Why does aws assume-role-with-saml require a role and a principal?
Can someone explain why the assume-role-with-saml operation requires some parameters that are already in the SAML assertion, such as role-arn and principal-arn?

The Amazon documentation for assume-role-with-saml provides the following information:

The --role-arn string option identifies the role assumed by the caller.

The --principal-arn string option requires careful reading. Amazon says: "The Amazon Resource Name (ARN) of the SAML provider in AWS IAM that describes the IdP."

The explanation for the latter is given a few paragraphs before: "Before your application can call assume-role-with-saml, you must configure your SAML identity provider (IdP) to issue the claims required by AWS."

The same page provides a link to Using Identity Providers, which explains the term: "Using identity providers, you can manage user identities outside of AWS, and you can give these external user identities permissions to use AWS resources in your account."

That is, you can use the --principal-arn option to associate the external user identity with the role. The --role-arn option is not really optional; it is a required parameter.

The SAML assertion (the --saml-assertion string option) is the additional "glue" that can be used to check permissions. Following the link in this option's description to Configuring a Relying Party and Adding Claims, Amazon says: "You also need to create appropriate claim rules in your IdP with AWS as a relying party. These rules map information about users and groups in your organization into appropriate SAML attributes. This lets you make sure that SAML authentication responses (assertions) from your IdP contain the necessary attributes that AWS uses in IAM policies to check permissions for federated users."

It then links to the page describing the assertion: Configure Assertions for the SAML Authentication Response.
After some research, I can answer. I asked why the --role-arn parameter is sent if it is already in the SAML assertion. In fact, the SAML assertion can contain multiple roles, so it is necessary to identify in the API request which role should be assumed. I found the answer in this link.
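Added example (not from the question, the answer, or AWS): parsing the AWS Role attribute out of a base64-encoded SAML response and picking one role/principal pair, which shows why the caller must name the role when the assertion grants more than one. The attribute name is the one AWS documents for SAML federation; the account id, role names and provider name in the sample response are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

# Namespace prefix for SAML 2.0 assertion elements, and the attribute name AWS
# reads role entitlements from (each value is "role ARN,provider ARN", either order).
SAML_A = "{urn:oasis:names:tc:SAML:2.0:assertion}"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample: a minimal IdP response granting two roles (placeholder ARNs).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ReadOnly,arn:aws:iam::123456789012:saml-provider/CorpIdP</saml:AttributeValue>
        <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/CorpIdP,arn:aws:iam::123456789012:role/Admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def extract_role_pairs(saml_assertion_b64):
    """Return (role_arn, principal_arn) tuples from a base64 SAML response.

    AWS accepts either order inside a value, so classify by ARN resource type
    instead of by position, and reject values that are not a role+provider pair."""
    root = ET.fromstring(base64.b64decode(saml_assertion_b64))
    pairs = []
    for attr in root.iter(SAML_A + "Attribute"):
        if attr.get("Name") != AWS_ROLE_ATTR:
            continue
        for value in attr.iter(SAML_A + "AttributeValue"):
            parts = [p.strip() for p in (value.text or "").split(",")]
            role = next((p for p in parts if ":role/" in p), None)
            principal = next((p for p in parts if ":saml-provider/" in p), None)
            if len(parts) != 2 or role is None or principal is None:
                raise ValueError(f"malformed Role attribute value: {value.text!r}")
            pairs.append((role, principal))
    return pairs


def select_role(saml_assertion_b64, wanted_role_arn):
    """Choose the pair to pass as --role-arn / --principal-arn; the assertion alone
    is ambiguous when it carries several roles, hence the explicit parameter."""
    for role, principal in extract_role_pairs(saml_assertion_b64):
        if role == wanted_role_arn:
            return {"role_arn": role, "principal_arn": principal}
    raise LookupError(f"{wanted_role_arn} is not granted by this assertion")
```

The returned pair maps directly onto the two options the question asks about, with the same assertion passed as --saml-assertion.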