- Users (think people; long-term credentials: password, access keys)
- Groups (collection of users; policies attached to a group apply to all its members)
- Roles (an identity with attached policies that a user, AWS service or federated identity assumes; issues temporary credentials instead of long-term ones)
- Policy (JSON document that defines one or more permissions)
- Request context that every policy is evaluated against:
  - Action (the API call being made)
  - Resource (the ARN the call targets)
  - Principal (who is making the request)
  - Environment data (source IP, time, MFA state, etc.)
  - Resource data (attributes of the resource, e.g. tags)
- Web identity federation: authenticate via identity providers like Amazon, Facebook, Google
- the web identity token (a JWT) is exchanged for temporary credentials of an IAM role; no AWS credentials live in the app
- uses Cognito, great for mobile apps
- user pools
  - user directory; user logs into the pool (directly, or through a social identity provider the pool talks to)
  - the pool issues a JWT (ID token / access token) on successful login
- identity pool
  - exchanges the JWT for temporary AWS credentials (calls STS on the user's behalf)
  - assigns each user a unique identity, including unauthenticated (guest) identities if enabled
- Cognito Sync uses push notifications to propagate user data changes to all of a user's devices
- AWS managed policies
  - created and administered by AWS
  - cover normal common use cases (e.g. job-function policies)
  - cannot be changed by customers; AWS updates them, which can silently widen or narrow permissions
- customer managed policies
  - created by the customer, reusable across many users, groups and roles
  - can only be used in the account they were created in; versioned, so changes can be rolled back
- inline policies
  - embedded directly in a single user, group or role and deleted together with it
  - used to make sure the policy is never attached to more than one user, group or role (strict one-to-one)
- AssumeRoleWithWebIdentity (STS API)
  - used with web identity providers (Facebook, Google, GitHub, any OIDC-compatible provider, etc...)
  - returns temporary security credentials for mobile or web apps
  - flow: JWT from the identity provider => AssumeRoleWithWebIdentity call to STS returns temporary credentials => access the AWS resource with the temporary credentials
  - temporary credentials last 1 hour by default (DurationSeconds can be 15 minutes up to the role's maximum session duration)
  - the role's trust policy should pin the provider and the app's audience (client ID) so a token from another app cannot assume the role
- multiple AWS accounts (dev and test vs production)
- use the same identity, but allow selection of the account to log into (cross-account role, "Switch Role" in the console)
- Account A (production, owns the shared resources)
  - Create a policy that allows access to the shared resources.
  - Create cross-account access role "MyDevelopersAccess" whose trust policy trusts Account B, and attach the policy created above.
- Account B (development)
  - Create group GroupA
  - Create an inline policy on the group that allows assuming the role in Account A:
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::PRODUCTION-ACCOUNT-ID:role/MyDevelopersAccess"
      }
    }
  - This lets members of GroupA assume MyDevelopersAccess and thereby reach the resources in Account A. Both sides must allow it: the role's trust policy in Account A and this policy in Account B; either one missing means an implicit deny.
- In the console, use "Switch Role" to switch to MyDevelopersAccess and access those resources (the CLI equivalent is sts:AssumeRole).
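The cross-account procedure above, modelled end to end as an added example (not code from these notes or from AWS). It builds the three policy documents the steps describe and a miniature IAM evaluator that enforces the rule that matters here: the caller's identity policy in Account B and the role's trust policy in Account A must both allow `sts:AssumeRole`. The account IDs, user name, bucket name and the evaluator's simplifications (no Condition blocks, AWS principals only, Deny overrides Allow) are all assumptions.

```python
"""Cross-account AssumeRole check, modelling the IAM rule that BOTH the
caller's identity policy (Account B) and the role's trust policy (Account A)
must allow the call. Added example, not code from the notes or from AWS;
account IDs, user names, bucket name and the evaluator are assumptions."""
import fnmatch

# Constructed placeholder account IDs (stand-ins for PRODUCTION-ACCOUNT-ID and the dev account).
PROD_ACCOUNT = "111111111111"   # Account A: owns the shared resources
DEV_ACCOUNT = "222222222222"    # Account B: where GroupA lives
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/MyDevelopersAccess"
DEV_USER = f"arn:aws:iam::{DEV_ACCOUNT}:user/alice"   # hypothetical member of GroupA

# Account A, step 1: permission policy attached to the role (bucket name is hypothetical).
SHARED_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::shared-bucket", "arn:aws:s3:::shared-bucket/*"],
    }],
}

# Account A, step 2: trust policy on MyDevelopersAccess. Trusting Account B's root
# means "any principal in B whose own IAM policies allow sts:AssumeRole on this role".
# Never use "Principal": "*" here: that would let any AWS account assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DEV_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Account B: the inline policy on GroupA from the notes, placeholder filled in.
GROUPA_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}   # a user in B with no grant


def _as_list(value):
    """IAM allows a string or a list in Statement, Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') of an action or resource string."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def identity_allows(policy, action, resource):
    """Identity-based policy evaluation in miniature: an explicit Deny wins,
    otherwise any matching Allow wins, otherwise the request is implicitly denied."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def _principal_matches(principal, caller_arn):
    """A trust policy principal matches the caller if it names the caller's ARN,
    the caller's account root (arn:aws:iam::ACCOUNT:root), or '*'."""
    allowed = principal if isinstance(principal, str) else principal.get("AWS", [])
    caller_account = caller_arn.split(":")[4]
    for p in _as_list(allowed):
        if p in ("*", caller_arn, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def trust_allows(trust_policy, caller_arn):
    """Resource-based side: does the role's trust policy let this caller assume it?"""
    decision = False
    for stmt in _as_list(trust_policy["Statement"]):
        if not _matches(stmt.get("Action", []), "sts:AssumeRole"):
            continue
        if _principal_matches(stmt.get("Principal", {}), caller_arn):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def can_assume(caller_arn, caller_identity_policy, role_arn, role_trust_policy):
    """Cross-account AssumeRole succeeds only when both accounts agree."""
    return (identity_allows(caller_identity_policy, "sts:AssumeRole", role_arn)
            and trust_allows(role_trust_policy, caller_arn))


if __name__ == "__main__":
    outsider = "arn:aws:iam::333333333333:user/mallory"   # constructed third account
    print("GroupA member:", can_assume(DEV_USER, GROUPA_INLINE_POLICY, ROLE_ARN, TRUST_POLICY))
    print("third account:", can_assume(outsider, GROUPA_INLINE_POLICY, ROLE_ARN, TRUST_POLICY))
    print("B user, no inline policy:", can_assume(DEV_USER, EMPTY_POLICY, ROLE_ARN, TRUST_POLICY))
    print("role can read bucket:", identity_allows(SHARED_RESOURCE_POLICY, "s3:GetObject",
                                                   "arn:aws:s3:::shared-bucket/report.csv"))
```

The third case is the one people trip over: the trust policy in Account A trusts the whole of Account B, so it is the inline policy in B (or its absence) that decides which B users actually get in. After `can_assume` returns true, the real-world equivalent of the console's "Switch Role" is `aws sts assume-role --role-arn <ROLE_ARN> --role-session-name <name>`, which returns the temporary credentials.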