Reputation: 171
I am reading through the AWS documentation Understanding how IAM works and I'm confused about the definitions for identities and entities.
Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.
Entities
The IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.
What's the difference between the two? They are both IAM resource objects. They both include users and roles (although only identities have groups). You can only attach a policy to an identity but not an entity, but you ultimately authenticate an entity but not an identity. Is the naming difference just a question of grammar, or is there something fundamentally different between the two?
Upvotes: 11
Views: 5969
Reputation: 23
Based on my understanding of this page
First you need to understand what a principal is.
Principal - (AWS account root user, IAM User, Role, Federated User, or Assumed Role) - used by a person or an application to sign in to AWS (authentication) and request an action or operation on an AWS resource.
IAM Entity - (IAM users, federated users, and assumed IAM roles) - IAM resource objects that AWS uses for authentication.
Note: Both Principal and IAM Entity are used for Authentication (not authorization) of the User or Application.
You may have observed that IAM Entity consists of IAM resource objects only, and the AWS account root user is not part of it, as the AWS account root user is not part of the IAM service.
Once the user's or application's credentials are successfully authenticated by matching the sign-in credentials to a Principal, for AWS to grant the Principal access to use AWS services it needs to validate the IAM policies and determine what actions/operations are allowed/denied to the principal. Here IAM Identity comes into the picture.
IAM Identity - (users, groups, and roles) - IAM resources that can be authorized in policies to perform action/operation on resources.
In simple terms, users/applications authenticate against Principals / IAM Entities using sign-in credentials or access keys. Once authenticated, the principals' (AWS account root user + IAM Entities) requests to perform actions/operations are validated (allowed/denied) against the IAM Identities authorized in the policies.
Upvotes: 1
Reputation: 414
I found this answer in a LinkedIn course:
Entities are the users and roles requesting access, whereas identities include anything you can attach a policy to which includes groups.
Upvotes: 0
Reputation: 31
As far as I understand, an Entity is about authentication whereas Identities are about authorization.
For example, let's say we can have two entities (Admin Andy & Janitor Jerry). Both can log in because they are both entities. Admin Andy (the entity) is a "User". As a "User" he also has the identity of "User Admin Andy". Janitor Jerry (the entity) is also a "User". As a "User" he has the identity of "User Janitor Jerry".
There might exist a Group called "Janitors" which has permissions to access the mop closet. This "Group" is an Identity but not an Entity. The policy defining access to the mop closet would then be attached to the Group not the User.
There might be another policy which gets attached to the User Identity for Jerry called "Jerries Locker Access".
An alternative way to handle the "Janitors" group is to define a Role called "Janitor" instead of defining a Group called "Janitors". You would attach the policy for the mop closet to the "Janitor Role" and attach the "Janitor Role" to the User "Jerry".
Conclusion:
Entities can log in.
Identities can receive permissions in the form of policies.
--
At least that is how I understand it. If I'm wrong, please correct me.
Upvotes: 3
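The group-based and role-based variants of the janitor example above, written out as actual IAM resources. This is an added CloudFormation template, not code from the answer or from AWS; the bucket names mop-closet and jerry-locker are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # A group is an identity (you can attach policies to it) but not an entity:
  # nothing can sign in as "Janitors".
  JanitorsGroup:
    Type: AWS::IAM::Group
    Properties:
      GroupName: Janitors
  # A user is both: an entity (authenticates with a password or access keys)
  # and an identity (receives policies directly and through its groups).
  Jerry:
    Type: AWS::IAM::User
    Properties:
      UserName: jerry
      Groups: [!Ref JanitorsGroup]
      Policies:
        - PolicyName: JerriesLockerAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ["s3:ListBucket", "s3:GetObject", "s3:PutObject"]
                Resource: ["arn:aws:s3:::jerry-locker", "arn:aws:s3:::jerry-locker/*"]  # placeholder bucket
  # A role is an identity; its trust policy lists which entities may authenticate
  # as the assumed role. Here only the user jerry may assume it.
  JanitorRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: Janitor
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !GetAtt Jerry.Arn }
            Action: sts:AssumeRole
  # The mop-closet policy is attached to identities only: the group (for the
  # group-based variant) and the role (for the role-based variant).
  MopClosetAccess:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Groups: [!Ref JanitorsGroup]
      Roles: [!Ref JanitorRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: ["s3:ListBucket", "s3:GetObject"]
            Resource: ["arn:aws:s3:::mop-closet", "arn:aws:s3:::mop-closet/*"]  # placeholder bucket
```

Note the asymmetry: every policy attaches to an identity (group, user, role), while only the user and the assumed role can authenticate; the group never appears in a trust policy and never holds credentials.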
Reputation: 139
I found this page from AWS to also be useful:
Understanding how IAM works - With Diagram
I agree that these terms are often used interchangeably and this was the clearest example I could find.
Upvotes: 0
Reputation: 1722
My understanding was helped by this diagram from the Wikipedia page on IAM.
Entities represent the actors on the system, and they may each have multiple identities.
Unfortunately this doesn't translate well to IAM resources, and the IAM User Guide itself is pretty loose when referring to entities, identities, and principals (it often seems to use them interchangeably). As you've already noticed, identities are special since they can have policies attached to them directly. While some entities can have policies attached to them (since they also happen to be identities), that's more of an implementation detail, rather than a feature.
Upvotes: 11