使用 AWS STS 时哪个 AWS 账户会被计费?
Which AWS account gets billed when using AWS STS?
我希望使用 AWS STS 从另一个团队拥有的另一个 AWS 账户访问资源。
比如说,AWS 账户 A 试图访问 AWS 账户 B。
basically the steps I am following:
1. Create a user in Account A
2. Create Role in Account B with the necesaary permissions
3. Add assume role permissions for user in Account A
4. Use User credentials to get temporary credentials for Account B.
5. Use temp credentials on Account B.
但是,在阅读了大量 AWS 文档后,我无法弄清楚哪个账户需要为跨账户 API 调用付费?
当您使用 AssumeRole 授予对另一个亚马逊账户(账户 B)的访问权限时,您的身份会切换到另一个账户,用户名是您担任的角色名称。
唯一被调用的交叉账户 API 将是 AssumeRole。成功后,您将使用从 AssumeRole 返回的帐户 B 的临时凭证来使用 APIs。
除用户名外,所有所有权、账单等都与您最初以普通 IAM 用户身份登录账户 B 相同。
CloudTrail 记录 STS 类型调用,例如 AssumeRole 并记录所有经过身份验证的 API 请求。一旦 AssumeRole 成功,您的 activity(使用临时凭证)将被 CloudTrail 记录在账户 B 中。这当然假设 CloudTrail 已启用。
此 link 将为您提供有关 AWS 在使用 AssumeRole 时使用的用户身份的更多详细信息。
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.
Link
正如每个人都提到的,帐户 A 中的用户只是在帐户 B 中担任角色以临时访问帐户 B 中的资源,所有权保持不变,所有者为他拥有的资源付费。在这种情况下,支付的是帐户 B。 STS 是用于承担角色的服务,是 IAM 的一部分。
以下摘自IAM FAQ.
Q: How do I assume an IAM role?
You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
Q: How many IAM roles can I assume?
There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
Q: Who can use IAM roles?
Any AWS customer can use IAM roles.
Q: How much do IAM roles cost?
IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.
我希望使用 AWS STS 从另一个团队拥有的另一个 AWS 账户访问资源。
比如说,AWS 账户 A 试图访问 AWS 账户 B。
basically the steps I am following:
1. Create a user in Account A
2. Create Role in Account B with the necesaary permissions
3. Add assume role permissions for user in Account A
4. Use User credentials to get temporary credentials for Account B.
5. Use temp credentials on Account B.
但是,在阅读了大量 AWS 文档后,我无法弄清楚哪个账户需要为跨账户 API 调用付费?
当您使用 AssumeRole 授予对另一个亚马逊账户(账户 B)的访问权限时,您的身份会切换到另一个账户,用户名是您担任的角色名称。
唯一被调用的交叉账户 API 将是 AssumeRole。成功后,您将使用从 AssumeRole 返回的帐户 B 的临时凭证来使用 APIs。
除用户名外,所有所有权、账单等都与您最初以普通 IAM 用户身份登录账户 B 相同。
CloudTrail 记录 STS 类型调用,例如 AssumeRole 并记录所有经过身份验证的 API 请求。一旦 AssumeRole 成功,您的 activity(使用临时凭证)将被 CloudTrail 记录在账户 B 中。这当然假设 CloudTrail 已启用。
此 link 将为您提供有关 AWS 在使用 AssumeRole 时使用的用户身份的更多详细信息。
When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role. Link
正如每个人都提到的,帐户 A 中的用户只是在帐户 B 中担任角色以临时访问帐户 B 中的资源,所有权保持不变,所有者为他拥有的资源付费。在这种情况下,支付的是帐户 B。 STS 是用于承担角色的服务,是 IAM 的一部分。
以下摘自IAM FAQ.
Q: How do I assume an IAM role? You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.
Q: How many IAM roles can I assume? There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.
Q: Who can use IAM roles? Any AWS customer can use IAM roles.
Q: How much do IAM roles cost? IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.