AWS Identity uye Access Management

Chikamu 1 chechitatu

Muna 2011, Amazon yakaratidza kuwanikwa kweAWS Identity & Access Management (IAM) kutsigira CloudFront. IAM yakatanga muna 2010 uye yakasanganisira S3 kutsigirwa. AWS Identity & Access Management (IAM) inoita kuti uve nevashandisi vakawanda mukati meAAS account. Kana wakashandisa Amazon Web Services (AWS), iwe unoziva kuti nzira chete yekugadzirisa zvinyorwa muAWS zvinosanganisira kupa zita rako rekushandisa uye password kana kuwana zvigetsi.

Uku ndiko kuchengeteka kwechokwadi kune vakawanda vedu. IAM inopedza kukosha kwekugovana mapepaji uye kuwanika maiyi.

Kushandura nguva yedu yepamusoro yeAWS password kana kugadzira zvigadzirwa zvitsva inongova sarudzo inonyangadza apo mushandi anogona kusiya boka redu. IWS Identity & Access Management (IAM) yakanga iri kutanga kutanga kubvumira mumwe munhu wekombikiti nemunhu mumwe nomumwe. Zvisinei, isu tiri S3 / CloudFront user kuitira kuti tave tichitarisira CloudFront kuwedzerwa kune IAM iyo yakazoitika pakupedzisira.

Ndakawana magwaro ebasa iri kuti ave akapararira. Kune zvikwata zvishomanana zvepakati pechitatu izvo zvinopa huwandu hweshumiro yeIvaIri & Access Management (IAM). Asi vashandi vanowanzotadza saka ndakatsvaga sarudzo yakasununguka yekugadzirisa IAM nebasa redu Amazon S3.

Nyaya iyi inofamba nenzira yekugadzira Mutambo weMirayiridzo weMirairo unotsigira IAM nekugadzira boka / user neS3 access. Iwe unofanirwa kuva neAngs AWS S3 sekugadzirisa account usati watanga kugadzira Identity & Access Management (IAM).

Nyaya yangu, Kushandisa Amazon Simple Storage Service (S3), ichakutungamirira kuburikidza nekugadzirisa iyo AWS S3 account.

Heano matanho anobatanidzwa mukugadza nekushandisa mushumiri muIAM. Izvi zvakanyorwa zveWindows asi unokwanisa tweak kuti ushandiswe muLuxux, UNIX uye / kana Mac OSX.

1. Isa nekugadzirisa Interface yeMirayiridzo (CLI)

1. Gadzira Gulu
2. Ipai Gwara Kuwana S3 Bucket uye CloudFront
3. Gadzira User uye Wedzera Kuboka
4. Gadzira Login Profile uye Gadzira Keys
5. Test Access

Isa nekugadzirisa Interface yeMirayiridzo (CLI)

IAM Command Line Toolkit chirongwa cheJava chiripo muAwS Developers Tools yeAmazambique. Icho chibvumirano chinokubvumira kuti uite mirairo yeIAM API kubva pane shell utility (DOS yeWindows).

