Not About IAM
Today We Talk About Credentials
Cliff Chao-kuan Lu
2015/3/26
Also
• I have been too busy lately, so the preparation was a bit rushed
• The slides are all text, text, text
• No animations
Background
• AWS abstracts away a lot of details
• Many people forget that AWS is a collection of APIs
  • They treat the Management Console like cPanel
  • They think of the SDK as interacting with native objects
Back to the Roots
• See it for what it really is
• At its core is IAM
So Today
• API signing
• IAM and Credentials
• How to make good use of IAM Identities
API Signing
•http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
API Signing (v4)
• Create canonical request
• Create digest of the request
• Create a string (algorithm, request, date, credential scope, digest)
• Create signing key with HMAC on the string using Secret Key
• Signature = keyed hash(signing key, string)
• A bit tedious; leave it to the SDK
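The five steps above worked through in Python, as an added example that is not the deck's own code (and not the SDK). It shows the detail step 4 glosses over: the signing key is a chain of HMACs from "AWS4" + secret over date, region and service, and the Authorization header carries only the access key, scope and signature, never the secret. The request values and the key pair are constructed.

```python
import hashlib
import hmac


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # Signing key: an HMAC chain from "AWS4" + secret, scoped to one day, region and service.
    # The secret itself is never sent; only signatures made with this derived key reach AWS.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, uri: str, query: str, headers: dict, payload: bytes) -> str:
    # Step 1: header names lower-cased and sorted; the payload hash binds the body to the signature.
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{name}:{lowered[name]}\n" for name in sorted(lowered))
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, uri, query, canonical_headers, signed_headers, payload_hash])


def sign_request(access_key: str, secret_key: str, region: str, service: str, amz_date: str,
                 method: str, uri: str, query: str, headers: dict, payload: bytes) -> str:
    """Return the Authorization header value for one request (Signature Version 4)."""
    date_stamp = amz_date[:8]                      # amz_date looks like 20150326T120000Z
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq = canonical_request(method, uri, query, headers, payload)
    # Steps 2-3: digest of the canonical request, then the string to sign.
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    # Steps 4-5: keyed hash of the string to sign under the derived signing key.
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    signed_headers = ";".join(sorted(h.lower() for h in headers))
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


if __name__ == "__main__":
    # Constructed sample request with a made-up key pair: the receiver sees the access key
    # and the signature, never the secret key.
    hdrs = {"Host": "iam.amazonaws.com", "X-Amz-Date": "20150326T120000Z"}
    print(sign_request("AKIDEXAMPLE", "EXAMPLE-SECRET", "us-east-1", "iam", "20150326T120000Z",
                       "GET", "/", "Action=ListUsers&Version=2010-05-08", hdrs, b""))
```

The signing-key derivation reproduces the test vector AWS publishes for the example secret key, so the chain can be checked independently of any request.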
Key Point
• AWS only ever sees the Access Key / Security Token (STS)
• Credentials are the core of everything
Credential Sources
• IAM User
  • GetSession()
• IAM Role
  • Instance Profile
• Other authorizations
  • AssumeRole()
Credentials Carry Metadata
• MFA (via GetSession() or AssumeRole())
• Expiry
• Identity ARN
  • Short of getting a 403, I don't know a graceful way to obtain it
  • CloudTrail logs have it, but with some delay
• Policies
Credential Policies
• Policies from the IAM Role / User
• AssumeRole() can pass in additional Policies
• When AWS receives a request, it checks again whether the caller has permission to call that API (evaluating all policies)
Use Case: Roles Instead of Groups
• A Role can require MFA from the Principal
• An IAM User must first have permission to call AssumeRole; only after MFA is verified can they switch roles
• IAM Group permissions are granted unconditionally; they can only be restricted through Group Policy
• Login as IAM User `clifflu`
• AssumeRole('arn:aws:iam::123412341234:role/admin')
Use Case: One IAM Role per Service Role
• Each Web Tier has its own Instance Profile for baseline authorization
• If more than one Service Role runs on the same machine
  • The Instance Profile only grants permission to assume each Service Role's IAM Role
• Dev machines?
  • As long as the Principal includes ec2, it can be used as an Instance Profile; adding the AWS Account to the Principal authorizes other Identities to AssumeRole
Caution
• STS is rather slow; call it on every web request and your customers will cry
• Make good use of regional endpoints
• Temporary credentials expire after one hour; remember to renew
• That opens up many more ways to manage them
Let Bygones Be Bygones
• We once recommended storing credentials in S3 and having machines fetch them periodically to rotate credentials
• It works, but it raises security concerns: a credential should never leave its holder
• Using an Instance Profile, with or without AssumeRole(), is the way to go today
If the Machine Is Not in AWS
• Creating an IAM User for the VM and generating credentials is one approach, but rotating the credentials is not easy
• Another approach: stand up a machine in AWS that verifies the requester's identity and then returns the corresponding temporary credentials (STS). I call it a Credential Factory; Stephen says AWS calls this a Credential Vending Machine
By the Way
• The IAM Policy evaluation rules seem to have changed a few months ago
• Previously {Allow All} + {Allow All; Condition: MFA} would Deny, but now it seems to Allow
That's all