如何手动更改IAM角色凭据?
[英]How to manually change IAM Roles credentials?
问题描述
I'm just starting exploring IAM Roles. 
我刚开始探索IAM角色。 So far I launched an instance, created an IAM Role. 到目前为止,我启动了一个实例,创建了一个IAM角色。 Everything seems to work as expected. 一切似乎都按预期工作。 Currently I'm using boto (Python sdk). 目前我正在使用boto (Python sdk)。
What I don't understand : 我不明白的是:
- Does the
bototakes care of credential rotation?boto是否负责凭据轮换? (For example, imagine I have an instance that should be up for a long time, and it constantly have to upload keys to s3 bucket. In case if credentials are expired, do I need to 'catch' an exception and reconnect? orbotowill silently do this for me?)(例如,假设我有一个应该长时间运行的实例,并且它经常必须将密钥上传到s3桶。如果凭据已过期,我是否需要'捕获'异常并重新连接?或者boto会默默地为我做这件事吗?) - Is it possible to manually trigger IAM to change credentials on the Role? 是否可以手动触发IAM来更改角色的凭据? (I want to do this, because I want to test above example. Or if there is there an alternative to this testcase? ) (我想这样做,因为我想测试上面的例子。或者如果有替代这个测试用例?)
1 个解决方案
解决方案1
2 已采纳 2014-01-28 15:08:58
The boto library does handle credential rotation. boto库确实处理凭据轮换。 Or, rather, AWS rotates the credentials and boto automatically picks up the new credentials. 或者,AWS会轮换凭据,而boto会自动获取新凭据。 Currently, boto does this by checking the expiration timestamp of the temporary credentials. 目前,boto通过检查临时凭证的到期时间戳来完成此操作。 If the expiration is within 5 minutes of the current time, it will query the metadata service on the instance for the IAM role credentials. 如果到期时间在当前时间的5分钟内,则它将在实例上查询IAM角色凭证的元数据服务。 The service is responsible for rotating the credentials. 该服务负责轮换凭据。
I'm not aware of a way to force the service to rotate the credentials but you could probably force boto to look for updated credentials by manually adjusting the expiration timestamp of the current credentials. 我不知道强制服务轮换凭据的方法,但您可以通过手动调整当前凭据的到期时间戳来强制boto查找更新的凭据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.