Reputation: 3327
Best practice AWS access key and secret for applications
What is the best practice for using the AWS and secret access keys when setting up the AWS application?
To get the access key and access secret, create an IAM account, but the IAM account is associated with a user, not with an application. What is the best to get an access key and access secret that is specific to an application (or different application environments, production, staging, etc.?) if the IAM users are meant to be for actual users and not for applications?
Upvotes: 0
Views: 1976
Answers (1)
Reputation: 19683
You wouldn't assign an IAM user to an application, typically you use an IAM Role.
To understand the difference, let us go through IAM basic knowledge
IAM controls: Who (authentication) can do What (authorization) in your AWS account. Authentication(who) with IAM is done with users/groups and roles whereas authorization(what) is done by policies.
Here the term
User - End user think about people
Groups- a set of users under one set of permission(policies)
Roles - are used to grant specific permission to specific actors for a set of duration of time. These actors can be authenticated by AWS or some trusted external system.
User and roles use policies for authorization. Keep in mind that user and role can't do anything until you allow certain actions with a policy.
Answer the following questions and you will differentiate between a user and a role:
- Can have a password? Yes-> user, No-> role
- Can have an access key? Yes-> user, No-> role
- Can belong to a group? Yes-> user, No -> role
- Can be associated with AWS resources (for example EC2 instances)? No-> user, Yes->role
AWS supports 3 Role Types for different scenarios
- AWS service roles (for example: EC2, Lambda, Redshift,...)
- Cross-Account Access: granting permissions to users from other AWS account, whether you control those account or not.
- Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation: - Web-based identity such as Facebook, Goolge- IAM support ingeration via OpenID Connect - SAML 2.0 identity such as Active Directory, LDAP.
To understand what role is, you need to read its use case, I don't want to reinvent the wheel so please read the following AWS documents: https://aws.amazon.com/blogs/security/how-to-use-a-single-iam-user-to-easily-access-all-your-accounts-by-using-the-aws-cli/
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
Hope it helps.
Upvotes: 3
Related Questions
- Filter Google Sheets pivot table for current month
- VBA Pivot Filter by month period
- How to use months as columns from date in Oracle SQL
- Excel Pivot Table - Display Year and Month Separately
- PivotTable to forecast by date
- Calculate difference from previous date in Excel pivot table
- Using GETPIVOTDATA with date range
- Pivot table Sort month for different years
- Month wise data in sql pivot
- How do I get per month average in an Excel Pivot Table