问题描述
我正在阅读有关临时凭证的AWS文档,并且已经了解了有关它们的持续时间:
I am going through this AWS doc about temporary credentials, and I have come across this, about the duration of them:
IAM用户创建的凭证在有效期内有效 您指定的时间,从900秒(15分钟)到最多 129600秒(36小时),默认值为43200秒(12小时); 使用帐户凭据创建的凭据范围可以 从900秒(15分钟)到最多3600秒(1 小时),默认值为1小时.
Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
那么,created by IAM users
和created by using account credentials
有什么区别?
So, what is the difference between created by IAM users
and created by using account credentials
?
我正在通过boto3使用STS创建我的临时凭证,并且它们在一小时内就会过期.如何通过boto3使它们在此处提到的36个小时内有效?
I am creating my temporary credentials using STS via boto3, and they are being expired within an hour. How do I make them be valid for the 36 hours which is mentioned here, via boto3?
推荐答案
最大持续时间与用于呼叫STS的凭据有关.
如果您使用根凭据"(使用电子邮件地址登录),则将其视为帐户凭据".您通常不应该使用根凭据,因为它们功能太强大并且不受限制.您应该始终创建一个IAM用户并将其用于AWS上的日常工作.这样可以限制或撤消凭据,从而提供更好的安全控制.
If you use your Root Credentials (where you login with an email address), it is considered an Account Credential. You should not typically use root credentials since they are too powerful and cannot be restricted. You should always create an IAM User and use it for your day-to-day work on AWS. This allows the credentials to be restricted or revoked, which provides much better security control.
因此:
- 如果您使用根凭证调用STS,则限制为1小时
- 如果您使用IAM用户凭据致电STS,则限制为36小时
这篇关于如何增加STS凭证有效期的持续时间从一小时开始?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!