AWS Web Identity Federation: using dynamic roles for different users

Tags: amazon-web-services, amazon-iam

I am a bit confused by the following article on AWS Web Identity Federation: how do I make sure that each user who performs the AssumeRoleWithWebIdentity call can assume a different role? Is that possible?

Here are the steps:

So, from step 11 above, I can add a dynamic resource policy to allow user-specific access, e.g. for S3. But what happens with resources that do not support resource policies?

For example, how do I make sure that one user who logs in with Google gets write access to DynamoDB (WriteRole), while another user who logs in through the same Google IdP only gets read access to DynamoDB (ReadRole)?

Any help would be appreciated.

1. Mobile or Web Application needs to be configured with the IdP which gives each application a unique ID or client ID (also called audience)
2. Create an Identity Provider entity for OIDC compatible IdP in IAM.
3. Create IAM role and define the
    1. Trust policy –  specify the IdP (like Amazon) as the Principal (the trusted entity), and include a Condition that matches the IdP assigned app ID
    2. Permission policy – specify the permissions the application can assume
4. Application calls the sign-in interface for the IdP to login
5. IdP authenticates the user and returns an authentication token (OAuth access token or OIDC ID token) with information about the user to the application
6. Application then makes an unsigned call to the STS service with the **AssumeRoleWithWebIdentity** action to request temporary security credentials.
7. Application passes the IdP’s authentication token along with the Amazon Resource Name (ARN) for the IAM role created for that IdP.
8. AWS verifies that the token is trusted and valid and if so, returns temporary security credentials (access key, secret access key, session token, expiry time) to the application that have the permissions for the role that you name in the request.
9. STS response also includes metadata about the user from the IdP, such as the unique user ID that the IdP associates with the user.
10. Using the Temporary credentials, the application makes signed requests to AWS
11. User ID information from the identity provider can distinguish users in the app for e.g., objects can be put into S3 folders that include the user ID as prefixes or suffixes. This lets you create access control policies that lock the folder so only the user with that ID can access it.
12. Application can cache the temporary security credentials and refresh them before their expiry accordingly. Temporary credentials, by default, are good for an hour.
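Added example (not part of the original question, and not an answer posted on this page) showing how the twelve steps above give two users of the same Google IdP different roles. The decision is made by each role's trust policy (step 3.1): STS only honours AssumeRoleWithWebIdentity when the token's claims satisfy the Condition block, so pinning WriteRole to specific `accounts.google.com:sub` values while ReadRole only checks the app's `aud` yields per-user roles without any resource policy. For a service that is addressed only through the role's permission policy (step 3.2), DynamoDB here, the `${accounts.google.com:sub}` policy variable in a `dynamodb:LeadingKeys` condition limits each user to their own items, which is the DynamoDB analogue of the S3 key-prefix trick in step 11. The account ID, OAuth client ID, Google account IDs (`sub` values), table ARN and the unsigned sample tokens are all constructed for the demo; STS verifies the real token's signature against Google's keys, which the offline evaluator below deliberately skips.

```python
"""Added example: per-user IAM roles via AssumeRoleWithWebIdentity trust policies.
All identifiers below are hypothetical; tokens are constructed and unsigned."""
import base64
import json

ACCOUNT_ID = "123456789012"                                       # hypothetical
CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"          # hypothetical app/client ID (the `aud`)
WRITER_SUBS = ["110169484474386276334"]                            # hypothetical Google account IDs allowed to write
TABLE_ARN = f"arn:aws:dynamodb:us-east-1:{ACCOUNT_ID}:table/Notes"  # hypothetical table
IDP = "accounts.google.com"


def trust_policy(allowed_subs=None):
    """Step 3.1: `aud` must be our client ID; with allowed_subs, `sub` must match too."""
    match = {f"{IDP}:aud": CLIENT_ID}
    if allowed_subs:
        match[f"{IDP}:sub"] = list(allowed_subs)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": IDP},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": match},
    }]}


def permission_policy(actions):
    """Step 3.2: DynamoDB has no resource policy here, so the identity policy
    scopes each user to items whose partition key equals their own Google sub."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": actions,
        "Resource": TABLE_ARN,
        "Condition": {"ForAllValues:StringEquals": {
            "dynamodb:LeadingKeys": [f"${{{IDP}:sub}}"]}},
    }]}


ROLES = {  # role ARN -> (trust policy, permission policy); most privileged first
    f"arn:aws:iam::{ACCOUNT_ID}:role/WriteRole": (
        trust_policy(WRITER_SUBS),
        permission_policy(["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                           "dynamodb:GetItem", "dynamodb:Query"])),
    f"arn:aws:iam::{ACCOUNT_ID}:role/ReadRole": (
        trust_policy(),
        permission_policy(["dynamodb:GetItem", "dynamodb:Query"])),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed stand-in for the ID token of step 5 (real one is RS256-signed)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"


def token_claims(id_token: str) -> dict:
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """Offline check of what STS evaluates in step 8: the federated principal must
    be the token issuer and every `<idp>:<claim>` key must equal one expected value."""
    issuer = claims.get("iss", "").replace("https://", "", 1)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("Federated") != issuer:
            continue
        expected = stmt["Condition"]["StringEquals"]
        if all(claims.get(key.split(":", 1)[1]) in (want if isinstance(want, list) else [want])
               for key, want in expected.items()):
            return True
    return False


def assumable_roles(id_token: str) -> list:
    claims = token_claims(id_token)
    return [arn for arn, (trust, _) in ROLES.items() if trust_policy_allows(trust, claims)]


def choose_role(id_token: str):
    """Role ARN the app should pass in step 7: WriteRole if permitted, else ReadRole, else None."""
    allowed = assumable_roles(id_token)
    return allowed[0] if allowed else None


def request_credentials(role_arn: str, id_token: str):
    """Steps 6-9: the real, unsigned STS call (needs boto3 and network; not run offline)."""
    import boto3
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="google-user", WebIdentityToken=id_token)
    return resp["Credentials"], resp["SubjectFromWebIdentityToken"]


if __name__ == "__main__":
    for sub in WRITER_SUBS + ["118274563920185736492"]:   # second sub is hypothetical too
        tok = make_unsigned_token({"iss": IDP, "aud": CLIENT_ID, "sub": sub})
        print(sub, "->", choose_role(tok))
```

The role names are chosen client-side only as a convenience; a user who edits the app to request WriteRole with a token whose `sub` is not in the trust policy gets AccessDenied from STS, because the trust policy, not the client, is the enforcement point. Leave the `aud` condition in every trust policy, otherwise any Google-issued token from any application could assume the role.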