AWS Identity da Gudanarwa Access

Sashi na 1 na 3

A 2011, Amazon ya sanar da samun AWS Identity & Access Management (IAM) don tallafawa CloudFront. An kafa IAM a shekara ta 2010 kuma sun hada da goyon bayan S3. AWS Identity & Management Access (IAM) ba ka damar samun masu amfani da yawa a cikin asusun AWS. Idan ka yi amfani da Ayyukan Intanet na Amazon (AWS), kana sane cewa hanya guda kawai don sarrafa abun ciki a AWS ya hada da bada fitar da sunan mai amfani da kalmar sirri ko maɓallan damar shiga.

Wannan babban damuwa ne ga mafi yawan mu. IAM ya kawar da buƙatar raba kalmomin sirri da samun dama.

Kullum canza canjin kalmarmu ta AWS ko samar da sababbin maɓallai ne kawai bayani ne kawai lokacin da ma'aikaci zai bar tawagarmu. AWS Identity & Management Access (IAM) ya kasance mai kyau farkon barin kowane mai amfani da asusun da maɓalli guda. Duk da haka, mun kasance mai amfani S3 / CloudFront don haka muna kallon CloudFront da za a kara wa IAM wanda ya faru.

Na sami takardun a kan wannan sabis ɗin don zama bit warwatse. Akwai wasu ƙananan samfurori uku waɗanda ke ba da dama ga goyon baya ga Identity & Access Management (IAM). Amma masu haɓakawa yawanci suna da kyau saboda haka sai na nemi hanyar warwarewa kyauta ga sarrafa IAM tare da sabis na Amazon S3.

Wannan labarin yana tafiya ta hanyar aiwatar da Dokar Lissafin Layin da ke goyan bayan IAM da kafa ƙungiyar / mai amfani da damar S3. Kuna buƙatar samun saiti na asusun Amazon AWS S3 kafin ka fara saitawa Identity & Access Management (IAM).

Abinda na ke amfani dashi, Amfani da sabis na Mahimmanci ta Amazon (S3), zai biye ku ta hanyar aiwatar da asusun AWS S3.

A nan ne matakan da ke cikin kafa da aiwatar da mai amfani a IAM. An rubuta wannan don Windows amma zaka iya amfani da tweak don amfani a Linux, UNIX da / ko Mac OSX.

1. Shigar da kuma daidaita Siffar Layin Dokokin (CLI)

1. Ƙirƙiri Rukuni
2. Bada Rukunin Ƙungiyar zuwa S3 Bucket da CloudFront
3. Ƙirƙiri Mai amfani kuma Ƙara zuwa Rukuni
4. Ƙirƙiri Abinda ke shiga Sirri da Ƙirƙiri Keys
5. Samun gwajin

Shigar da kuma daidaita Siffar Layin Dokokin (CLI)

Lissafin Layin IAM Na Lissafin Shirin Java yana samuwa a cikin Amazon na AWS Developers Tools. Wannan kayan aiki yana ba ka damar kashe API umarni daga mai amfani da harsashi (DOS don Windows).

