I-AWS Identity kanye nokuphathwa kokufinyelela

Ingxenye 1 kwezingu-3

Ngo-2011, i-Amazon yamemezela ukutholakala kwe-AWS Identity & Access Management (IAM) ukwesekwa kwe-CloudFront. U-IAM wethulwa ngonyaka ka-2010 futhi wawuhlanganisa ukusekelwa kwe-S3. I-AWS Identity & Management Management (IAM) ikuvumela ukuthi ube nabasebenzisi abaningi ngaphakathi kwe-akhawunti ye-AWS. Uma usetshenzisile ama-Amazon Web Services (AWS), uyazi ukuthi indlela kuphela yokuphatha okuqukethwe ku-AWS ihilelekile ukunikeza igama lakho lomsebenzisi nephasiwedi noma ukufinyelela okhiye.

Lokhu kuyinkinga yangempela yokuphepha kwabaningi bethu. IAM iqeda isidingo sokuhlanganyela amaphasiwedi nokufinyelela okhiye.

Ukushintsha njalo iphasiwedi yethu eyinhloko ye-AWS noma ukudala izihluthulelo ezintsha kuyisisombululo esiyinkimbinkimbi lapho ilungu lomsebenzi lingashiya ithimba lethu. I-AWS Identity & Management Management (IAM) yayiyisiqalo esihle sokuvumela ama-akhawunti womsebenzisi ngamunye ngezihluthulelo ngabanye. Kodwa-ke, singumsebenzisi we-S3 / CloudFront ngakho-ke siye sabuka i-CloudFront ukuthi ingezwe ku-IAM okwenzeke ekugcineni.

Ngithole amadokhumenti kule nsizakalo ukuba ahlakazeke kancane. Kunemikhiqizo embalwa yeqembu lesithathu ehlinzeka ububanzi bokusekela kwe-Identity & Access Management (IAM). Kodwa abathuthukisi bavame ukuziqhenya ngakho ngafuna isixazululo samahhala ekuphatheni i-IAM nenkonzo yethu ye-Amazon S3.

Lesi sihloko sihamba ngenqubo yokusetha i-Command Line Interface esekela i-IAM nokusetha iqembu / umsebenzisi nge-S3 ukufinyelela. Kudingeka ube ne-akhawunti ye-Amazon AWS S3 ngaphambi kokuthi uqale ukulungisa i-Identity & Access Management (IAM).

Isihloko sami, Ukusebenzisa i-Amazon Simple Storage Service (S3), kuzokuhamba ngenqubo yokusetha i-akhawunti ye-AWS S3.

Nazi izinyathelo ezihilelekile ekumiseni nasekusebenziseni umsebenzisi ku-IAM. Lokhu kubhaliswe ku-Windows kepha ungakwazi ukuwasebenzisa ukuze usebenzise ku-Linux, UNIX kanye / noma i-Mac OSX.

1. Faka futhi ulungiselele IsiKhombo soMlayini we-Command (CLI)

1. Dala iqembu
2. Nika iqembu Ukufinyelela ku-S3 Bucket ne-CloudFront
3. Dala umsebenzisi futhi ungeze kuqembu
4. Dala iphrofayela ye-Login futhi Yakha Amakhi
5. Ukufinyelela kokuhlola

Faka futhi ulungiselele IsiKhombo soMlayini we-Command (CLI)

IAM Command Line Toolkit uhlelo lweJava olutholakala kuma-AWS Developers Tools e-Amazon. Ithuluzi ikuvumela ukuba usebenze imiyalo ye-IAM API kusuka ku-Umbuso we-shell (DOS for Windows).

