Amazon Simple Queue Service
开发人员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

Amazon SQS 的身份验证和访问控制

访问 Amazon SQS 时需要有 AWS 可以用来验证您的请求的凭证。这些凭证必须有权访问 AWS 资源,如 Amazon SQS 队列和消息。下面几节提供详细的信息来说明如何使用 AWS Identity and Access Management (IAM) 和 Amazon SQS 控制对您的资源的访问,从而对其进行保护。

主题

身份验证

您可以以下面任一类型的身份访问 AWS:

  • AWS 账户根用户 – When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.

  • IAM 用户IAM 用户是您的 AWS 账户中的一种身份,它具有特定的自定义权限 (例如,用于在 Amazon SQS 中创建 a queue 的权限)。您可以使用 IAM 用户名和密码来登录以保护 AWS 网页,如 AWS 管理控制台AWS 开发论坛AWS Support Center

     

    除了用户名和密码之外,您还可以为每个用户生成访问密钥。在通过多个软件开发工具包之一或使用 AWS Command Line Interface (CLI) 以编程方式访问 AWS 服务时,可以使用这些密钥。SDK 和 CLI 工具使用访问密钥对您的请求进行加密签名。如果您不使用 AWS 工具,则必须自行对请求签名。Amazon SQS supports 签名版本 4,后者是一种用于对入站 API 请求进行身份验证的协议。有关验证请求的更多信息,请参阅 AWS General Reference 中的签名版本 4 签名流程

     

  • IAM 角色 – An IAM role is an IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. 具有临时凭证的 IAM 角色在以下情况下很有用:

     

    • 联合身份用户访问 – Instead of creating an IAM user, you can use existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM 用户指南.

       

    • AWS 服务访问 – You can use an IAM role in your account to grant an AWS service permissions to access your account’s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM 用户指南.

       

    • 运行在 Amazon EC2 上的应用程序 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using Roles for Applications on Amazon EC2 in the IAM 用户指南.

访问控制

Amazon SQS 拥有自己的基于资源的权限系统,该系统使用了以用于 AWS Identity and Access Management (IAM) 策略的同一语言编写的策略。这意味着 Amazon SQS 策略与 IAM 策略的作用类似。

注意

所有 AWS 账户都可以向其账户下的用户授予权限,理解这一点很重要。交叉账户访问允许您共享对 AWS 资源的访问,而不需要管理其他用户。有关使用跨账户访问的信息,请参阅IAM 用户指南中的启用跨账户访问

Amazon SQS 目前只支持 IAM 中可用条件键的有限子集。有关更多信息,请参阅 Actions and Resource Reference

下面几节介绍如何管理 Amazon SQS 的权限。我们建议您先阅读概述。

本页内容: