AWS角色:权限如何从EC2实例过渡到实例中运行的应用程序?
[英]AWS Roles: How does permissions transition from an EC2 instance to applications running in the instance?
问题描述
TLDR; 
TLDR; How to move a java app using AWS services from dev to prod (on AWS Cloud.) 如何使用AWS服务将Java应用程序从开发人员迁移到产品(在AWS Cloud上)
Having understood that AWS IAM Roles are for AWS Services like EC2 etc so that's applications running under these service will assume the permissions assigned to the role. 了解了AWS IAM角色适用于EC2等AWS服务,因此在这些服务下运行的应用程序将采用分配给角色的权限。
IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
I am not clear with how permissions transition from an EC2 instance with some role,say S3RWRole , to (a java ) application running in the instance? 我不清楚权限如何从具有某种角色的EC2实例转换为S3RWRole ,然后转换为在实例中运行的(java)应用程序?
During application development, this is what we do - Say, I have a simple S3 application that's working with files in some S3 bucket. 在应用程序开发过程中,这就是我们要做的-说,我有一个简单的S3应用程序,该应用程序正在处理某些S3存储桶中的文件。 I ensure that during development, the java code/app has necessary permissions by configuring the AWS client. 我确保在开发期间,通过配置AWS客户端,java代码/应用程序具有必要的权限。
AWSCredentials credentials = new BasicAWSCredentials(
"<AWS accesskey>",
"<AWS secretkey>"
);
Then configure/obtain the S3 client, 然后配置/获取S3客户端,
AmazonS3 s3client = AmazonS3ClientBuilder
.standard()
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.withRegion(Regions.US_EAST_2)
.build();
Then perform some S3 operations, 然后执行一些S3操作,
s3client.putObject(
bucketName,
"Docs/file.txt",
new File("/home/me/file.txt")
);
Now, how does it look in production. 现在,它在生产中的外观如何。
The AwSCredential I think are still required. 我认为仍然需要AwSCredential 。 Are not they??? 他们不是吗??? Ok, let me assume that they are required (as to avoid a runtime error). 好的,让我假设它们是必需的(以避免运行时错误)。 So, I have created an IAM user ProdJavaUserApp and now the java app is running with ProdJavaUserApp credentials/permissions. 因此,我创建了一个IAM用户ProdJavaUserApp ,现在Java应用程序正在使用ProdJavaUserApp凭据/权限运行。
But now say, the EC2 instance this application is running on has S3RWRole , will the permissions of S3RWRole takeover/replace the ProdJavaUserApp . 但现在说,这个应用程序运行在EC2实例有S3RWRole ,将在权限S3RWRole收购/更换ProdJavaUserApp 。
What further do I need to understand, could someone shed some light. 我还需要进一步了解什么,否则有人会有所启发。
1 个解决方案
解决方案1
1 2019-08-10 16:58:56
When AWS role is attached to the instance those default "credentials" are used for all operations unless you specifically mention some other aws access and secret key. 将AWS角色附加到实例后,这些默认的“凭证”将用于所有操作,除非您特别提到其他一些aws访问和密钥。 If you don't mention any access/secret key the default role credentials are applied. 如果您未提及任何访问/秘密密钥,则将应用默认角色凭据。 It's like when you install aws cli on your machine and configure it with aws credentials. 就像在计算机上安装aws cli并使用aws凭证对其进行配置时一样。
So you can simply skip the .withCredentials parameter in your s3 call. 因此,您只需在s3调用中跳过.withCredentials参数即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.