• Iwe unofanirwa kunge uri kushandisa Java 1.6 kana kupfuura. Iwe unogona kukopa iyo yemazuva ekupedzisira kubva kuJava.com. Kuti uone kuti shanduro ipi inowanikwa paWindows system, svinura Command Prompt uye funga mu java -version. Izvi zvinotora kuti java.exe iri muPATH yako.
• Dharirai yeIAM CLI toolkit uye usunungure pane imwe nzvimbo yekutengesa kwako.
• Pane mafaira maviri mumudziyo weCI toolkit iwe unoda kudzokorora.
  • aws-credential.template: Iyi faira inobata zvidzidzo zveAWS. Wedzera AWSAccessKeyId yako neAWSSecretKey yako, chengeta uye yevhara faira.
  • client-config.template : Iwe unongoda kudzokorora iyi faira kana iwe unoda proxy server. Bvisa # zviratidzo uye uvandudze ClientProxyHost, ClientProxyPort, ClientProxyUsername uye ClientProxyPassword. Chengeta uye yevhara faira.
• Danho rinotevera rinosanganisira kuwedzera Zvimwe Zvakatipoteredza. Enda kuDare Rinodzora | System Properties | Mafambisirwo ezvakagadziriswa maitiro | Environment Variables. Wedzera zvinotevera zvinoshandiswa:
  • AWS_IAM_HOME : Isa iri shanduko kune zvinyorwa uko iwe usina kubvisa chikwata cheKCI. Kana uri kutamba maWindows uye ukaiisa pasi pamudzi weC yako drive, shanduko ichava C: \ IAMCli-1.2.0.
  • JAVA_HOME : Isa iri shanduko pane iyo nzvimbo Java inowanikwa. Iyi inenge iri nzvimbo ye java.exe faira. Muchidimbu cheWindows 7 Java yekugadzira, izvi zvingava chinhu chakafanana neC: \ Program Files (x86) \ Java \ jre6.
  • AWS_CREDENTIAL_FILE : Isa iri shanduko kunzira uye zita refaira ye aws-credential.template yawakaronga pamusoro apa. Kana uri kutamba maWindows uye ukaiisa pasi pamudzi weC yako motokari, shanduko ichava C: \ IAMCli-1.2.0 \ aws-credential.template.
  • CLIENT_CONFIG_FILE : Iwe unongoda kuwedzera huwandu hwemamiriro ezvinhu kana iwe unoda proxy server. Kana iwe uri kutamba Windows uye ukaiisa pasi pamudzi weC C yako, iyo inogona kunge iri C: \ IAMCli-1.2.0 \ client-config.template. Usawedzera shanduko iyi kunze kwekunge iwe uchida.

• Edza kupinza nokuenda kuMutevedzeri wekuraira uye uende iam-userlistbypath. Chero bedzi iwe usingagamuchiri kukanganisa, unofanira kuva wakanaka kuenda.

Zvose zvemirayiridzo yeIAM inogona kumhanya kubva kuRovera Prompt. Yese yemirairo inotanga ne "iam-".

Gadzira Gulu

Pano pane mazana emapoka makumi mapfumbamwe anogona kuumbwa pane imwe nhoroondo yeAWS. Kunyange zvazvo iwe unogona kuisa mvumo muIAM kumusangano wevashandisi, kushandisa mapoka kungava tsika yakanakisisa. Heino nzira yekuumba boka muIAM.

• Mutsara wekusika boka iam-groupcreate -g GROUPNAME [-p PATH] [-v] apo -p uye -v ndiyo zvasarudzo. Zvinyorwa zvakakwana paIndaneti Inonzi Line Line inowanika paAWS Docs.

• Kana iwe uchida kugadzira boka rainzi "awesomeusers", iwe unopinda, i--kugadzirisa -g awesomeusers pa Command Prompt.
• Unogona kutarisa kuti boka racho rakasikwa zvakanaka nekupinda iam-grouplistbypath paMutevedzeri Wemutemo. Kudai iwe wakanga uchangobva kusika boka iri, chiitiko chacho chaizova chinhu chakadai se "arn: aws: iam :: 123456789012: boka / awesomeusers", uko nhamba iyi nhamba yako yeAWS nhamba.

Ipai Gwara Kuwana S3 Bucket uye CloudFront

Zvitemo zvinodzora izvo boka rako rinokwanisa kuita muS3 kana CloudFront. Nokutadza, boka rako haringakwanisi kuwana chero chinhu muAWS. Ndakawana zvinyorwa zvemitemo kuti ive yakanaka asi pakuumba mazana emitemo, ndakaita zvishoma zvekuedza uye kukanganisa kuti zvinhu zvishandise nenzira yandida kuti vashande.

Iwe une zvingasarudzwa zvekugadzira mitemo.

Rimwe sarudzo iwe unogona kuvanyorera zvakananga muMutevere Prompt. Sezvo iwe ungangodaro uri kugadzira chirongwa uye uchichigadzirisa, kwandiri zvakaratidzika zviri nyore kuwedzera purogiramu yacho mumutauro wefaira uye wobva waisa iyo faira faira separameter ine murairo iam-groupup loadpolicy. Heino nzira yekushandisa text file uye kuisa kuIAM.

