Ubunikazi be-AWS kunye noLawulo lokuFikelela

Icandelo 1 le-3

Ngo-2011, ama-Amazon amemezele ukufumaneka kwe-AWS Identity & Access Management (IAM) inkxaso yeFolFFront. IAM yasungulwa ngo-2010 yaye iquka inkxaso yeS3. I-AWS Identity & Management Access (IAM) yenza ukuba ube nabasebenzisi abaninzi kwi-AWS akhawunti. Ukuba usebenzisa i-Amazon Web Services (AWS), uyazi ukuba indlela kuphela yokuphatha umxholo kwi-AWS ibandakanya ukunika igama lakho lomsebenzisi kunye nephasiwedi okanye ukufumana ukhiye.

Oku kunokwenene ukukhathazeka ngokwenene kuninzi lwethu. IAM iphelisa imfuno yokwabelana ngamaphasiwedi kunye neenkcukacha zokufikelela.

Ukutshintsha rhoqo iphasiwedi yethu ephezulu ye-AWS okanye ukuvelisa izihluthulelo ezintsha kukuphela kwesisombululo esixakekileyo xa ilungu lomsebenzi lishiya iqela lethu. Ubunikazi be-AWS kunye noLawulo lokuFikelela (IAM) kwakuqala ukuvumela ii-akhawunti zomsebenzisi ngabanye ukhiye. Nangona kunjalo, singumsebenzisi we-S3 / CloudFront ngoko siye sajonga i-CloudFront ukuba ifakwe kwi-IAM ekugqibeleni kwenzeka.

Ndafumana amaxwebhu kule nkonzo ukuba athathwe. Kukho imveliso emithathu yeqela elinikezela uluhlu lwe-Identity & Access Management (IAM). Kodwa abaphuhlisi bavame ukuxhalabisa ngoko ndifuna isisombululo samahhala ekulawuleni i-IAM nenkonzo yethu yakwa-Amazon S3.

Eli nqaku lihamba kwinkqubo yokumisela i-Command Line Interface exhasa i-IAM nokuseka iqela / umsebenzisi nge-S3 ukufikelela. Kufuneka ube ne-akhawunti ye-Amazon AWS S3 ngaphambi kokuba uqale ukuqwalasela i-Identity & Access Management (IAM).

Inqaku lam, Ukusebenzisa i-Amazon Simple Storage Service (S3), iya kukuhamba ngeenkqubo zokuseka i-akhawunti ye-AWS S3.

Namanyathelo abandakanyekayo ekumiseni nasekuphumezeni umsebenzisi kwi-IAM. Oku kubhaliwe kwiWindows kodwa unokwenza usebenze kwi Linux, UNIX kunye / okanye iMac OSX.

1. Faka kwaye uqwalasele i-Interface Line Line (CLI)

1. Yakha iQela
2. Nika I-Group Access kwi-Bucket ye-S3 ne-CloudFront
3. Yenza Umsebenzisi kwaye ungeze kwiQela
4. Yenza I-Profile Profile kwaye Yakha Keys
5. UkuFikelelwa kovavanyo

Faka kwaye uqwalasele i-Interface Line Line (CLI)

IAM I-Command Line Toolkit yinkqubo yeJava ekhoyo kumaziko e-AWS Developers ama-Amazon. Isixhobo sikuvumela ukuba wenze imiyalelo ye-IAM API kwi-shell utility (i-DOS ye-Windows).

