AWS Notes
@aws_notes
5.61K subscribers
493 photos
43 videos
10 files
2.87K links
AWS Notes — Amazon Web Services Educational and Information Channel

Chat: https://xn--r1a.website/aws_notes_chat

Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/
Download Telegram
About
Blog
Apps
Platform
Join
AWS Notes
5.61K subscribers
AWS Notes
IAM temporary delegation 🎉

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-temporary-delegation.html

Теперь можно выдать нужные права временно (до 12 часов) без извращений с Лямбдами, удаляющими IAM User/Role через какое-то время.

#IAM
🔥15👀2👍1
1.6K viewsRoman Siewko
AWS Notes
IAM + JWT = IAM Outbound Identity Federation 💪

https://aws.amazon.com/blogs/aws/simplify-access-to-external-services-using-aws-iam-outbound-identity-federation/

С помощью IAM теперь можно логиниться в любой другой сервис, поддерживающий JWT.

Для этого нужно включить Outbound Identity Federation в IAM и в результате STS сервис в аккаунте, где это включено, будет обслуживать его уникальный эндпоинт и стандартные /.well-known/openid-configuration и /.well-known/jwks.json.

По умолчанию STS генерит JWT токен, в котором есть claims для аккаунта, региона и роли:

{
  "aud": "my-app",
  "sub": "arn:aws:iam::ACCOUNT_ID:role/MyAppRole",
  "https://sts.amazonaws.com/": {
    "aws_account": "ACCOUNT_ID",
    "source_region": "us-east-1",
    "principal_id": "arn:aws:iam::ACCOUNT_ID:role/MyAppRole"
  },
  "iss": "https://abc12345-def4-5678-90ab-cdef12345678.tokens.sts.global.api.aws",
  "exp": 1759786941,
  "iat": 1759786041,
  "jti": "5488e298-0a47-4c5b-80d7-6b4ab8a4cede"
}


Но можно добавить организацию, тэги и прочее:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_outbound_token_claims.html

Итого, нонче можно использовать IAM в любом JWT поддерживающем сервисе, что реально круто. 👍

#IAM #JWT
🔥17👍3
1.6K viewsRoman Siewko
AWS Notes
🆕 IAM Policy Autopilot

https://aws.amazon.com/blogs/aws/simplify-iam-policy-creation-with-iam-policy-autopilot-a-new-open-source-mcp-server-for-builders/

As an MCP server, IAM Policy Autopilot operates in the background as builders converse with their AI coding assistants.

When your application needs IAM policies, your coding assistants can call IAM Policy Autopilot to analyze AWS SDK calls within your application and generate required identity-based IAM policies, providing you with necessary permissions to start with.

After permissions are created, if you still encounter Access Denied errors during testing, the AI coding assistant invokes IAM Policy Autopilot to analyze the denial and propose targeted IAM policy fixes.

After you review and approve the suggested changes, IAM Policy Autopilot updates the permissions.


#IAM
Amazon
Simplify IAM policy creation with IAM Policy Autopilot, a new open source MCP server for builders | Amazon Web Services
Speed up AWS development with an open source tool that analyzes your code to generate valid IAM policies, providing AI coding assistants with up-to-date AWS service knowledge and reliable permission recommendations.
👍81
1.32K viewsRoman Siewko