關於 AWS IAM Role 的最佳實踐

1、EC2

針對 EC2 上面的應用程序，不要分配 User Credentials，使用 IAM Role Attachment。
能夠訪問 EC2 的 meatdata 查看賦予的 Role 權限

curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

2、Software on local laptop

針對在本身電腦上面開發測試的用戶，用戶須要 S3 的訪問權限，不給用戶分配權限，這樣能夠避免 AK/SK 丟失形成的損失，咱們能夠給 User 分配一個 Cross accunt role，讓用戶使用接口 assume-role 獲取臨時的 AK/SK，而後去訪問AWS 資源。

2.一、建立用戶 alice

不給用戶分配任何權限。

最後獲得用戶的 AK/SK

Access key ID ：AKIA5NAGHF6N2WFTQZP6
Secret access key：TqJ/9Hg450x204r1lai+C3w0+3kvVOeTckPZhvau

2.二、建立一個跨帳戶 Role（同帳戶下）

給角色增長權限。

生成的 Role ARN：arn:aws:iam::921283538843:role/alice-sts

把生成的 Role 的 trust relationships policy 修改成以下，試 alice 這個用戶能夠 assumerole 這個角色，

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::921283538843:user/alice"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

2.三、測試用戶權限

直接使用 AK/SK，查看用戶是否有相應的權限。
使用 aws configure 配置。

wangzan:~/.aws $ aws configure --profile alice
AWS Access Key ID [****************H6YU]: AKIA5NAGHF6N2WFTQZP6
AWS Secret Access Key [****************bVA/]: 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
Default region name [us-east-1]: 
Default output format [json]: 
wangzan:~/.aws $ aws sts get-caller-identity --profile alice
{
    "Account": "921283538843", 
    "UserId": "AIDA5NAGHF6NZASTSA7Y6", 
    "Arn": "arn:aws:iam::921283538843:user/alice"
}
wangzan:~/.aws $ aws s3 ls --profile alice
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

直接使用是獲取不到權限的，那咱們使用 assume-role。

wangzan:~ $ aws sts assume-role --role-arn arn:aws:iam::921283538843:role/alice-sts --role-session-name alice1233 --profile alice                                                                                                                  
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA5NAGHF6N7DOEADJSU:alice1233", 
        "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
    }, 
    "Credentials": {
        "SecretAccessKey": "bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7", 
        "SessionToken": "IQoJb3JpZ2luX2VjEIH//////////wEaCXVzLWVhc3QtMSJHMEUCICUEnSV87qoGrBDliGHwPTc0EPSqbzjLMX/8F2QUmejdAiEAxfX3L+MipZOTGKYLxH2qeTlnkvNtY3laE1hlEmcgaEMq2QEI6f//////////ARAAGgw5MjEyODM1Mzg4NDMiDIz9v0YIqXkeT4/YjSqtAc4g0fFXYua7fvzVveDq9twCc0jtHoz+k8425aL2qcpOTyGxDyWEIpt5Qp3DlZkCEMOgz8VPw/VhXQOuvTBF2nfEPDVsjk0J1rL/xP/8VDe1/Op13qu7QGtvOog00/0qAr2GTsSOkrQnHcOfcXpirz+Ll+rlVEp5WGjke4NTQjYlcKuGud2totcdWuvd39o6RugOOuTEf/UanuPmgvwlNVG6qfSZK6MAl0yJ2NNgMPSCrPAFOuMBw/R25StiLs+ZoGj7nhmL17I7ggW33DdH12FwXwqrOb3nBJxXFyaS3N7U/VJRCWPYQ95RuatJRWiBOvWoBB1KI5tdb0xKStW0VCRUpB2iipJcVFFikJyphf/HzK03AHQ4N4DiPFz30RlFyZVXyV4E/O9CqzKtp09MD+Chuq298Yjq4NDk1Wi5s75JpfuVvtU7FUGb3Li2OfE68GHBybfKR3Gvg1oDJy1QZGqLrUCJp/oZ8Wjg9xOg/2Vg3PUjlgCnlE+rrkZVuF+aAJfB1mVrMBF8XFGtfZQF9QMgzugrJAbZ4Uk=", 
        "Expiration": "2019-12-31T09:06:12Z", 
        "AccessKeyId": "ASIA5NAGHF6NZZ5HBX7R"
    }
}

而後去編輯 ~/.aws/credentials，把生成的Credentials放到裏面，以下：

[alice-sts]
aws_access_key_id = ASIA5NAGHF6NZZ5HBX7R
aws_secret_access_key = bmP9j6fuZ03MgrQCzrix6YLRcHzLojrThII6I5k7
aws_session_token = IQoJb3JpZ2luX2VjEIH//////////wEaCXVzLWVhc3QtMSJHMEUCICUEnSV87qoGrBDliGHwPTc0EPSqbzjLMX/8F2QUmejdAiEAxfX3L+MipZOTGKYLxH2qeTlnkvNtY3laE1hlEmcgaEMq2QEI6f//////////ARAAGgw5MjEyODM1Mzg4NDMiDIz9v0YIqXkeT4/YjSqtAc4g0fFXYua7fvzVveDq9twCc0jtHoz+k8425aL2qcpOTyGxDyWEIpt5Qp3DlZkCEMOgz8VPw/VhXQOuvTBF2nfEPDVsjk0J1rL/xP/8VDe1/Op13qu7QGtvOog00/0qAr2GTsSOkrQnHcOfcXpirz+Ll+rlVEp5WGjke4NTQjYlcKuGud2totcdWuvd39o6RugOOuTEf/UanuPmgvwlNVG6qfSZK6MAl0yJ2NNgMPSCrPAFOuMBw/R25StiLs+ZoGj7nhmL17I7ggW33DdH12FwXwqrOb3nBJxXFyaS3N7U/VJRCWPYQ95RuatJRWiBOvWoBB1KI5tdb0xKStW0VCRUpB2iipJcVFFikJyphf/HzK03AHQ4N4DiPFz30RlFyZVXyV4E/O9CqzKtp09MD+Chuq298Yjq4NDk1Wi5s75JpfuVvtU7FUGb3Li2OfE68GHBybfKR3Gvg1oDJy1QZGqLrUCJp/oZ8Wjg9xOg/2Vg3PUjlgCnlE+rrkZVuF+aAJfB1mVrMBF8XFGtfZQF9QMgzugrJAbZ4Uk=

而後再去請求 S3。

wangzan:~/.aws $ aws sts get-caller-identity --profile alice-sts
{
    "Account": "921283538843", 
    "UserId": "AROA5NAGHF6N7DOEADJSU:alice1233", 
    "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/alice1233"
}

2.四、自動更換臨時權限

修改 ~/.aws/credentials，增長以下字段，

[alice-auto]
role_arn = arn:aws:iam::921283538843:role/alice-sts
source_profile = alice

能夠看下目前的 Role。

wangzan:~ $ aws sts get-caller-identity --profile alice-auto
{
    "Account": "921283538843", 
    "UserId": "AROA5NAGHF6N7DOEADJSU:botocore-session-1577780458", 
    "Arn": "arn:aws:sts::921283538843:assumed-role/alice-sts/botocore-session-1577780458"
}

參考文檔：
https://docs.aws.amazon.com/zh_cn/cli/latest/userguide/cli-configure-role.html