IAM

AWS IAM Basic Concepts

IAM is used to control permissions on AWS resources; those permissions can be applied to groups of users as well as to individual users. IAM can also be combined with external identity providers, such as Shibboleth or Microsoft Active Directory, and access to resources can be audited with AWS CloudTrail.

Terraform Creates AWS EKS Manager Role

You can associate IAM roles with Kubernetes service accounts. Such a service account then provides AWS permissions to the containers in any pod that uses it. With this feature, you no longer need to grant broad permissions to the Amazon EKS node IAM role just so that pods on that node can call AWS APIs.

Deep Dive into IAM PassRole

As an AWS security best practice, IAM policies should be narrowly scoped so that users are authorized to perform only the actions they need on the resources they are expected to use. This matters even more when you authorize users to run code inside AWS services (for example, a Lambda function that accesses other resources): the code runs with whatever role the user attaches to the service. For this case, IAM provides a way to control which roles an authorized user may hand to an AWS service: the iam:PassRole permission.
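The following two policy documents are an added illustration, not taken from the article being introduced: the first grants iam:PassRole on every role, so the user can attach any role in the account (including administrative ones) to a Lambda function; the second scopes it to one role and, via the iam:PassedToService condition key, to Lambda only. The account id and role name are placeholders.

```json
{
  "WeakPolicy_DoNotUse": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PassAnyRoleAnywhere",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*"
      }
    ]
  },
  "ScopedPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PassOnlyTheFunctionRoleToLambda",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "arn:aws:iam::111122223333:role/example-lambda-execution-role",
        "Condition": {
          "StringEquals": {
            "iam:PassedToService": "lambda.amazonaws.com"
          }
        }
      },
      {
        "Sid": "CreateFunctionsOnly",
        "Effect": "Allow",
        "Action": [
          "lambda:CreateFunction",
          "lambda:UpdateFunctionConfiguration"
        ],
        "Resource": "arn:aws:lambda:*:111122223333:function:*"
      }
    ]
  }
}
```

Note that the outer object only groups the two documents for comparison; each inner document is what you would attach as a separate IAM policy. A useful review check is to search policies for `iam:PassRole` with `"Resource": "*"` and no condition, and to confirm in CloudTrail that the role ARNs recorded in `PassRole` events match the ones the scoped policy intends.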