Tuesday, October 20, 2020

AWS - Security Token Service (STS)

Sources from which users can come to access AWS services:

  1. Federations
  2. Federations with Mobile
  3. Cross Account Access

Federation : Grouping of users from multiple domains, like IAM, Facebook, Google etc.
Identity Broker : An AWS service used to connect a user to a federation.
It takes a user from point X and joins it to point Y.
Identity Store : Services that have their own user database, like Facebook, Google.
Identity : A user.


Steps to Remember :
  1. Create an Identity Broker that connects to the organisation's LDAP directory and to AWS STS.
  2. The Identity Broker first connects to the organisation's LDAP to verify the user, then it connects to the AWS Security Token Service (STS).
  3. Call to STS
    Scenario 1:
    The Identity Broker calls the GetFederationToken function with its IAM credentials, a duration (1-36 hrs: validity of the new token) and a policy that lists which permissions are to be assigned.
    Scenario 2:
    If the Identity Broker gets an IAM role associated with the user from LDAP, then the Identity Broker calls STS and the returned token contains permissions based on that role's permissions.
  4. STS returns a temporary token with an Access Key, a Secret Access Key, a Session Token and its Duration (lifetime of the token).
  5. The application then uses this token to call the S3 bucket.
  6. S3 confirms the permissions with IAM and allows the application to access the bucket.
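The six steps above as a runnable offline model (an added example, not code from the post or from AWS). It assumes an in-memory DIRECTORY in place of the organisation's LDAP, a FakeSTS class in place of AWS STS (the real call would be boto3's sts.get_federation_token, which needs credentials and network), and permissions written as "service:Action:resource-glob" strings instead of full IAM JSON policies. The point it shows: the token's effective permissions are the intersection of the broker's own IAM permissions and the policy passed in, so a broker can never hand out more than it holds, and every token carries its own expiry.

```python
"""Identity-broker flow (steps 1-6) as an offline model. Added example; the
directory, FakeSTS and the permission-string format are all constructed."""
import fnmatch
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory entries: password hash plus the permissions the user's LDAP group grants.
DIRECTORY = {
    "alice": {"pw": _pw_hash("correct horse"),
              "perms": {"s3:GetObject:reports/*", "s3:ListBucket:reports"}},
    "bob": {"pw": _pw_hash("hunter2"), "perms": {"s3:GetObject:public/*"}},
}

# Permissions held by the broker's own IAM credentials. A federation token can
# never carry more than this, whatever policy the broker passes in.
BROKER_IAM_PERMS = {"s3:GetObject:reports/*", "s3:ListBucket:reports",
                    "s3:GetObject:public/*", "s3:PutObject:uploads/*"}

MIN_DURATION = 15 * 60        # GetFederationToken lower bound (15 min)
MAX_DURATION = 36 * 60 * 60   # upper bound (36 hrs), as in step 3


class FakeSTS:
    """Stand-in for STS GetFederationToken (constructed; mirrors the response shape)."""

    def __init__(self, caller_perms):
        self.caller_perms = set(caller_perms)

    def get_federation_token(self, name, policy, duration_seconds):
        if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
            raise ValueError("DurationSeconds out of range")
        issued = datetime.now(timezone.utc)
        return {
            "Credentials": {                                  # step 4
                "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
                "SecretAccessKey": secrets.token_urlsafe(30),
                "SessionToken": secrets.token_urlsafe(60),
                "Expiration": issued + timedelta(seconds=duration_seconds),
            },
            "FederatedUser": {"FederatedUserId": f"123456789012:{name}"},
            # Effective permissions = broker's IAM permissions INTERSECT the passed policy.
            "_effective_perms": self.caller_perms & set(policy),
        }


class IdentityBroker:
    """Steps 1-3: authenticate against the directory, then call STS."""

    def __init__(self, directory, sts):
        self.directory = directory
        self.sts = sts

    def federate(self, username, password, policy=None, duration_seconds=3600):
        user = self.directory.get(username)
        # Step 2: verify the user with the directory before touching STS.
        if user is None or not hmac.compare_digest(user["pw"], _pw_hash(password)):
            raise PermissionError("directory authentication failed")
        # Scenario 1: the broker supplies an explicit policy.
        # Scenario 2: the policy is derived from the role/group found in LDAP.
        session_policy = policy if policy is not None else user["perms"]
        return self.sts.get_federation_token(username, session_policy, duration_seconds)


def is_allowed(token, action, resource):
    """Step 6: S3 checks the request against the token's permissions."""
    for perm in token["_effective_perms"]:
        perm_action, _, perm_resource = perm.rpartition(":")
        if perm_action == action and fnmatch.fnmatchcase(resource, perm_resource):
            return True
    return False


def seconds_remaining(token):
    """Step 4: the token carries its own lifetime."""
    return (token["Credentials"]["Expiration"] - datetime.now(timezone.utc)).total_seconds()


if __name__ == "__main__":
    broker = IdentityBroker(DIRECTORY, FakeSTS(BROKER_IAM_PERMS))
    tok = broker.federate("alice", "correct horse")
    print(is_allowed(tok, "s3:GetObject", "reports/q3.csv"))   # True
    print(is_allowed(tok, "s3:GetObject", "public/logo.png"))  # False
```

Two things worth checking in your own broker: that a password failure is rejected before any STS call is made (the broker's IAM credentials should never be exercised for an unauthenticated user), and that a policy wider than the broker's own permissions, as in Scenario 1, still yields a token limited to what the broker holds.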
