获取临时AWS凭证的推荐方法? AWS.config还是STS?
[英]Recommended way to get temporary AWS credentials? AWS.config or STS?
问题描述
I'm using a third-party SDK that needs temporary AWS credentials to access AWS services. 
我正在使用需要临时AWS凭证才能访问AWS服务的第三方SDK。 I'm using this SDK as part of an application that is running on EC2. 我将此SDK用作在EC2上运行的应用程序的一部分。 All SDKs in my application need access to the same role, which is attached to my the EC2 instance. 我的应用程序中的所有SDK都需要访问同一角色,该角色已附加到我的EC2实例中。 Below, I have listed two options I have found for getting temporary credentials. 在下面,我列出了为获得临时凭证而找到的两个选项。 Which one of these options is the recommended way for getting temporary credentials for my third-party SDK? 为获取我的第三方SDK的临时凭据,建议使用以下哪个选项?
AWS.config AWS.config
var AWS = require("aws-sdk");
AWS.config.getCredentials();
var creds = AWS.config.credentials
Security Token Service (STS) 安全令牌服务(STS)
var sts = new AWS.STS();
var params = {
RoleArn: "arn:aws:iam::123456789012:role/demo",
RoleSessionName: "Bob",
};
sts.assumeRole(params, function(err, data) {
var creds = data.Credentials;
});
1 个解决方案
解决方案1
4 已采纳 2018-01-29 03:25:51
Should in this case is a bit fluid, but when you launch an EC2 instance and assign it an instance profile, (somewhat) temporary credentials are made available as instance metadata . 在这种情况下应该有点流畅,但是当您启动EC2实例并为其分配实例配置文件时,(某种程度上)临时凭证可作为实例元数据使用 。 You access instance metadata via a local HTTP server bound on 169.254.169.254 您通过绑定在169.254.169.254上的本地HTTP服务器访问实例元数据
eg curl http://169.254.169.254/latest/meta-data/ami-id 例如 curl http://169.254.169.254/latest/meta-data/ami-id
returns the AMI-ID of the running instance. 返回正在运行的实例的AMI-ID。 AWS credentials associated with the instance profile assigned to the instance can be accessed in this manner. 可以通过这种方式访问与分配给实例的实例配置文件关联的AWS凭证。
Anything running on the instance can access this data, meaning that if you're trying to isolate the third-party SDK from your instance profile, you've already failed. 在实例上运行的任何内容都可以访问此数据,这意味着,如果您尝试将第三方SDK与实例配置文件隔离,则您已经失败了。
However, it doesn't sound like that's what you're trying to do. 但是,听起来这并不是您要尝试的方法。 When you execute AWS.config.getCredentials(); 执行AWS.config.getCredentials(); , it uses the instance metadata (among other things ) to look up the credentials. ,它使用实例元数据(除其他外 )来查找凭证。 This is advantageous because it allows you to supply the credentials in a variety of manners without changing the code that looks them up. 这是有利的,因为它允许您以多种方式提供凭据,而无需更改查找它们的代码。
The STS use case, however, is if you want to temporarily change a given user to a particular role. STS的使用情况,但是,如果你想给定用户暂时更改为一个特定的角色。 The user you're requesting from must have the sts:AssumeRole permission and have the same permissions as the target role. 您所请求的用户必须具有sts:AssumeRole权限,并且必须与目标角色具有相同的权限。 This can be used for auditing purposes, etc. 这可以用于审核等目的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.