• Shandisa chimwe chinhu chakafanana neNepepad uye ugoisa magwaro anotevera uye chengeta faira:
  
  {
  "Statement": [{
  "Mhinduro": "Rega",
  "Action": "s3: *",
  "Ruzivo": [
  "arn: aws: s3 ::: BUCKETNAME",
  "arn: aws: s3 ::: BUCKETNAME / *"]
  },
  {
  "Mhinduro": "Rega",
  "Action": "s3: ListAllMyBuckets",
  "Nhare": "arn: aws: s3 ::: *"
  },
  {
  "Mhinduro": "Rega",
  "Action": ["cloudfront: *"],
  "Nhare": "*"
  }
  ]
  }
  
• Kune zvikamu zvitatu kune iyi purogiramu. Iyo Migumisiro inoshandiswa Kurega kana Dzorera rumwe rudzi rwekuwana. Chiito ndechezvinhu zvakananga boka rinogona kuita. Nhare iyo inogona kushandiswa kupa ruzivo rwehumwe bhakiti.

• Iwe unogona kuderedza Zviito pane mumwe nomumwe. Mumuenzaniso uyu, "Action": ["s3: GetObject", "s3: ListBucket", "s3: GetObjectVersion"], boka racho raizokwanisa kunyora zviri mukati mubhakiti nekudzivirira zvinhu.
• Chikamu chekutanga "Chinobvumira" boka kuti riite zviito zvose zveS3 zvebhakiti "BUCKETNAME".
• Chikamu chechipiri "Chinobvumira" boka kuti rongorore mabhaketheni ose muS3. Iwe unoda izvi kuitira kuti iwe unogona chaizvo kuona mhando yemabhakede kana ukashandisa chimwe chinhu chakafanana neAWS Console.

• Chikamu chechitatu chinopa boka kuzere kusvika kune CloudFront.

Pane zvakawanda zvingasarudzwa kana zvasvika pamitemo yeIAM. Amazon ine chitubu chaicho chiripo chiripo chinonzi AWS Policy Generator. Iri shanduro inopa GUI apo iwe unogona kugadzira mazano ako uye kuunza kode chaiyo iwe unoda kutevedzera mutemo. Iwe unogonawo kuongorora chikamu chePamusoro Purogiramu yeMutauro weKushandisa AWS Identity uye Access Access zvinyorwa zvepaIndaneti.

Gadzira User uye Wedzera Kuboka

Iyo nzira yekusika musikana mutsva uye kuwedzera kune boka kuti igovapa kuwanika kunosanganisira matanho maviri.

• Izwi rekugadzira mushumiri iam-usercreate -u USERNAME [-p PATH] [-g GROUPS ...] [-k] [-v] apo -p, -g, -k uye -v ndezvasarudzo. Zvinyorwa zvakakwana paIndaneti Inonzi Line Line inowanika paAWS Docs.
• Kana iwe uchida kugadzira musikana "bob", iwe ungapinda, iam-usercreate -u bob -g awesomeusers pa Command Prompt.
• Iwe unogona kutarisa kuti mushandisi akasika zvakakodzera nokupinda mu-grouplistusers -g vanotyisa paMutevedzeri Wekuita. Kudai iwe wakanga uchangobva kugadzira uyu mushandisi, chiitiko chaizova chinhu chakadai se "arn: aws: iam :: 123456789012: user / bob", uko nhamba iyo nhamba yako yeAWS nhamba.

Gadzira Logon Profile uye Ita Keys

Panguva ino, iwe wakasika mushumiri asi unofanirwa kuvapa nenzira yekuwedzera uye kubvisa zvinhu kubva kuS3.

Pane zvipo zviviri zvinowanikwa kupa vashandi vako nekusvika kuS3 vachishandisa IAM. Iwe unogona kuisa Purogiramu yeNyore uye kupa vashandi vako ne password. Vanogona kushandisa zvigwaro zvavo kuti vapinde muAmazoni AWS Console. Icho chakanaka ndechokupa vashandi vako ruzivo rwekugona uye kiyi yekuvanzika. Vanogona kushandisa zvishandiso izvi muzvikwata zvepakati pechitatu seS3 Fox, CloudBerry S3 Explorer kana S3 Browser.

Gadzira Login Profile

Kugadzira Purogiramu yeNyoresa yevashandisi vako S3 inovapa zita rekushandisa uye password ravanogona kushandisa kuti vauye kuAmazone AWS Console.