• Kufuneka usebenze nge-Java 1.6 okanye ngaphezulu. Unokukhuphela i-version yangoku kusuka kwiJava.com. Ukubona ukuba yiyiphi ifayile efakwe kwi-Windows system, vula i-Command Prompt kwaye uthayiphe kwi-java -version. Oku kuthatha ukuba i-java.exe i-PATH yakho.
• Khuphela i-toolkit ye-IAM CLI uze uyivule kwindawo ethile kwi-drive yakho yangaphakathi.
• Kukho iifayile ezi-2 kwingcambu ye-CLI yezixhobo ezifunekayo ukuzihlaziya.
  • i-aws-credential.template: Le fayili igcina iziqinisekiso zakho ze-AWS. Yongeza i-AWSAccessKeyId kunye ne-AWSSecretKey yakho, gcina kwaye uvale ifayile.
  • umthengi-config.template : Udinga kuphela ukuhlaziya le fayile ukuba ufuna i-proxy server. Susa impawu # uze ubuyekeze iKlayentiProxyHost, iKlayentiProxyPort, igama lomsebenzisi kunye neCententProxyPassword. Gcina kwaye uvale ifayile.
• Isinyathelo esilandelayo kubandakanya ukongeza iiNguqulelo zeNdalo. Yiya kwiPaneli yokuLawula | Properties Properties | Izicwangciso zeenkqubo eziphambili | Zendalo. Yongeza ezi zilandelayo:
  • AWS_IAM_HOME : Beka olu tshintsha kwi-directory apho uvula khona i-toolkit ye-CLI. Ukuba uqhuba iWindows kwaye uyayifaka kwi-root drive yakho, i-variable iya kuba yiC: \ IAMCli-1.2.0.
  • JAVA_HOME : Beka olu tshintsha kwi-directory apho iJava ifakiwe khona. Oku kuya kuba yindawo yefayile ye java.exe. Kwimeko eqhelekileyo yokufakwa kwe-Windows 7 ye Java, oku kuya kuba yinto efana neC: \ Programme Files (x86) \ Java \ jre6.
  • I-AWS_CREDENTIAL_FILE : Beka le nguqulo kumendo kunye negama lefayile ye-aws-credential.template oye yahlaziywa ngasentla. Ukuba uqhuba iWindows kwaye uyayifaka kwi-root drive yakho yeC, uguqulo luya kuba yiC: \ IAMCli-1.2.0 \ aws-credentification.template.
  • CLIENT_CONFIG_FILE : Kuphela kufuneka udibanise le mimo yendawo ukuba ufuna i-proxy server. Ukuba uqhuba iWindows kwaye uyayifaka kwi-root drive yakho yeC, uguquko luya kuba yiC: \ IAMCli-1.2.0 \ client-config.template. Ungafaki le nguquko ngaphandle kokuba uyidinga.

• Vavanya ukufakela ngokuya kwi-Prompt Command kwaye ufake i-user-pathpath. Ngaphandle kokuba ungafumani impazamo, kufuneka ulungele ukuya.

Yonke imiyalelo ye-IAM ingaqhutywa kwi-Prompt Command. Yonke imiyalelo iqala nge "iam-".

Yakha iQela

Kukho amaqela angama-100 angadalwa kwi-akhawunti nganye ye-AWS. Ngoxa unako ukubeka iimvume kwi-IAM kumgangatho womsebenzisi, ukusebenzisa amaqela kuya kuba yinto efanelekileyo kakhulu. Nantsi inkqubo yokudala iqela kwi-IAM.

• I-syntax ekwakheni iqela i-group-groupcreate -g GROUPNAME [-p PATH] [-v] apho -p kunye -v zikhetho. Amaxwebhu apheleleyo kwi-Interface Line yoLwazi iyafumaneka kwi-AWS Docs.

• Ukuba ufuna ukudala iqela elibizwa ngokuthi "iindlobongela", ungangena, udibanise -cwangcisa -g awesomeusers kwi-Command Prompt.
• Ungaqwalasela ukuba iqela lenziwe ngokuchanekileyo ngokufaka i-group-path listpath kwi-Prompt Command. Ukuba udale kuphela leli qela, umphumo uza kuba yinto efana ne "arn: aws: iam :: 123456789012: iqela / izinto ezinobungqingili", apho inombolo yakho ye-AWS inombolo yenombolo.

Nika I-Group Access kwi-Bucket ye-S3 ne-CloudFront

Iipolisi zilawula oko iqela lakho liyakwazi ukukwenza kwi-S3 okanye kwi-CloudFront. Ngokungagqibekanga, iqela lakho aliyi kufumana nantoni na kwi-AWS. Ndifumene amaxwebhu emigaqo-nkqubo ukuba ilungile kodwa ekudaleni iipolisi ezimbalwa, ndenze inzame kunye nephutha ukwenza izinto zisebenze ngendlela endifuna ukuba zisebenze ngayo.

Unokhetho oluninzi lokudala imigaqo-nkqubo.

Enye inketho ungayifaka ngqo kwi-Prompt Command. Ekubeni unokuba udala umgaqo-nkqubo kwaye uyiguqula, kuba ngathi kubonakala kulula ukufaka umgaqo-nkqubo kwifayile yombhalo uze ulayishe ifayile yombhalo njengeparameter kunye nenqubomgomo yomyalelo wokulayisha iqela. Nantsi inkqubo usebenzisa ifayile yombhalo kunye nokulayisha kwi-IAM.