• Kuna buƙatar gudu Java 1.6 ko mafi girma. Zaku iya sauke samfurin sabuwar daga Java.com. Don ganin wane sakon da aka shigar a kan tsarin Windows ɗinka, bude Dokar Girma da kuma shiga cikin java -version. Wannan ya ɗauka cewa java.exe yana cikin PATH.
• Sauke kayan aiki na IAM CLI kuma cire wani wuri a cikin kundin ka.
• Akwai fayiloli 2 a tushen kayan aiki na CLI wanda kana buƙatar sabuntawa.
  • takaddun shaidar takaddama.wannan: Wannan fayil yana riƙe da takardun shaidar AWS. Ƙara AWSAccessKeyId da AWSSecretKey, ajiye da kuma rufe fayil.
  • abokin ciniki-config.template : Kuna buƙatar sabunta wannan fayil idan kuna buƙatar uwar garken wakili. Cire samfurori da sabunta ClientProxyHost, ClientProxyPort, ClientProxyUsername da ClientProxyPassword. Ajiye kuma rufe fayil.
• Mataki na gaba zai hada da ƙarin Ƙariyar Mahalli. Je zuwa Sarrafa Gudanarwa | Abubuwan Yanki | Tsarin tsarin saiti | Abubuwan da ke Mahalli. Ƙara da wadannan masu canji:
  • AWS_IAM_HOME : Sanya wannan madauki zuwa shugabanci inda ka cire kayan aiki na CLI. Idan kuna gudana Windows kuma ba shi da shi a tushen kullun C ɗinku, mai canza zai zama C: \ IAMCli-1.2.0.
  • JAVA_HOME : Saita wannan madaidaici zuwa jagorar inda aka shigar da Java. Wannan zai zama wuri na fayil na java.exe. A cikin shigarwar Windows 7 Java ta al'ada, wannan zai zama kamar C: \ Fayilolin Shirin (x86) \ Java \ jre6.
  • AWS_CREDENTIAL_FILE : Sanya wannan madaidaiciya zuwa hanyar da sunan fayil na takaddun shaidar da aka samo a sama. Idan kuna gudana Windows kuma ba shi da shi a tushen kafran C ɗinku, mai sauƙi zai kasance C: \ IAMCli-1.2.0 \ wajan takaddama.
  • CLIENT_CONFIG_FILE : Kuna buƙatar ƙara wannan matakan yanayin idan kana buƙatar uwar garken wakili. Idan kuna gudana Windows kuma ba shi da shi a tushen ka na C, madadin zai zama C: \ IAMCli-1.2.0 \ abokin ciniki-config.template. Kada ka ƙara wannan madauki sai dai idan kana buƙatar shi.

• Gwada shigarwa ta hanyar zuwa Umurnin Umurnin kuma shigar da adireshin mai amfani na im. Idan dai ba ku sami kuskure ba, ya kamata ku zama mai kyau don tafiya.

Duk umurnin IAM za a iya gudu daga umarnin Umurnin. Dukkanin umarnin sun fara da "iam-".

Ƙirƙiri Rukuni

Akwai ƙananan ƙungiyoyi 100 da za a iya ƙirƙirar ga kowane asusun AWS. Yayin da zaka iya sanya izini a IAM a matakin mai amfani, ta amfani da kungiyoyi zasu zama mafi kyau. A nan ne tsari don ƙirƙirar ƙungiya a IAM.

• Hadawa don ƙirƙirar rukuni shine kim-groupcreate -g GROUPNAME [-p PATH] [-v] inda -p da -v suna zaɓuɓɓuka. Cikakkun bayanai game da Dokokin Lantarki yana samuwa a kan AWS Docs.

• Idan kana so ka ƙirƙiri rukuni da ake kira "masu jarrabawa", za ka shiga, iam-groupcreate -g masu ɗaukaka a Dokar Umurnin.
• Kuna iya duba cewa an kirkirar rukuni ta hanyar shigar da rukunin kungiya-ƙungiya a cikin Dokar Umurnin. Idan ka ƙirƙiri wannan rukuni, to fitarwa zai kasance wani abu kamar "arn: aws: iam :: 123456789012: rukuni / awesomeusers", inda lambar ku lambar asusun AWS ne.

Bada Rukunin Ƙungiyar zuwa S3 Bucket da CloudFront

Gudanar da ka'idojin abin da ƙungiya ta iya yi a S3 ko CloudFront. Ta hanyar tsoho, ƙungiyar ku ba za ta sami dama ga wani abu ba a AWS. Na sami takardun akan manufofi don ya zama OK amma a cikin ƙirƙirar wasu manufofi, Na yi jaraba da kuskure don samun abubuwa da ke aiki kamar yadda na so suyi aiki.

Kana da wasu zaɓuɓɓuka domin samar da manufofi.

Ɗaya daga cikin zaɓi shine zaka iya shigar da su kai tsaye cikin Dokar Umurni. Tun da yake kuna iya ƙirƙirar wata manufar kuma tweaking shi, a gare ni ya zama da sauƙi a ƙara manufar a cikin fayil ɗin rubutu sannan a ajiye fayil ɗin rubutu a matsayin saitin tare da umarni na-iam-groupuploadpolicy. A nan ne tsari ta yin amfani da fayil ɗin rubutu kuma aikawa ga IAM.

