stackoom
  简体   繁体   中英

Best practice AWS access key and secret for applications

 原文  2023-01-01 16:21:11       amazon-web-services/ identity-management

Question

What is the best practice for using the AWS and secret access keys when setting up the AWS application?

To get the access key and access secret, create an IAM account, but the IAM account is associated with a user, not with an application. What is the best to get an access key and access secret that is specific to an application (or different application environments, production, staging, etc.?) if the IAM users are meant to be for actual users and not for applications?

1 answers

solution1
 2 ACCPTED  2023-01-01 16:30:51

You wouldn't assign an IAM user to an application, typically you use an IAM Role.

To understand the difference, let us go through IAM basic knowledge

IAM controls: Who (authentication) can do What (authorization) in your AWS account . Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.

Here the term

  • User - End user think about people

  • Groups- a set of users under one set of permission(policies)

  • Roles - are used to grant specific permission to specific actors for a set of duration of time. These actors can be authenticated by AWS or some trusted external system.

User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.

Answer the following questions and you will differentiate between a user and a role:

  • Can have a password? Yes-> user, No-> role
  • Can have an access key? Yes-> user, No-> role
  • Can belong to a group? Yes-> user, No -> role
  • Can be associated with AWS resources (for example EC2 instances)? No-> user, Yes->role

AWS supports 3 Role Types for different scenarios

  • AWS service roles (for example: EC2, Lambda, Redshift,...)
  • Cross-Account Access: granting permissions to users from other AWS account, whether you control those account or not.
  • Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation: - Web-based identity such as Facebook, Goolge- IAM support ingeration via OpenID Connect - SAML 2.0 identity such as Active Directory, LDAP.

To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Hope it helps.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Best practice to manage API key/secret for AWS based multi-tenancy SaaS? Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY)) Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY I need aws_access_key_id and aws_secret_access_key for Amazon How to get ECR_AWS_ACCESS_KEY and ECR_AWS_SECRET_ACCESS_KEY How to access s3 bucket with key and secret? Cloudwatch agent with role instead access and secret key How can I supply federated users with an aws access key id/secret? Store AWS or Facebook secret key into bash**file for security reason? Recursive AWS Lambda function calls - Best Practice
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM