Question
I have read the documentation about IAM roles and IAM groups but I am missing something simple: I don't understand what you can do with IAM roles that you cannot do with IAM groups.
In other words, considering these alternatives:
- Using IAM groups, I grant a group permissions to perform certain actions, and then when I want a user to be able to perform those actions, I grant them membership in that group
- Using IAM roles, I grant a role permissions to perform certain actions, and then when I want a user to be able to perform those actions, I grant them permission to assume that role
What specifically is it that you can achieve with the second method, that you cannot achieve with the first method?
Answer 1:
- An IAM User is given a set of credentials for authentication. It can be assigned permissions. It is used either by people or by applications to call AWS services.
- An IAM Group is a collection of IAM Users. Permissions allocated to the IAM Group will apply to all IAM Users within the group.
- An IAM Role has a set of permissions, but no credentials. It is used by having an IAM User assume the role, which then provides a set of temporary credentials that can be used to access a service.
For example:
- `User1` is an IAM User with permission to launch an Amazon EC2 instance. They can use their credentials to authenticate to AWS and request that an instance is launched. However, they do not have permission to Terminate the EC2 instance.
- `Admin-Role` is an IAM Role that has permission to Terminate EC2 instances.
- `User1` calls `AssumeRole()` on `Admin-Role`. If they have permission to do this, they will receive back a set of temporary credentials.
- `User1` then uses these credentials to call `TerminateInstances()`. In doing so, they use the temporary credentials to send the request, rather than their own credentials.
Similarly:
- `Lambda1` is an AWS Lambda function.
- `Lambda-Role` is an IAM Role that is associated with the `Lambda1` function. The role has been granted permission to access Amazon S3.
- When the `Lambda1` function runs, the Lambda service automatically Assumes `Lambda-Role` and provides those credentials to the Lambda function so that it can call S3.
Notice that in this second example, the Lambda function does not have credentials itself. Rather, the AWS service assumes the Role on its behalf and provides the credentials. This is identical to the way that IAM Roles are assigned to Amazon EC2 instances.
Also, note that assuming an IAM Role can actually provide more permissions than originally available. `User1` could assume a role to obtain permission to Terminate an instance, which they are not permitted to do themselves. Therefore, it is important to control who is allowed to call `AssumeRole` or use `PassRole` (which is used to assign IAM Roles to services like EC2 and Lambda), otherwise they might gain more permissions than you want them to have.
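The following is an added example, not part of the answer above or of any AWS code: it writes out the IAM policy documents behind the `User1` / `Admin-Role` scenario (in real AWS policy syntax) and runs a small local-only evaluator over them. The evaluator models only explicit `Allow` statements with `*`/`?` wildcards on `Action`, `Resource` and `Principal`; explicit `Deny`, `Condition`, service control policies and permission boundaries are deliberately left out. The account id `111122223333` and the ARNs are constructed sample values. The point it demonstrates is the two-sided check that the answer describes: `User1` gets `ec2:TerminateInstances` only because their own policy grants `sts:AssumeRole` on the role *and* the role's trust policy names them, which is exactly where a defender should focus review.

```python
"""Local model of the User1 / Admin-Role AssumeRole scenario (added example).

Not AWS's evaluation engine: only Allow statements, wildcards and the
Principal element of trust policies are modelled.  Account id and ARNs are
constructed sample values.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # constructed sample account id
USER1_ARN = f"arn:aws:iam::{ACCOUNT}:user/User1"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Admin-Role"

# Identity policy attached to User1: may launch instances and may assume
# Admin-Role, but has no ec2:TerminateInstances permission of its own.
USER1_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ADMIN_ROLE_ARN},
    ],
}

# Trust policy of Admin-Role: the "who may assume me" half of the check.
ADMIN_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": USER1_ARN}, "Action": "sts:AssumeRole"}
    ],
}

# Permissions policy of Admin-Role: what the temporary credentials can do.
ADMIN_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """Wildcard match of one value against one or more policy patterns.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    for pattern in _as_list(patterns):
        if case_insensitive:
            if fnmatch.fnmatchcase(value.lower(), pattern.lower()):
                return True
        elif fnmatch.fnmatchcase(value, pattern):
            return True
    return False


def policy_allows(policy, action, resource="*"):
    """True if an identity/permissions policy has an Allow covering action+resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if _matches(stmt["Action"], action, case_insensitive=True) and _matches(
            stmt.get("Resource", "*"), resource
        ):
            return True
    return False


def trust_policy_allows(trust_policy, principal_arn):
    """True if the role's trust policy lets principal_arn call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], "sts:AssumeRole", case_insensitive=True):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if any(_matches(p, principal_arn) for p in principals):
            return True
    return False


def can_assume_role(caller_policy, caller_arn, trust_policy, role_arn):
    """Both halves must allow it: the caller's own policy must grant
    sts:AssumeRole on the role AND the role must trust the caller."""
    return policy_allows(caller_policy, "sts:AssumeRole", role_arn) and trust_policy_allows(
        trust_policy, caller_arn
    )


def effective_permission(action, resource="*"):
    """How User1 can reach `action`: 'direct', 'via Admin-Role', or None.
    The 'via Admin-Role' outcome is the privilege expansion the answer warns about."""
    if policy_allows(USER1_POLICY, action, resource):
        return "direct"
    if can_assume_role(USER1_POLICY, USER1_ARN, ADMIN_ROLE_TRUST_POLICY, ADMIN_ROLE_ARN) and policy_allows(
        ADMIN_ROLE_POLICY, action, resource
    ):
        return "via Admin-Role"
    return None


if __name__ == "__main__":
    for action in ("ec2:RunInstances", "ec2:TerminateInstances", "s3:GetObject"):
        print(f"{action:24s} -> {effective_permission(action)}")
    print(json.dumps(ADMIN_ROLE_TRUST_POLICY, indent=2))
```

When reviewing who can reach a privileged action in a real account, the same two artifacts are what to pull: every identity policy granting `sts:AssumeRole` (or `iam:PassRole`) on the role, and the role's trust policy; removing either side closes the path, and a trust policy naming the account root rather than a specific principal is what makes the first side the only gate.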
Source: https://stackoverflow.com/questions/63198514/what-can-you-do-with-iam-roles-that-you-cannot-do-with-iam-groups