获取STS扮演角色用户标签

huangapple go评论76阅读模式
英文:

Get STS Assume Role User Tags

问题

我正试图将元数据存储到一个STS“假定角色”会话中,以便在会话用户调用我的服务时可以检索它。

为了实现这一点,我在STS assumeRole 创建过程中设置了一个标签:

AWSSecurityTokenService service = ...
AssumeRoleRequest request = new AssumeRoleRequest();
request.setTags(ImmutableList.of(new Tag().withKey("metadataKey").withValue("metadataValue")));
...
service.assumeRole(request);

在我的后端服务中,我接收调用者的用户名和ARN,这对应于临时会话。然而,我无法查找IAM用户的详细信息(其中包含标签)。

AmazonIdentityManagement iamClient = ...
GetUserRequest request = new GetUserRequest();
request.setUsername(...);
// 由于临时用户的用户名中有冒号,下面的这行代码会失败
iamClient.getUser(request);

如何检索临时“假定角色用户”的标签?

英文:

I am trying to store metadata into an STS "assume role" session so that I can retrieve it when the session user calls my service.

To accomplish this, I am setting a tag during the STS assumeRole creation:

AWSSecurityTokenService service = ...
AssumeRoleRequest request = new AssumeRoleRequest();
request.setTags(ImmutableList.of(new Tag().withKey("metadataKey").withValue("metadataValue")));
...
service.assumeRole(request);

In my backend service, I receive the username and ARN of the caller which corresponds to the temporary session. However, I am not able to lookup the details of the IAM user (which would contain the tags).

AmazonIdentityManagement iamClient = ...
GetUserRequest request = new GetUserRequest();
request.setUsername(...);
// this next line fails because the temporary user has a colon in the username
iamClient.getUser(request);

How would I retrieve the Tags of a temporary 'Assume Role user'?

答案1

得分: 1

如何检索临时“假定角色用户”的标签?

这个问题基于对标签用途的误解。标签用于进一步允许/拒绝对资源的访问。它们不用作存储元数据的画布。这得到了AWS文档的支持:

当您使用会话凭证进行后续请求时,请求上下文包括aws:PrincipalTag上下文键。您可以在策略的条件元素中使用aws:PrincipalTag键,以基于这些标签允许或拒绝访问。在此处查看更多

无法通过IAM ARN查找临时会话用户,因为AWS没有存储持久数据。

但是,有一个变通方法,您可以使用“会话名称”字段存储有限的元数据。AWS在ARN中使用会话名称,因此只要这些值不是敏感信息,就可以实际存储它们。

在角色创建期间:

AWSSecurityTokenService service = ...
request.setRoleSessionName("metadata=test");
service.assumeRole(request);

最终,用户ARN的格式如下,可以被另一个服务读取:

[generatedId]:metadata=test[moreData]
英文:

> How would I retrieve the Tags of a temporary 'Assume Role user'?

This question is based on a misunderstanding of what Tags are used for. Tags are used to further ALLOW / DENY access to resources. They are not used as a canvas for storing metadata. This is supported by the AWS documentation:

> When you use the session credentials to make a subsequent request, the request context includes the aws:PrincipalTag context key. You can use the aws:PrincipalTag key in the Condition element of your policies to allow or deny access based on those tags. See more here

Temporary session users cannot be looked up from an IAM ARN as there is no persistent data stored by AWS.

However, there is a workaround where you can store limited metadata using the "session name" field. AWS uses the session name in the ARN, so values can actually be stored as long as they are not sensitive information.

During the role creation:

AWSSecurityTokenService service = ...
request.setRoleSessionName("metadata=test");
service.assumeRole(request);

Finally, the user ARN is in this format and can be read by another service

[generatedId]:metadata=test[moreData]

huangapple
  • 本文由 发表于 2020年9月2日 07:24:37
  • 转载请务必保留本文链接:https://go.coder-hub.com/63696713.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定