• Izwi rekugadzira purogiramu yekunyoresa iam-useraddloginprofile -u USERNAME -p PASSWORD. Zvinyorwa zvakakwana paIndaneti Inonzi Line Line inowanika paAWS Docs.
• Kana iwe uchida kugadzira purogiramu yekutsvaga kwemushandisi we "bob", iwe ungapinda, iam-useraddloginprofile -u bob -p PASSWORD pa Command Prompt.

• Unogona kutarisa kuti purogiramu yekunyoresa yakasikwa zvakanaka nekupinda iam-usergetloginprofile -u bob pa Command Prompt. Kana iwe wakanga wakagadzira purogiramu yekutumira ye bob, zvabuda zvaizova chimwe chinhu se "Purogiramu yeIndaneti iripo kune user bob".

Dza Keys

Kugadzira AWS Siri Access Access Chinoenderana neAWS Access Key ID inobvumira vashandi vako kushandisa sadhi yepurogiramu yepane seye yakambotaurwa. Ramba uchiyeuka kuti sekuchengeteka, iwe unogona kuwana zvigetsi izvi panguva yekuwedzera kwehuwandu hwemashandisi. Iva nechokwadi chekukopa uye kuisa zvakabuda kubva kuRovera Prompt uye uchengetedze mune faira faira. Iwe unogona kutumira faira kumunhu wako.

• Mutsara wekuwedzera zvigetsi zvemushandisi iam-useraddkey [-u USERNAME]. Zvinyorwa zvakakwana paIndaneti Inonzi Line Line inowanika paAWS Docs.
• Kana iwe uchida kugadzira makii emushandisi "bob", iwe ungapinda iam-useraddkey -u bob pa Command Prompt.
• Murairo unozobudisa zvigetsi zvingaita chimwe chinhu chakadai:
  AKIACOOB5BQVEXAMPLE
  BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE
  
  Mutsara wokutanga ndiyo Inyoyi yeKiwanika uye wechipiri ndeyeSirivha yekuKona Key. Iwe unoda zvose zvepurogiramu yechitatu.

Test Access

Iye zvino zvawakasika mapoka eIAM / vashandisi uye wakapa mapoka ekugona kushandisa mazano, unoda kuedza kuwanikwa.

Console Access

Vashandisi vako vanogona kushandisa zita ravo rekushandisa uye password kuti vapinde muAWS Console. Zvisinei, iyi haisi peji rekutsvaga peji rekushandisa iro rinoshandiswa pakutevedzera AWS account.

Pane URL yakakosha yaungashandisa iyo ichapa fomu yekunyorera yeAngs account yako yeAwS chete. Heino URL kuti uende kuS3 yevashandi vako veIAM.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

IAWS-ACCOUNT-NUMBER ndiyo nhamba yako yenguva dzose yeAWS. Iwe unogona kuwana izvi nokupinda mukati maFomu yeWebhu Web Service Sign In. Login and click on Account | Basa reAunti. Nhamba yekambani yako iri munzvimbo yepamusoro yekona. Iva nechokwadi chokuti wabvisa dashes. I URL inogona kutarisa chimwe chinhu seS https://123456789012.signin.aws.amazon.com/console/s3.

Kushandisa Access Keys

Iwe unokwanisa kutora uye kuisa chero ipi zvayo yezvikwata zvechitatu zvekare zvinotaurwa munyaya ino. Pinda muIndaneti yako yeKupindira uye ChiShona ChiShona Chikamu pane zvinyorwa zvepakati pechitatu.

Ndinokurudzira zvakasimba kuti iwe ugadzire mutengi wekutanga uye uve nemushandisi uyo aedze zvizere kuti vanogona kuita zvose zvavanofanira kuita muS3. Mushure mokunge uchitsigira mumwe wevashandisi vako, unogona kuenderera mberi nekugadzira vese vashandisi vako S3.

Resources

Hezvino zvishomanana zvidzidzo kukupa kunzwisisa kwakanakisisa kweUnoziva & Access Management (IAM).

• Kutanga neIAM
• IAM Command Line Toolkit
• Amazon AWS Console
• AWS Policy Generator
• Kushandisa AWS Identity uye Access Management

• IAM Release Notes
• IAM Kukurukura Mazano
• IAM FAQs