Following is the documentation for AWS switch role -
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html
What is the equivalent of this available for Alibaba Cloud ?
The goal is to use something similar in Alibaba cloud so that the credentials obtained from the assumed role can be used to create / access resources in another account based on the permissions given to that role.
The AssumeRole functionality is available in Alibaba Cloud, Details can be accessed on AssumeRole
It could have solutions for cross account access. usually in two scenes
personal account, you could just create one RAM role for him. it could be faster.
company account, you could add different company account in your enterprises. they will be one of the member , then it is ok for cross access.
Related
I am getting confused on these 3 terms. What I know OCI is infrastructure provided by Oracle, IAM is user and IDCS is Identity cloud service. But I dont understand differences and terms.
Is IAM user and normal user are same?
is OCI and IDCS are same?
What exactly IDCS is?
Let me try to answer your questions:
IAM or Identity Access Management is a tool designed to control who access to your cloud services. IAM user is an user who access to a service in your Cloud. What do you mean by normal user I cannot know.
OCI or Oracle Cloud Infrastructure, is a deep and broad platform of cloud services that enable you to build and run a wide range of applications in a scalable, secure, highly available, fault-tolerant and high-performance environment.
Oracle Identity Cloud Service (IDCS) is an Identity-as-a-Service (IDaaS) solution available in Oracle Cloud. It is designed to extend enterprise controls by automating PaaS and SaaS account provisioning and deprovisioning, simplifying the user experience for accessing cloud applications by providing seamless integration with enterprise identity stores and authentication services, and facilitating compliance activities by clearly reporting on cloud application usage.
Although it look like IDCS and IAM might look the same, they are designed to different purposes. IDCS is focused on SaaS or PaaS services by integrating itself with identity stores as Active Directory or LDAP inside organizations. IAM is designed to control Cloud resources providing access to each component, like a block storage or a computer instance.
Hope it clarifies a bit.
Regards
First of all
OCI refer to Oracle Cloud infrastructure and it's cloud computing solutions same as MS azure or amazon AWS, but offered by Oracle and it's providing various services such as servers, storage, network, applications and services through a global network of Oracle Corporation managed by different data center around the world.
IAM refer to Identity and Access Management this is services allow you to control who can access to cloud resource and even control what type of access they have, and to which specific resource, there is different Components of IAM such as resource, user, group and more you can check Oracle documentation that provide also examples here
IDCS refer to Oracle Identity Cloud Service and it's consider as Identity-as-a-Service (IDaaS) solution, Oracle Identity Cloud Service provides identity management, single-sign-on (SSO) and identity governance for applications on-premise, in the cloud and mobile applications , Any user can access the application at any time, anywhere on a device in a secure manner. Oracle IDCS integrates directly with existing directories and identity management system, making it easier for users to access applications. Providing a platform that is robust and secure, allows users to access, develop and deploy their applications.
Check the documentation here
The benefits of implementing Oracle Identity Cloud Service are; Improved Business Responsiveness, Enhanced User Productivity and Experience, Hybrid Multi-Channel Access and finally Simplified IT and Reduced Cost.
In addition to the answers above, IDCS can play role of IDP for federated login to Oracle Cloud Infrastructure console.
I want to restrict access to a webpage on a AWS EC2 instance, to only company employees, which are spread all over the world. I have successfully whitelisted the UK offices, but i haven't for colleagues in Asia and Europe.
Rather than adding IP's daily, which also changes for the user, i want a system which can verify the employees. Poor design.
I was thinking of having a Cognito User Pool and Identify Pool. Or a VPN for user to login.
Have people had similar issues and how have they overcome them. Any advice will be appericated.
Amazon Cognito would be a perfect solution for this. You can scan the user's E-Mail in the Pre-Authentication Lambda Trigger, and based on the user's E-Mail ID and other login parameters, you could allow or deny the Authentication Event.
For more information on the Pre-Authentication Lambda Trigger and sample codes, I would recommend you to go through this official AWS documentation.
Here is the scenario, I've an instance of Oracle Identity Manager (OIM). The instance stores all of my user profiles. Now, I'm writing few REST APIs, which should be authenticated using users present on OIM.
I'm also thinking of using AWS cognito to provide authentication flow. So, my questions are
Q. How can we connect Cognito & OIM?
Q. If no need of Cognito for this scenario, then how can we make use of OIM?
I've recently strated looking into both the tools. So, please spare me for some obvious questions.
I'm from the Cognito team, and Bruce0's suggestion is spot on. If you need to access AWS resources, you would set up a developer authenticated identity provider which could leverage this (or any other identity manager/provider).
They don't want to give me their Amazon username and password because it has their complete purchase history.
Is there anyway for them to authorize me as a user?
Amazon has AWS Identity and Access Management, that should help with what your asking. http://aws.amazon.com/iam/
It's easy enough to create new accounts on Amazon, and it's also reasonable to keep corporate and personal accounts separate for expense purposes. I'd recommend doing that for simplicity, but I understand that it could be a concern regarding potential misuse on the rest of the Amazon site.
The use of access keys (as suggested by #KristianGlass) may be adequate, as well, allowing you to create and kill instances, but not allowing you access to the main AWS console. Elasticfox also works with the EC2 keys, so you could use that as a surrogate for the console.
Depending on what you're looking for, they might just be able to create you an Access Key and have you use that.
If they look under "Security Credentials" in their Account page (this should be a link to it) they can easily "Create a new Access Key" (they will of course need to give you both the Access Key ID and the Secret Access Key).
To paraphrase Amazon's documentation about Access Keys, you can use them for making requests to REST or Query APIs - specifically this includes EC2.
Is it possible to have multiple users to manage an Amazon EC2 environment? I want to give access to several additional people to create machines on my existing billing account.
Amazon just announced AWS Identity and Access Management - http://aws.amazon.com/iam/
As of right now, it's in 'preview' mode, but this will allow you to have multiple AWS management accounts.
A few months ago Amazon announced Consolidated Billing. I never used it, but I think that is what you're looking for:
Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts in your department or company, as well as obtain a detailed cost report for each individual AWS account associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled up usage across all of your accounts could help you reach lower-priced volume tiers more quickly.
Consolidated Billing Guide
This is absolutely possible using IAM service of AWS. With the help of IAM you can create users and give them specific permissions on various services of amazon.
You can try http://LabSlice.com. It's primarily for Virtual Lab Management (ie. playground environments), but may suit your needs.