• Udinga ukuqhuba i-Java 1.6 noma ngaphezulu. Ungalanda inguqulo yakamuva kusuka ku-Java.com. Ukuze ubone ukuthi yiliphi inguqulo efakwe ohlelweni lwakho lwe-Windows, vula i-Command Prompt kanye nohlobo lwe-java -version. Lokhu kuthatha ukuthi i-java.exe ikuPATH yakho.
• Landa i-toolkit ye-IAM CLI futhi uvule endaweni ethile ku-drive yangakini.
• Kukhona amafayela angu-2 empandeni ye-toolkit ye-CLI okudingeka uyibuyekeze.
  • i-aws-credential.template: Leli fayela ligcina iziqinisekiso zakho ze-AWS. Engeza i-AWSAccessKeyId yakho ne-AWSSecretKey yakho, londoloza futhi uvale ifayela.
  • iklayenti-config.template : Udinga kuphela ukuvuselela le fayela uma udinga iseva proxy. Susa izimpawu ezingu- # uphinde ubuyekeze i-ClientProxyHost, iKlayentiProxyPort, igama leKlayentiProxy kanye neCententProxyPassword. Londoloza bese uvale ifayela.
• Isinyathelo esilandelayo sisho ukungeza iziguquko zendawo. Yiya kuPhaneli Yokulawula | Izakhiwo zesistimu | Izilungiselelo zesistimu ezithuthukile | Ukuhlukahluka kwendawo. Engeza okuguquguqukayo okulandelayo:
  • I-AWS_IAM_HOME : Beka lokhu okuguquguqukayo esiqondisweni lapho usule khona i-toolkit ye-CLI. Uma usebenzisa iWindows futhi uyiqedile engxenyeni yokushayela kwakho kwe-C, ukuguquguquka kuzoba yiC: \ IAMCli-1.2.0.
  • I-JAVA_HOME : Setha lokhu okuguquguqukayo kwisiqondisi lapho i-Java efakwe khona. Lokhu kungaba indawo yefayela le-java.exe. Ku-installation evamile ye-Windows 7 Java, lokhu kungaba into efana neC: \ Program Files (x86) \ Java \ jre6.
  • AWS_CREDENTIAL_FILE : Setha lokhu kuguquguquka egameni legama lefayela le-aws-credential.template oyilungile ngenhla. Uma usebenzisa i-Windows futhi uyiqedile ekumpandeni kwe-drive yakho ye-C, ukuguquguquka kuzoba ngu-C: \ IAMCli-1.2.0 \ aws-credential.template.
  • I-CLIENT_CONFIG_FILE : Udinga kuphela ukwengeza le variable variable uma udinga iseva proxy. Uma usebenzisa i-Windows futhi uyiqedile ekumpandeni kwe-C yakho yokushayela, ukuguquguquka kuzoba yi-C: \ IAMCli-1.2.0 \ client-config.template. Ungangeze le variable ngaphandle kokuthi uyidinge.

• Hlola ukufakwa ngokuya ku-Command Prompt bese ufaka ohlwini lokusebenzisa umsebenzisi. Uma nje ungatholi iphutha, kufanele ube kuhle ukuhamba.

Yonke imiyalo ye-IAM ingasebenza kusukela ku-Command Prompt. Yonke imiyalo iqala nge "iam-".

Dala iqembu

Kunamaqembu angaphezu kwama-100 angadalwa ku-akhawunti ngayinye ye-AWS. Ngenkathi ungasetha izimvume ku-IAM ezingeni lomsebenzisi, ukusebenzisa amaqembu kungaba yindlela engcono kakhulu. Nansi inqubo yokwakha iqembu ku-IAM.

• I-syntax yokwakha iqembu i-group-groupcreate -g GROUPNAME [-p PATH] [-v] lapho -p na -v kungakhetha. Amadokhumenti agcwele ku-Interface Linelayini atholakala kuma-AWS Amadokhumenti.

• Uma ufuna ukudala iqembu elibizwa ngokuthi "abesabekayo", ungangena, qamba-hlanganisa -g abahlukumezi ku-Command Prompt.
• Ungabheka ukuthi iqembu lidalwe ngokufanele ngokufaka i-group-pathlisty pathath ku-Command Prompt. Uma ngabe udale leli qembu kuphela, ukukhishwa kuzoba into efana ne "arn: aws: iam :: 123456789012: iqembu / amahloni", lapho inombolo inombolo yakho ye-AWS.

Nika iqembu Ukufinyelela ku-S3 Bucket ne-CloudFront

Izinqubomgomo zilawula lokho iqembu lakho elikwazi ukukwenza ku-S3 noma ku-CloudFront. Ngokuzenzakalelayo, iqembu lakho ngeke likwazi ukufinyelela kunoma yini ku-AWS. Ngithole amadokhumende kumigomo yokulungiswa kodwa ekudaleni izinqubomgomo ezimbalwa, ngenza kancane ukulingwa nephutha ukuze ngithole izinto zisebenza ngendlela engifuna ngayo ukusebenza.

Unezinketho ezimbalwa zokudala izinqubomgomo.

Enye indlela ongayifaka ngqo ku-Command Prompt. Njengoba ungase udale inqubomgomo futhi uyiguqule, kimi kubonakala kulula ukufaka inqubomgomo ibe yifayili yombhalo bese ulayishe ifayela lombhalo njengepharamitha ngenqubomgomo yomyalo wokulayisha iqembu. Nansi inqubo usebenzisa ifayela lombhalo futhi ulayishe ku-IAM.

