amazon-iam

问题 I know that with Amazon Aurora MySQL, we can authenticate to the DB instance or DB cluster using AWS IAM database authentication. I followed the instructions here and It is working as instructed. However, this solution still needs the AWS credentials to be stored on the EC2 instance. I thought the whole purpose of this is to use the IAM roles to manage temporary credentials for applications running on an EC2 instance, so that we do not have to distribute long-term credentials (such as a user

问题 I'm working on an application and I'm struggling about an issue. My application has Lambdas and DynamoDBs services in which the former needs permissions to call the latter. I solve this creating a role with Principal equals Service: lambda.amazonaws.com . I'd like to give access to other developers to create roles too in a way which allows developers to create only roles whose principal is a service or federated and deny if it is user or account. For example, this role would be allowed: Type:

问题 Policy definition of AWS managed policy ( AWSLambdaExecute ) is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:*" ], "Resource": "arn:aws:logs:*:*:*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::*" } ] } But the AWS_documentation gives a sample serverless function using the same policy name AWSLambdaExecute , as shown below: Type: AWS::Serverless::Function Properties: Handler: index.js Runtime: nodejs8.10

问题 This link says To create the IAM role Open the IAM console. In the navigation pane, select Roles, then Create New Role. Enter a name for the role, then select Next Step. Remember this name, since you'll need it when you launch your Amazon EC2 instance. On the Select Role Type page, under AWS Service Roles, select Amazon EC2. On the Set Permissions page, under Select Policy Template, select Amazon S3 Read Only Access, then Next Step. On the Review page, select Create Role. But when you click

问题 Scenario : A web app is hosted on EC2 with a role having full S3 access. Now on the webapp, say the S3 resource is an image embedded as a link in some webpage. So here CORS comes in to action. So if CORS and Public access for the resource are enabled (for the Bucket I mean), that should do. And when public access is already granted, what's the point in adding a role to EC2 instance, the resource is already public. So, is not the role for EC2 instance redundant and not necessary. Could someone

问题 Would like to inform upfront that I am new to AWS in general. For my project I am trying to use AWS RDS MySQL using IAM Authentication (IAM Role) from a Java application deployed on Tomcat on an EC2 instance. Before trying it from Java I am trying it from the command prompt on the EC2 instance. I am following this link to do it: https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/ I have done the following so far (please pardon if I am not using correct terminologies)

问题 I'm trying to set up an app that configures my instances upon launch and I want to close down that app's API access as much as possible. My current policy is as follows: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1388183890000", "Effect": "Allow", "Action": [ "ec2:AssociateAddress", "ec2:CreateTags", "ec2:DescribeInstances", "ec2:RebootInstances" ], "Resource":"*" } ] } However, this allows the app to perform any of these actions on anything in EC2. Is there a way I can lock down

问题 I came across Get Username from Amazon Access Key in Java when searching for a solution for a problem I have. But the only difference is I want to achieve the exact opposite: Is it possible to get the access key & secret key to perform Java SDK operations by using the username created in IAM? I want to build an application when the user logs in with his IAM credentials he can start and stop instances in the application. But to do that I need the access & secret key of that user. I hope

问题 I am creating an android application which connects to AWS IoT using Amazon Cognito authentication. I am able to authenticate user successfully and I am able get the credentials. While updating the thing shadow using these credentials always return 403 Forbidden Exception. I have tried all my ways to troubleshoot the issue but I found no solutions. My IAM Policy is: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iot:GetThingShadow", "iot:UpdateThingShadow", ],

问题 I'm trying to attach an IAM roles to EC2 instances (not ECS) so they can pull images from ECR. 回答1: Do something like this. Note you may want to limit which ECR repos are accessible. resource "aws_instance" "test" { ... } resource "aws_launch_configuration" "ecs_cluster" { ... iam_instance_profile = "${aws_iam_instance_profile.test.id}" } resource "aws_iam_role" "test" { name = "test_role" assume_role_policy = "..." } resource "aws_iam_instance_profile" "test" { name = "ec2-instance-profile"