sup*_*san 1 amazon-web-services amazon-iam aws-php-sdk
我一直在使用AWS PHP SDK,除了IAM角色和权限之外,我似乎得到了所有东西.
:是否有人可以在IAM角色是如何工作的,并解释下列条款最简单的术语解释给我听StatementId,Action,ARN而且最重要的Principal用简单的英语?
为了让您了解我的困惑,这是我最近遇到的一个问题.我正在尝试创建一个API网关,其中Resource的方法触发Lambda函数.直到我复制粘贴这一点它才能工作:
$lambdaClient->addPermission([
'FunctionName' => 'fn name',
'StatementId' => 'ManagerInvokeAccess',
'Action' => 'lambda:InvokeFunction',
'Principal' => 'apigateway.amazonaws.com',
]);
但是在其他一些帖子中有人建议使用以下内容:
const permissions = {
FunctionName: target,
StatementId: 'api-gateway-execute',
Action: 'lambda:InvokeFunction',
Principal: 'apigateway.amazonaws.com',
SourceArn: 'arn:aws:execute-api:' + nconf.get('awsRegion') + ':' + nconf.get('awsAccountId') + ':' + nconf.get('apiGatewayId') + '/*'};
为什么第一个不包含任何帐户信息但第二个呢?还有另一个人粘贴了一些完全不同的东西来为他工作.在最后一个例子中有很多键(比如"Fn :: Join"),我甚至不知道从哪里开始以及它做什么.
如何找出在哪里找到这些政策?我们只是从某个地方复制粘贴它们是否有办法确定它们.如果是这样,必须始终指定哪些键.
任何帮助将不胜感激,因为我现在完全糊涂了.
首先,欢迎来到AWS世界!:-D
让我试着通过类比来解释你对如何理解IAM(一般)的疑虑.
认为有一个名为ORG1的组织.
Deparments of ORG1: 人力资源部,测试部,DEV-dept
Employees of ORG1: EMP1,EMP2,EMP3 ...... EMP10
Members of HR dept: HR1,HR2,HR3
现在,我想为人力资源部门创建一个角色,授予他们雇用/暂停员工的权限.该政策如下所示:
{
"Version": "2012-10-17", // This is version of the template. Don't change this. This is NOT a date field for your use.
"Statement": [
{
"Sid": "SOME-RANDOM-ID-WITH-NUMBER-1P1PP43EZUVRM", // This is used as ID in some cases to identify different statments
"Principal": HR-dept, // the dept who is allowed to assume this role or the one who is allowed to invoke this role
"Effect": "Allow", // has only 2 values: ALLOW/DENY. Either You want to provided the below privileges or you want to striped off these privileges.
"Action": [
"hire",
"suspend",
], // these are privileges which are granted
"Resource": "EMP1", // the entity on whom do you want to apply those actions on. In this case employee EMP1.
"Condition": {
"ArnLike": {
"AWS:SourceArn": "HR*" // You want anyone from HR-dept whose id starts with HR to be able to execute the action.ie HR1,HR2 or HR3 .
}
}
}
]
}
现在尝试从相同的角度理解下面的代码(内部此代码创建类似于上面的模板):
const permissions = {
FunctionName: target,
StatementId: 'api-gateway-execute', // This is just an ID. Dont sweat about it.
Principal: 'apigateway.amazonaws.com', //which entity group the invoker belongs to
Action: 'lambda:InvokeFunction', // The privilege you are giving to API gateway api's
SourceArn: 'arn:aws:execute-api:.. blah blah blah' // ie. the exact Id of api-gateway which all has rights to invoke lambda function
};
AWS中ARN是一种独特ID的资源.有点像EmployeeId公司.这在全球是独一无二的.
相信我,起初看起来你在AWS中想要做的事情很难理解,但在某些时候,当你跨越每一个障碍时,你会开始变得舒服.然后,您将欣赏AWS功能的可定制性.
| 归档时间: |
|
| 查看次数: |
669 次 |
| 最近记录: |