话说,考虑以下替代方案:

In other words, considering these alternatives:

  • 使用IAM组,我授予组执行某些操作的权限,然后,当我希望用户能够执行那些操作时,我授予他们该组的成员资格
  • 使用IAM角色,我授予角色执行某些操作的权限,然后当我希望用户能够执行那些操作时,我授予他们承担该角色的权限

第二种方法可以实现什么,而第一种方法不能实现?

What specifically is it that you can achieve with the second method, that you cannot achieve with the first method?

  • IAM用户提供了一组用于身份验证的凭据.可以为其分配权限.人们或应用程序都可以使用它来调用AWS服务.
  • IAM组是IAM用户的集合.分配给IAM组的权限将应用于该组内 的所有IAM用户.
  • IAM角色具有一组权限,但没有凭据.通过让IAM用户具有承担角色来使用该角色,然后该角色将提供一组可用于访问服务的临时凭据.

    • An IAM User is given a set of credentials for authentication. It can be assigned permissions. It is used either by people or by applications to call AWS services.
    • An IAM Group is a collection of IAM Users. Permissions allocated to the IAM Group will apply to all IAM Users within the group.
    • An IAM Role has a set of permissions, but no credentials. It is used by having an IAM User assume the role, which then provides a set of temporary credentials that can be used to access a service.

      • 例如:

      • User1 是具有启动Amazon E2实例权限的IAM用户.他们可以使用其凭证对AWS进行身份验证并请求启动实例.但是,他们无权终止EC2实例.
      • 管理角色是具有终止EC2实例权限的IAM角色.
      • User1 Admin-Role 上调用 AssumeRole().如果他们有权这样做,他们将收到一组临时凭据.
        • 然后,
      • User1 使用这些凭据来调用 TerminateInstances().为此,他们使用临时凭据发送请求,而不是使用自己的凭据.
      • User1 is an IAM User with permission to launch an Amazon E2 instance. They can use their credentials to authenticate to AWS and request that an instance is launched. However, they do not have permission to Terminate the EC2 instance.
      • Admin-Role is an IAM Role that has permission to Terminate EC2 instances.
      • User1 calls AssumeRole() on Admin-Role. If they have permission to do this, they will receive back a set of temporary credentials.
      • User1 then uses these credentials to call TerminateInstances(). In doing so, they use the temporary credentials to send the request, rather than their own credentials.

      类似地:

      • Lambda1 是一个AWS Lambda函数
      • Lambda-Role 是与 Lambda1 函数关联的IAM角色.该角色已被授予访问Amazon S3的权限.
      • 使用 Lambda1 函数时,Lambda服务会自动假定 Lambda-Role 并将这些凭据提供给Lambda函数,以便它可以调用S3.
      • Lambda1 is an AWS Lambda function
      • Lambda-Role is an IAM Role that is associated with the Lambda1 function. The role has been granted permission to access Amazon S3.
      • When the Lambda1 function, the Lambda service automatically Assumes Lambda-Role and provides those credentials to the Lambda function so that it can call S3.

      请注意,在第二个示例中,Lambda函数本身没有凭据.相反,AWS服务代表其承担角色并提供凭证.这与将IAM角色分配给Amazon EC2实例的方式相同.

      Notice that in this second example, the Lambda function does not have credentials itself. Rather, the AWS service assumes the Role on its behalf and provides the credentials. This is identical to the way that IAM Roles are assigned to Amazon EC2 instances.

      此外,请注意,假设IAM角色实际上可以提供最初可用的更多权限. User1 可以扮演一个角色,以获取终止实例的权限,不允许他们自己做.因此,控制允许调用 AssumeRole 或使用 PassRole (用于将IAM角色分配给EC2和Lambda),否则他们可能会获得您希望他们拥有的更多权限.

      Also, note that assuming an IAM Role can actually provide more permissions that originally available. User1 could assume a role to obtain permission to Terminate an instance, which they are not permitted to do themselves. Therefore, it is important to control who is allowed to call AssumeRole or use PassRole (which is used to assign IAM Roles to services like EC2 and Lambda), otherwise they might gain more permissions that you want them to have.

相关推荐