• Sebenzisa into efana ne-Notepad uze ufake umbhalo olandelayo uze ulondoloze ifayile:
  
  {
  "Ingxelo": [{
  "Impembelelo": "Vumela",
  "Isenzo": "s3: *",
  "Isibonelelo": [
  "arn: aws: s3 ::: BUCKETNAME",
  "arn: aws: s3 ::: BUCKETNAME / *"]
  },
  {
  "Impembelelo": "Vumela",
  "Isenzo": "s3: ListAllMyBuckets",
  "Isixhobo": "arn: aws: s3 ::: *"
  },
  {
  "Impembelelo": "Vumela",
  "Isenzo": ["ngaphambili]: *"],
  "Isixhobo": "*"
  }
  ]
  }
  
• Kukho amacandelo amathathu kulo mgaqo-nkqubo. I-Effect isetyenzisiweyo ukuVumela okanye ukulahla uhlobo oluthile lokufikelela. I-Action yinto ekhethekileyo eyenziwa yiqela. Isibonelelo siya kusetyenziswa ukunika ufikelelo lweebhakethi.

• Unako ukukhawulela iActions ngabanye. Kulo mzekelo, "I-Action": ["s3: GetObject", "s3: ListBucket", "s3: GetObjectVersion"], iqela liyakwazi ukuluhlu lokubhalisa kwibhakethi nokukhuphela izinto.
• Icandelo lokuqala "Ivumela" iqela ukwenza zonke izenzo ze-S3 kwibhakethi "BUCKETNAME".
• Icandelo lesibini "Ivumela" iqela ukuba lihlule zonke iibhakethi kwi-S3. Uyakudinga oku ukuze ukwazi ukubona uluhlu lweebhakethi xa usebenzisa into efana ne-AWS Console.

• Icandelo lesithathu linika iqela ukufikelela ngokupheleleyo kwi-CloudFront.

Kukho iinketho ezininzi xa kuza kwiinkqubo ze-IAM. I-Amazon inesisityezelo esilungileyo esikhoyo esibizwa ngokuba yi-AWS Policy Generator. Esi sixhobo sinikeza i-GUI apho unokudala khona iipolisi zakho kwaye uvelise ikhowudi yangempela oyifunayo ukuphumeza umgaqo-nkqubo. Unokujonga kwakhona iCandelo loLwimi loLwazi lokuFikelela kokuSebenzisa i-AWS Identity kunye noLawulo lokuPhathwa koLwazi kwi-intanethi.

Yenza Umsebenzisi kwaye ungeze kwiQela

Inkqubo yokudala umsebenzisi omtsha kunye nokongeza kwiqela ukuwanika ukufikelela kufaka amanqanaba ambalwa.

• I-syntax yokudala umsebenzisi i-uam-usercreate -u-USERNAME [-p PATH] [-g IGOUPHA ...] [-k] [-v] apho -p, -g, -k kunye -v zikhetho. Amaxwebhu apheleleyo kwi-Interface Line yoLwazi iyafumaneka kwi-AWS Docs.
• Ukuba ufuna ukudala umsebenzisi "bob", ungangena, u-usebenzise -u bob -g awesomeusers kwi-Prompt Command.
• Ungaqwalasela ukuba umsebenzisi wadalwa ngokufanelekileyo ngokufaka abahluleli beqela -g-awesomeusers kwi-Prompt Command. Ukuba udale kuphela lo mse benzisi, umphumo uza kuba yinto efana ne "arn: aws: iam :: 123456789012: umsebenzisi / bob", apho inombolo inombolo yakho ye-akhawunti ye-AWS.

Yakha i-Logon Profile kwaye Yakha Keys

Kule ngongoma, udale umsebenzisi kodwa kufuneka uwanike indlela yokongeza kwaye ususe izinto ukusuka kwi-S3.

Kukho iindlela ezi-2 ezifumanekayo ukubonelela abasebenzisi bakho ukufikelela kwi-S3 usebenzisa i-IAM. Unokwenza iProfayile yokungena kwaye unikezele abasebenzisi bakho ngephasiwedi. Bangasebenzisa iziqinisekiso zabo ukungena kwi-Amazon AWS Console. Enye inketho kukunika abasebenzisi bakho ukhiye wokufikelela kunye nencoko eyimfihlo. Bangasebenzisa ezi zitshixo kwizixhobo zenkampani ye-3 njenge-S3 Fox, i-CloudBerry S3 Explorer okanye i-S3 Browser.

Yenza I-Profile Profile

Ukudala iProfayile yokungena kubasebenzisi bakho be-S3 inikezela ngegama lomsebenzisi kunye nephasiwedi abangayisebenzisa ukungena kwi-Amazon AWS Console.