• Yi amfani da wani abu kamar Notepad kuma shigar da rubutu mai zuwa kuma ajiye fayil din:
  
  {
  "Bayanin": [{
  "Sakamakon": "Izinin",
  "Action": "s3: *",
  "Resource": [
  "arn: aws: s3 ::: BUCKETNAME",
  "arn: aws: s3 ::: BUCKETNAME / *"]
  },
  {
  "Sakamakon": "Izinin",
  "Action": "s3: ListAllMyBuckets",
  "Resource": "arn: aws: s3 ::: *"
  },
  {
  "Sakamakon": "Izinin",
  "Action": ["girgije: *"],
  "Resource": "*"
  }
  ]
  }
  
• Akwai sassa uku zuwa wannan manufofin. Anyi amfani da Ƙaƙwalwar don Yarda ko ƙin wasu nau'i na dama. Ayyukan shine ƙayyadaddun abubuwa da kungiyar zata iya yi. Za a yi amfani da Ma'aikatar don samun dama ga buckets guda.

• Zaka iya iyakance Ayyuka akayi daban-daban. A cikin wannan misali, "Action": ["s3: GetObject", "s3: ListBucket", "s3: GetObjectVersion"], rukuni zai iya lissafin abinda ke cikin guga da sauke abubuwa.
• Sashe na farko "Yarda" kungiyar ta yi dukkan ayyukan S3 na guga "BUCKETNAME".
• Sashe na biyu "Yarda" kungiyar ta lissafa duk buckets a S3. Kuna buƙatar wannan don haka za ku iya ganin jerin buckets idan kuna amfani da wani abu kamar AWS Console.

• Sashe na uku yana bada cikakken damar shiga kungiyar zuwa CloudFront.

Akwai kuri'a na zaɓuɓɓuka lokacin da suka zo manufofin IAM. Amazon yana da kayan aiki na musamman wanda ake kira AWS Policy Generator. Wannan kayan aiki yana bada Gari inda za ka iya ƙirƙirar manufofinka kuma samar da ainihin lambar da kake buƙatar aiwatar da manufofin. Haka kuma za ka iya bincika sashen Harshen Hanyoyin Harshe na Amfani da AWS Identity da Gudanar da Bayanin Gano Kan layi.

Ƙirƙiri Mai amfani kuma Ƙara zuwa Rukuni

Hanyar ƙirƙirar sabon mai amfani kuma ƙara zuwa rukuni don samar da damar samun su ta ƙunshi wasu matakai.

• Maganar don ƙirƙirar mai amfani ita ce iM-usercreate -u USERNAME [-p PATH] [-g GROUPS ...] [-k] [-v] inda -p, -g, -k da -v ne zaɓuɓɓuka. Cikakkun bayanai game da Dokokin Lantarki yana samuwa a kan AWS Docs.
• Idan kuna son ƙirƙirar mai amfani "bob", za ku shiga, iam-usercreate -u bob -g masu ɗaukaka a umurnin Prompt.
• Kuna iya duba cewa an yi amfani da mai amfani daidai ta hanyar shigar da ƙungiya-ƙungiya -g masu kyau a Dokar Gyara. Idan ka ƙirƙiri wannan mai amfani, to fitarwa zai zama abu kamar "arn: aws: iam :: 123456789012: mai amfani / bob", inda lambar ku lambar asusun AWS ne.

Ƙirƙiri Abokai na Farko da Ƙirƙiri Keys

A wannan lokaci, ka ƙirƙiri mai amfani amma kana buƙatar samar da su ta hanya don zahiri ƙara da cire abubuwa daga S3.

Akwai wasu zaɓuɓɓuka biyu don samar da masu amfani da damar samun S3 ta amfani da IAM. Zaka iya ƙirƙirar Mahadar shiga da kuma samar masu amfani da kalmar sirri. Suna iya amfani da takardun shaidar su don shiga cikin Kayan Aikin na Amazon AWS. Ƙarin wannan shine don ba masu amfani da maɓallin dama da maɓallin asiri. Suna iya amfani da waɗannan makullin a cikin kayan aiki na uku kamar S3 Fox, CloudBerry S3 Explorer ko S3 Browser.

Ƙirƙiri Mahadar shiga

Samar da bayanin shiga ga masu amfani da S3 suna ba su da sunan mai amfani da kalmar sirri da za su iya amfani dasu don shiga shafin yanar gizo na Amazon AWS.