• Sebenzisa into efana ne-Notepad bese ufaka umbhalo olandelayo bese ulondoloza ifayela:
  
  {
  "Isitatimende": [{
  "Umphumela": "Vumela", "
  "Isenzo": "s3: *",
  "Imithombo": [
  "i-arn: aws: s3 ::: BUCKETNAME",
  "i-arn: aws: s3 ::: BUCKETNAME / *"]
  },
  {
  "Umphumela": "Vumela", "
  "Isenzo": "s3: UhluAllMyBuckets",
  "Imithombo": "arn: aws: s3 ::: *"
  },
  {
  "Umphumela": "Vumela", "
  "Isenzo": ["isifuba sangaphambili: *"],
  "Imithombo": "*"
  }}
  ]
  }}
  
• Kunezigaba ezintathu kule nqubomgomo. I-Effect isetshenziselwa Ukuvumela noma Ukushaya uhlobo oluthile lokufinyelela. Isenzo yizinto ezenziwa iqembu. Imithombo izosetshenziselwa ukunikeza ukufinyelela kwamabhakede ngamanye.

• Ungakwazi ukukhawulela Izenzo ngabanye. Kulesi sibonelo, "Isenzo": ["s3: GetObject", "s3: ListBucket", "s3: GetObjectVersion"], iqembu lizokwazi ukuhlunga okuqukethwe kwebhakede nokulanda izinto.
• Isigaba sokuqala "Ivumela" iqembu ukuba lenze zonke izenzo ze-S3 zebhakede elithi "BUCKETNAME".
• Isigaba sesibili "Ivumela" iqembu ukuthi lihlule zonke izimbiza ku-S3. Udinga lokhu ukuze ubone ngempela uhlu lwamabhakede uma usebenzisa into efana ne-AWS Console.

• Isigaba sesithathu sinikeza iqembu ithuba lokufinyelela okugcwele ku-CloudFront.

Kunezinketho eziningi lapho kufika izinqubomgomo ze-IAM. Ama-Amazon anethuluzi elihle kakhulu elitholakalayo elibizwa nge-AWS Policy Generator. Leli thuluzi linikeza i-GUI lapho ungakha khona izinqubomgomo zakho futhi wenze ikhodi yangempela oyidingayo ukuze usebenzise inqubomgomo. Ungaphinda uhlole isigaba solimi lwe-Access Access lwe-AWS Idatha nokuPhathwa kokuPhathwa kwe-Access Management.

Dala umsebenzisi futhi ungeze kuqembu

Inqubo yokudala umsebenzisi omusha nokwengeza eqenjini ukuwanikeza ukufinyelela kuhilela izinyathelo ezimbalwa.

• I-syntax yokudala umsebenzisi i-usam-userreate -u-USERNAME [-p PATH] [-g GROUPS ...] [-k] [-v] lapho -p, -g, -k kanye -v kuyizinketho. Amadokhumenti agcwele ku-Interface Linelayini atholakala kuma-AWS Amadokhumenti.
• Uma ufuna ukwakha umsebenzisi "bob", ungangena, u-usercreate -u bob -g abesabekayo ku-Command Prompt.
• Ungabheka ukuthi umsebenzisi wadalwe ngendlela efanele ngokufaka abahluleli beqembu -g abahlukumezi ku-Command Prompt. Uma ngabe udale kuphela lo msebenzisi, ukukhishwa kuzoba into efana ne "arn: aws: iam :: 123456789012: umsebenzisi / bob", lapho inombolo inombolo yakho ye-AWS.

Dala iphrofayela ye-Logon bese udala amakhi

Kuleli phuzu, udale umsebenzisi kodwa udinga ukuwahlinzeka ngendlela yokwengeza nokususa izinto kusuka ku-S3.

Kunezinketho ezimbili ezitholakalayo ukuze unikeze abasebenzisi bakho ukufinyelela ku-S3 besebenzisa i-IAM. Ungakha iphrofayela ye-Login futhi unikeze abasebenzisi bakho ngephasiwedi. Bangasebenzisa iziqinisekiso zabo ukungena kwi-Amazon AWS Console. Enye indlela ukunikeza abasebenzisi bakho ukhiye wokufinyelela kanye nesikhiye semfihlo. Bangasebenzisa lezi zihluthulelo kumathuluzi eqembu lesithathu njengo-S3 Fox, i-CloudBerry S3 Explorer noma i-S3 Browser.

Dala iphrofayela yomlando

Ukudala iphrofayela yokungena yabasebenzisi bakho be-S3 inikeza igama lomsebenzisi nephasiwedi abangayisebenzisa ukungena ngemvume ku-Amazon AWS Console.

• I-syntax yokudala iphrofayli yokungena ngemvume iyin-useraddloginprofile -u USERNAME -p PASSWORD. Amadokhumenti agcwele ku-Interface Linelayini atholakala kuma-AWS Amadokhumenti.
• Uma ufuna ukudala iphrofayli yokungena ngemvume yomsebenzisi "bob", ungangena, i-useraddloginprofile -u bob -p PASSWORD ku-Command Prompt.