• I-syntax yokudala iphrofayli yokungena ngemvume i-user-useaddloproprofile -u USERNAME -p IPASSWORD. Amaxwebhu apheleleyo kwi-Interface Line yoLwazi iyafumaneka kwi-AWS Docs.
• Ukuba ufuna ukudala iphrofayli yokungena ngemvume yomsebenzisi "bob", ungangena, u-useraddloginprofile -u bob -p IPASSWORD kwi-Prompt Command.

• Ungaqwalasela ukuba iprofayili yokungena yenziwe ngokuchanekileyo ngokufaka i-user-loggetprofileprofile -u bob kwi-Prompt Command. Ukuba usungule iphrofayli yokungena ngemvume ye-bob, umphumo uza kuba yinto ethi "Iphrofayli yokungena ikhona kubasebenzisi bomsebenzisi".

Yakha i Keys

Ukudala i-AWS Secret Access Key kunye ne-ID ye-AWS yokuFikelela kwiNkcazo yokuKhawula iya kuvumela abasebenzisi bakho ukuba basebenzise isofthiwe yeqela lesithathu njengalezo ezikhankanywe ngaphambili. Gcina ukhumbule ukuba njengomlinganiselo wokhuseleko, unokufumana kuphela ezi zihluthuko ngexesha lokwengeza iphrofayili yomsebenzisi. Qinisekisa ukuba ukopi kwaye unamathisele umphumo kwi-Prompt Command kwaye ugcine kwifayile yombhalo. Ungathumela ifayile kumsebenzisi wakho.

• I-syntax yokongeza izitshixo zomsebenzisi iam-useradkeykey [-u USERNAME]. Amaxwebhu apheleleyo kwi-Interface Line yoLwazi iyafumaneka kwi-AWS Docs.
• Ukuba ufuna ukudala izitshixo zomsebenzisi "bob", uza kufaka i-user-dodkey -u bob kwi-Prompt Command.
• Umyalelo uya kukhupha izitshixo eziza kubheka into enje:
  AKIACOOB5BQVEXAMPLE
  BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE
  
  Umgca wokuqala yi-ID ye-Access Key kunye nomgca wesibini yiNkcazo yokuFinyelela iMfihlo. Udinga zombini kwesoftware yesithathu.

UkuFikelelwa kovavanyo

Ngoku ukuba udale amaqela e-IAM / abasebenzisi kwaye unike amaqela ukungena usebenzisa imigaqo-nkqubo, kufuneka uvavanye ukufikelela.

Ukufikelela kwiConsole

Abasebenzisi bakho bangasebenzisa igama labo lomsebenzisi kunye nephasiwedi ukungena ngemvume kwi-AWS Console. Nangona kunjalo, oku akusiyo iphepha lokungena ngemvume lexesha eliqhelekileyo elisetyenziselwa i-akhawunti ephezulu ye-AWS.

Kukho i-URL ekhethekileyo onokuyisebenzisa okuza kunika ifomu yokungena kwi-akhawunti yakho ye-Amazon AWS kuphela. Nantsi i-URL yokungena kwi-S3 kubasebenzisi bakho be-IAM.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

I-AWS-ACCOUNT-NUMBER yinombolo yakho ye-AWS rhoqo. Unokufumana oku ngokungena kwi-Amazon Web Service Sign In ifomu. Ngena kwaye nqakraza kwi-Akhawunti | Umsebenzi weAkhawunti. Inombolo yakho yeakhawunti ikhoneni eliphezulu eliphezulu. Qinisekisa ukuba ususa i-dashes. I-URL iya kubheka into efana ne-https://123456789012.signin.aws.amazon.com/console/s3.

Ukusebenzisa iifayile zokufikelela

Unokukhuphela uze ufake ifowuni yezinto ezi-3 esele zikhankanywe kweli nqaku. Faka i-ID ye-Key Key kunye neNkcazo yokuFinyelela imfihlelo ngamaphepha e-third party tool.

Ndiyincoma kakhulu ukuba udale umsebenzisi wokuqala kwaye ube nalo msebenzisi uvavanyo olupheleleyo ukuba banokwenza konke abakudinga ukukwenza kwi-S3. Emva kokuba uqinisekise omnye wabasebenzisi bakho, ungaqhubeka nokuseka bonke abasebenzisi bakho be-S3.

Izibonelelo

Nazi izibonelelo ezimbalwa zokunika ukuqonda okungcono kwe-Identity & Management Access (IAM).

• Ukuqalisa nge-IAM
• IAM Command Line Toolkit
• Amazon AWS Console
• I-AWS Policy Generator
• Ukusebenzisa i-AWS Identity and Management Management

• IAM Notes Release
• IiForam zeengxoxo zeIAM
• Imibuzo ye-IAM