• Hadawa don ƙirƙirar bayanan shiga shine iam-useraddloginprofile -U USERNAME -p KASHEWA. Cikakkun bayanai game da Dokokin Lantarki yana samuwa a kan AWS Docs.
• Idan kuna son ƙirƙirar bayanin martaba don mai amfani "bob", za ku shiga, iam-useraddloginprofile -u bob -p KASHEWA a Dokar Gyara.

• Zaka iya duba cewa an halicci bayanin martaba daidai ta shigar da mai-usergetloginprofile -u bob a Umurnin Umurnin. Idan ka ƙirƙiri bayanin martaba na shiga don bob, kayan aiki zai kasance wani abu kamar "Shiga Mahalar da aka samu don mai amfani bob".

Ƙirƙiri Keys

Samar da wani AWS Secret Access Key da kuma daidai AWS Access Key ID za ta ba da damar masu amfani su yi amfani da software na uku kamar yadda aka ambata. Ka tuna cewa a matsayin ma'auni na tsaro, za ka iya samun waɗannan maɓallan yayin aiwatar da ƙara bayanin martabar mai amfani. Tabbatar ka kwafa da manna fitarwa daga Dokar Kira da ajiyewa a cikin fayil ɗin rubutu. Zaka iya aika fayil ɗin zuwa mai amfani.

• Hadawa don ƙara mabuɗan don mai amfani shi ne i-useraddkey [-U USERNAME]. Cikakkun bayanai game da Dokokin Lantarki yana samuwa a kan AWS Docs.
• Idan kuna son ƙirƙirar mabuɗan don mai amfani "bob", za ku shiga iam-useraddkey -u bob a umurnin Prompt.
• Umurnin zai fito da makullin wanda zai yi kama da wannan:
  AKIACOOB5BQVEXAMPLE
  BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE
  
  Lissafi na farko shi ne ID ɗin Dama mai mahimmanci kuma layi na biyu shi ne Maɓallin Access Key. Kana buƙatar duka biyu don software na uku.

Samun gwajin

Yanzu da ka kirkiro ƙungiyoyi / masu amfani na IAM kuma ya ba kungiyoyin damar yin amfani da manufofin, kana buƙatar gwada damar.

Ƙungiyar Console

Masu amfani da ku za su iya amfani da sunan mai amfani da kalmar shiga don shiga cikin AWS Console. Duk da haka, wannan ba shafin yanar gizon yanar gizo na yau da kullum wanda aka yi amfani dashi ga babban asusun AWS ba.

Akwai URL mai mahimmanci da za ka iya amfani da wanda zai samar da hanyar shiga don asusun Amazon AWS kawai. Ga adireshin nan don shiga S3 don masu amfani da IAM.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

Lambar AWS-ACCOUNT-NUMBER shine lambar asusun AWS na yau da kullum. Za ka iya samun wannan ta shiga cikin Shafin yanar gizo na Intanet na Amazon. Shiga kuma danna Asusun | Ayyukan Ayyuka. Lambar asusun ku a cikin kusurwar dama. Tabbatar ka cire dashes. URL ɗin zai yi kama da https://123456789012.signin.aws.amazon.com/console/s3.

Amfani da Ƙunin Hanya

Zaku iya saukewa da shigar da kowane kayan aiki na uku wanda aka ambata a wannan labarin. Shigar da ID ɗin damar samun dama da kuma asirin sirri ta hanyar takardun kayan aiki na 3rd.

Ina bayar da shawarar sosai don ƙirƙirar mai amfani na farko sannan kuma mai amfani ya yi cikakken jarrabawa cewa za su iya yin duk abin da suke bukata a S3. Bayan ka tabbatar da ɗaya daga cikin masu amfani da ku, za ku iya ci gaba da kafa duk masu amfani da S3.

Resources

Ga wadansu 'yan albarkatu don ba ku fahimtar Gida da Gudanarwa (IAM).

• Farawa tare da IAM
• Rukunin Layin Jagora na IAM
• Amazon AWS Console
• AWS Policy Generator
• Yin amfani da AWS Identity da Gudanarwa Access

• IAM Release Notes
• IAM Tattaunawa Tattaunawa
• IAM FAQs