Auto-sync: update nexus workspace
wiki/concepts/Assume-Role.md
@@ -0,0 +1,76 @@
---
title: "Assume Role"
type: concept
tags: [AWS, IAM, Security, Cross-Account, Authentication]
sources:
- ctp-topic-16-cross-account-terraform-modules.md
- ctp-topic-5-aws-identity-and-access-management-iam.md
last_updated: 2026-05-15
---

## Overview

Assume Role 是 AWS IAM 的一种安全机制,允许一个 AWS 实体(用户、服务或角色)通过调用 `sts:AssumeRole` API 获取另一个 IAM 角色的临时安全凭证,从而在不同的安全上下文中执行操作。这是 AWS 跨账号访问的核心机制。

## How It Works

```python
# 1. 源实体(如 ECS Deploy Runner)调用 STS AssumeRole
response = sts.assume_role(
RoleArn="arn:aws:iam::TARGET_ACCOUNT:role/Cross-account-ECS-Deploy-Runner-Role",
RoleSessionName="ecs-deploy-runner-session"
)

# 2. 获取临时凭证
temp_access_key = response['Credentials']['AccessKeyId']
temp_secret_key = response['Credentials']['SecretAccessKey']
temp_token = response['Credentials']['SessionToken']

# 3. 使用临时凭证访问目标账号资源
ec2_client = boto3.client('ec2',
aws_access_key_id=temp_access_key,
aws_secret_access_key=temp_secret_key,
aws_session_token=temp_token
)
```

## Key Properties

- **临时凭证**:有效期通常为 1-12 小时,过期后无法使用
- **最小权限**:仅获取所 Assume 角色的权限
- **审计可追溯**:所有 Assume 操作都会记录在 CloudTrail 中
- **无持久凭证泄露**:无需存储长期 Access Key

## Use Cases

| 场景 | 说明 |
|------|------|
| 跨账号部署 | Shared Account 的 EDR Assume 目标账号的角色执行 Terraform |
| 跨账号数据访问 | 账户 A 访问账户 B 的 S3 资源 |
| 服务间授权 | Lambda 函数 Assume 特定角色访问其他服务 |
| 联邦访问 | 跨账户的 IAM Role 信任关系 |

## Relationship with Cross-Account Terraform

在 [[Cross-account-Terraform-Modules]] 方案中:

```
[[Shared-Account]] (EDR)
↓ sts:AssumeRole
[[TF-State-Bucket-Accessor]] (目标账号) → 读写 Terraform 状态文件
↓
[[Cross-account-ECS-Deploy-Runner-Role]] (目标账号) → 执行资源部署
```

## Relationships

- [[Shared-Account]] ← uses ← [[Assume-Role]]
- [[ECS-Deploy-Runner]] ← uses ← [[Assume-Role]]
- [[Blast-Radius]] ← enables ← [[Assume-Role]]
- [[Cross-account-Terraform-Modules]] ← mechanism ← [[Assume-Role]]

## Related Concepts

- [[IAM-Policy]]:Assume Role 的权限边界由 IAM Policy 定义
- [[Blast-Radius]]:Assume Role 是控制爆炸半径的关键工具
- [[Cross-account-Terraform-Modules]]:Assume Role 是跨账号 Terraform 方案的核心技术
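Review bot: The `## How It Works` snippet does not run as written: `sts` and `boto3` are used without being imported or created, so add `import boto3` and `sts = boto3.client('sts')` before the `sts.assume_role(` call; it would also help to read `response['Credentials']['Expiration']`, since the Key Properties section rests on the credentials expiring. Key Properties should state the precondition the page leaves implicit: `sts:AssumeRole` only succeeds when the target role's trust policy names the caller and the caller's own identity policy allows the action, and "最小权限" holds only if the assumed role's permission policy is itself scoped down. On the "1-12 小时" range: a session defaults to one hour, the upper bound is the role's MaxSessionDuration, and if the second arrow in the Cross-Account Terraform diagram is an AssumeRole made with the first role's temporary credentials, that is role chaining and the session is capped at one hour regardless of MaxSessionDuration. Two consistency nits: `[[Blast-Radius]] ← enables ← [[Assume-Role]]` under Relationships reads as if Assume Role widens the blast radius, while Related Concepts says it is the tool that controls it, so `limits` fits better; and the `联邦访问` row of the Use Cases table describes a cross-account role trust, which is not federation, whereas federation in IAM terms means AssumeRoleWithSAML or AssumeRoleWithWebIdentity against an external identity provider.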