ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
804954c367698e3726ed2fa92ee87691995a30d5
nexus/wiki/concepts/Assume-Role.md

77 lines
2.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "Assume Role"
type: concept
tags: [AWS, IAM, Security, Cross-Account, Authentication]
sources:
- ctp-topic-16-cross-account-terraform-modules.md
- ctp-topic-5-aws-identity-and-access-management-iam.md
last_updated: 2026-05-15
---
## Overview
Assume Role 是 AWS IAM 的一种安全机制,允许一个 AWS 实体(用户、服务或角色)通过调用 `sts:AssumeRole` API 获取另一个 IAM 角色的临时安全凭证,从而在不同的安全上下文中执行操作。这是 AWS 跨账号访问的核心机制。
## How It Works
```python
# 1. 源实体(如 ECS Deploy Runner调用 STS AssumeRole
response = sts.assume_role(
RoleArn="arn:aws:iam::TARGET_ACCOUNT:role/Cross-account-ECS-Deploy-Runner-Role",
RoleSessionName="ecs-deploy-runner-session"
)
# 2. 获取临时凭证
temp_access_key = response['Credentials']['AccessKeyId']
temp_secret_key = response['Credentials']['SecretAccessKey']
temp_token = response['Credentials']['SessionToken']
# 3. 使用临时凭证访问目标账号资源
ec2_client = boto3.client('ec2',
aws_access_key_id=temp_access_key,
aws_secret_access_key=temp_secret_key,
aws_session_token=temp_token
)
```
## Key Properties
- **临时凭证**:有效期通常为 1-12 小时,过期后无法使用
- **最小权限**:仅获取所 Assume 角色的权限
- **审计可追溯**:所有 Assume 操作都会记录在 CloudTrail 中
- **无持久凭证泄露**:无需存储长期 Access Key
## Use Cases
| 场景 | 说明 |
|------|------|
| 跨账号部署 | Shared Account 的 EDR Assume 目标账号的角色执行 Terraform |
| 跨账号数据访问 | 账户 A 访问账户 B 的 S3 资源 |
| 服务间授权 | Lambda 函数 Assume 特定角色访问其他服务 |
| 联邦访问 | 跨账户的 IAM Role 信任关系 |
## Relationship with Cross-Account Terraform
在 [[Cross-account-Terraform-Modules]] 方案中:
```
[[Shared-Account]] (EDR)
↓ sts:AssumeRole
[[TF-State-Bucket-Accessor]] (目标账号) → 读写 Terraform 状态文件
[[Cross-account-ECS-Deploy-Runner-Role]] (目标账号) → 执行资源部署
```
## Relationships
- [[Shared-Account]] ← uses ← [[Assume-Role]]
- [[ECS-Deploy-Runner]] ← uses ← [[Assume-Role]]
- [[Blast-Radius]] ← enables ← [[Assume-Role]]
- [[Cross-account-Terraform-Modules]] ← mechanism ← [[Assume-Role]]
## Related Concepts
- [[IAM-Policy]]Assume Role 的权限边界由 IAM Policy 定义
- [[Blast-Radius]]Assume Role 是控制爆炸半径的关键工具
- [[Cross-account-Terraform-Modules]]Assume Role 是跨账号 Terraform 方案的核心技术
Reference in New Issue View Git Blame Copy Permalink