77 lines
2.6 KiB
Markdown
77 lines
2.6 KiB
Markdown
---
|
||
title: "Assume Role"
|
||
type: concept
|
||
tags: [AWS, IAM, Security, Cross-Account, Authentication]
|
||
sources:
|
||
- ctp-topic-16-cross-account-terraform-modules.md
|
||
- ctp-topic-5-aws-identity-and-access-management-iam.md
|
||
last_updated: 2026-05-15
|
||
---
|
||
|
||
## Overview
|
||
|
||
Assume Role 是 AWS IAM 的一种安全机制,允许一个 AWS 实体(用户、服务或角色)通过调用 `sts:AssumeRole` API 获取另一个 IAM 角色的临时安全凭证,从而在不同的安全上下文中执行操作。这是 AWS 跨账号访问的核心机制。
|
||
|
||
## How It Works
|
||
|
||
```python
|
||
# 1. 源实体(如 ECS Deploy Runner)调用 STS AssumeRole
|
||
response = sts.assume_role(
|
||
RoleArn="arn:aws:iam::TARGET_ACCOUNT:role/Cross-account-ECS-Deploy-Runner-Role",
|
||
RoleSessionName="ecs-deploy-runner-session"
|
||
)
|
||
|
||
# 2. 获取临时凭证
|
||
temp_access_key = response['Credentials']['AccessKeyId']
|
||
temp_secret_key = response['Credentials']['SecretAccessKey']
|
||
temp_token = response['Credentials']['SessionToken']
|
||
|
||
# 3. 使用临时凭证访问目标账号资源
|
||
ec2_client = boto3.client('ec2',
|
||
aws_access_key_id=temp_access_key,
|
||
aws_secret_access_key=temp_secret_key,
|
||
aws_session_token=temp_token
|
||
)
|
||
```
|
||
|
||
## Key Properties
|
||
|
||
- **临时凭证**:有效期通常为 1-12 小时,过期后无法使用
|
||
- **最小权限**:仅获取所 Assume 角色的权限
|
||
- **审计可追溯**:所有 Assume 操作都会记录在 CloudTrail 中
|
||
- **无持久凭证泄露**:无需存储长期 Access Key
|
||
|
||
## Use Cases
|
||
|
||
| 场景 | 说明 |
|
||
|------|------|
|
||
| 跨账号部署 | Shared Account 的 EDR Assume 目标账号的角色执行 Terraform |
|
||
| 跨账号数据访问 | 账户 A 访问账户 B 的 S3 资源 |
|
||
| 服务间授权 | Lambda 函数 Assume 特定角色访问其他服务 |
|
||
| 联邦访问 | 跨账户的 IAM Role 信任关系 |
|
||
|
||
## Relationship with Cross-Account Terraform
|
||
|
||
在 [[Cross-account-Terraform-Modules]] 方案中:
|
||
|
||
```
|
||
[[Shared-Account]] (EDR)
|
||
↓ sts:AssumeRole
|
||
[[TF-State-Bucket-Accessor]] (目标账号) → 读写 Terraform 状态文件
|
||
↓
|
||
[[Cross-account-ECS-Deploy-Runner-Role]] (目标账号) → 执行资源部署
|
||
```
|
||
|
||
## Relationships
|
||
|
||
- [[Shared-Account]] ← uses ← [[Assume-Role]]
|
||
- [[ECS-Deploy-Runner]] ← uses ← [[Assume-Role]]
|
||
- [[Blast-Radius]] ← enables ← [[Assume-Role]]
|
||
- [[Cross-account-Terraform-Modules]] ← mechanism ← [[Assume-Role]]
|
||
|
||
## Related Concepts
|
||
|
||
- [[IAM-Policy]]:Assume Role 的权限边界由 IAM Policy 定义
|
||
- [[Blast-Radius]]:Assume Role 是控制爆炸半径的关键工具
|
||
- [[Cross-account-Terraform-Modules]]:Assume Role 是跨账号 Terraform 方案的核心技术
|