AWS IAM 角色中的默认信任策略是什么意思？

Question

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

你能解释一下这里的ec2.amazonaws.com是什么意思吗？我现在可以通过什么方式承担这个角色？

Answer 1

A Principal within an Amazon IAM policy 指定 允许或拒绝访问的用户（IAM 用户、联合用户或担任角色的用户）、AWS 账户、AWS 服务或其他委托人实体一个资源:

You use the Principal element in the trust policies for IAM roles and in resource-based policies—that is, in policies that you embed directly in a resource. For example, you can embed such policies in an Amazon S3 bucket, an Amazon Glacier vault, an Amazon SNS topic, an Amazon SQS queue, or an AWS KMS encryption key.

对于手头的策略，主体是 AWS 服务 ec2.amazonaws.com，也就是说，此信任策略授予 Amazon EC2 服务承担 any您账户中的 IAM 角色（即隐含 "Resource": "*" 语句）。

您可以进一步将政策限制为仅涵盖一个或多个特定角色，这需要通过 Resource 声明（例如 "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/ROLE-NAME"
这在 IAM Roles for Amazon EC2, where you are effectively Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2

AWS IAM 角色中的默认信任策略是什么意思？

What does the default trust policy in an AWS IAM role mean?

amazon-web-services

amazon-iam