• Ungabheka ukuthi iphrofayela yokungena ngemvume idalwe kahle ngokufaka i-user-loginprofile -u bob ku-Command Prompt. Uma ngabe udale iphrofayli yokungena ngemvume ye-bob, ukukhishwa kuyoba into efana ne- "I-Profile yokungena ikhona kumsebenzisi bob".

Dala Amakhi

Ukwakha i-AWS Secret Access Key kanye ne-ID ehambisanayo ye-AWS Access Key kuzovumela abasebenzisi bakho ukuthi basebenzise isofthiwe yeqembu lesithathu njengalezo ezibalulwe ngaphambili. Khumbula ukuthi njengendlela yokuphepha, ungathola kuphela lezi zakhi ngesikhathi senqubo yokwengeza iphrofayela yomsebenzisi. Qinisekisa ukuthi ukopisha futhi unamathisele okukhiphayo kusuka ku-Command Prompt bese ulondoloza kufayela lokubhala. Ungathumela ifayela kumsebenzisi wakho.

• I-syntax yokwengeza okhiye womsebenzisi iam-useraddkey [-u USERNAME]. Amadokhumenti agcwele ku-Interface Linelayini atholakala kuma-AWS Amadokhumenti.
• Uma ufuna ukudala ukhiye womsebenzisi "bob", ungangena i-user-ddkey -u bob ku-Command Prompt.
• Umyalo uzokhipha izikhiye ezingabheka into enjengale:
  AKIACOOB5BQVEXAMPLE
  BvQW1IpqVzRdbwPUirD3pK6L8ngoX4PTEXAMPLE
  
  Umzila wokuqala yi-ID Yokufinyelela Kokufinyelela kanye nomugqa wesibili yi-Key Access Key. Udinga kokubili isofthiwe yeqembu lesithathu.

Ukufinyelela kokuhlola

Manje njengoba usungule amaqembu / abasebenzisi be-IAM futhi unikeze amaqembu ukufinyelela ngokusebenzisa izinqubomgomo, udinga ukuhlola ukufinyelela.

Ukufinyelela kwekhonsoli

Abasebenzisi bakho bangasebenzisa igama lomsebenzisi nephasiwedi ukungena ngemvume ku-AWS Console. Kodwa-ke, lokhu akuyona ikhasi lokungena ngemvume le-console elivamile elisetshenziselwa i-akhawunti eyinhloko ye-AWS.

Kukhona i-URL ekhethekile ongayisebenzisa eyokunikeza ifomu lokungena ngemvume kwe-akhawunti yakho ye-Amazon AWS kuphela. Nasi i-URL yokungena ngemvume ku-S3 kubasebenzisi bakho be-IAM.

https://AWS-ACCOUNT-NUMBER.signin.aws.amazon.com/console/s3

I-AWS-ACCOUNT-NUMBER iyinombolo yakho ye-akhawunti ejwayelekile ye-AWS. Ungathola lokhu ngokungena kwifomu le-Amazon Web Service Sign In. Ngena ngemvume bese uchofoza ku-Akhawunti | Umsebenzi we-Akhawunti. Inombolo yakho ye-akhawunti iphezu ekhoneni elingakwesokudla. Qinisekisa ukuthi ususa ama-dashes. I-URL izobukeka okuthile njenge-https://123456789012.signin.aws.amazon.com/console/s3.

Ukusebenzisa ama-Keys okufinyelela

Ungalanda futhi ufake noma yikuphi amathuluzi weqembu lesithathu esivele ashiwo kulesi sihloko. Faka i-ID Yokhiye Wokufinyelela kanye Nokhiye Wokufinyeleleka Kwemfihlakalo kumadokhumenti wethhuluzi lesithathu.

Ngincoma ngokuqinile ukuthi udale umsebenzisi wokuqala futhi ube nomsebenzisi ovivinya ngokugcwele ukuthi bangakwenza konke okudingayo ukukwenza ku-S3. Emva kokuqinisekisa omunye wabasebenzisi bakho, ungaqhubeka nokusetha bonke abasebenzisi bakho be-S3.

Izinsiza

Nazi izinsiza ezimbalwa okuzokunika ukuqonda okungcono kwe-Identity & Access Management (IAM).

• Ukuqala nge-IAM
• IAM Command Line Toolkit
• I-Amazon AWS Console
• I-AWS Policy Generator
• Ukusebenzisa i-AWS Identity and Management Management

• Amanothi wokukhishwa kwe-IAM
• Ama-Forum Wezingxoxo ze-IAM
• IAM FAQs