DynamoDB Concise Tutorial
DynamoDB - Web Identity Federation
Web Identity Federation allows you to simplify authentication and authorization for large user groups. You can skip the creation of individual accounts and instead require users to log in to an identity provider to get temporary credentials or tokens. It uses AWS Security Token Service (STS) to manage those credentials. Applications use these tokens to interact with services.
Web Identity Federation also supports other identity providers, such as Amazon, Google, and Facebook.
Function − In use, Web Identity Federation first calls an identity provider for user and app authentication, and the provider returns a token. The app then calls AWS STS and passes the token as input. STS authorizes the app and grants it temporary access credentials, which allow the app to use an IAM role and access resources based on that role's policy.
Implementing Web Identity Federation
You must perform the following three steps prior to use −
- Use a supported third-party identity provider to register as a developer.
- Register your application with the provider to obtain an app ID.
- Create one or more IAM roles, including policy attachment. You must use one role per provider per app.
Assume one of your IAM roles to use Web Identity Federation. Your app must then perform a three-step process −
- Authentication
- Credential acquisition
- Resource access
In the first step, your app uses its own interface to call the provider and then manages the token it receives.
In step two, the app handles that token by sending an AssumeRoleWithWebIdentity request to AWS STS. The request holds the token from step one, the provider app ID, and the ARN of the IAM role. STS then provides a set of credentials that expire after a certain period.
In the final step, your app receives a response from STS containing the access information for DynamoDB resources. It consists of the access credentials, their expiration time, the assumed role, and the role ID.
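The three-step flow above, written out as added example code for this tutorial (not AWS or boto3 sample code): it builds and validates the AssumeRoleWithWebIdentity request, extracts the temporary credentials from the STS response, and checks when they must be refreshed. The role ARN, session name and STS response are constructed placeholders; `ProviderId` is only set for OAuth 2.0 providers (Amazon, Facebook), not for OIDC providers such as Google.

```python
import re
from datetime import datetime, timedelta, timezone

# Limits AWS documents for sts:AssumeRoleWithWebIdentity
MIN_DURATION, MAX_DURATION = 900, 43200  # 15 min .. 12 h (the role's max may be lower)
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

# Constructed STS response (same shape as the real one) so this runs offline
SAMPLE_RESPONSE = {
    "Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "examplesecret",
                    "SessionToken": "exampletoken",
                    "Expiration": datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)},
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:app-session",
                        "Arn": "arn:aws:sts::123456789012:assumed-role/DynamoAppRole/app-session"},
}

def build_assume_role_request(role_arn, web_identity_token, session_name,
                              provider_id=None, duration_seconds=3600):
    """Step two: parameters for AssumeRoleWithWebIdentity, validated client-side.
    provider_id only for OAuth 2.0 providers (www.amazon.com, graph.facebook.com)."""
    if ":role/" not in role_arn:
        raise ValueError("role_arn must be an IAM role ARN")
    if not web_identity_token:
        raise ValueError("the provider token from step one is required")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName: 2-64 chars of [A-Za-z0-9_+=,.@-]")
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError("DurationSeconds must be 900..43200")
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "WebIdentityToken": web_identity_token, "DurationSeconds": duration_seconds}
    if provider_id:
        params["ProviderId"] = provider_id
    return params

def parse_credentials(response):
    """Step three: pull the temporary credential set out of the STS response."""
    c = response["Credentials"]
    return {"access_key": c["AccessKeyId"], "secret_key": c["SecretAccessKey"],
            "session_token": c["SessionToken"], "expiration": c["Expiration"],
            "role_id": response["AssumedRoleUser"]["AssumedRoleId"]}

def needs_refresh(expiration, now, margin=timedelta(minutes=5)):
    """True once the credentials expire within `margin`; repeat steps one and two."""
    return expiration - now <= margin

def dynamodb_client(creds, region):
    import boto3  # only needed for the live DynamoDB call (network + boto3 required)
    return boto3.client("dynamodb", region_name=region, aws_session_token=creds["session_token"],
                        aws_access_key_id=creds["access_key"], aws_secret_access_key=creds["secret_key"])
```

The session token must be passed along with the key pair on every DynamoDB call; the access key alone does not identify the assumed-role session.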