#1-ALLUXIO/Mistake Notebook
Questions & Answers
- What is assume role? What is the relationship between assume role and IAM and s3 bucket?
Assume role is an API that returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
The role to assume is identified by its Amazon Resource Name (ARN), for example arn:aws:iam::123456789012:role/UpdateApp.
The API is provided by AWS Security Token Service (AWS STS).
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
- How does assume role work in Alluxio?
Alluxio would be given the IAM credentials of Role A, and then the ARN of Role B. We would then use Role A to fetch a temporary STS token to assume the privileges of Role B.
Sample command to mount the bucket with assume role options:
```bash
/opt/alluxio/bin/alluxio fs mount \
  --option alluxio.underfs.s3.inherit.acl=false \
  --option aws.accessKeyId=<access key> \
  --option aws.secretKey=<secret key> \
  --option alluxio.underfs.s3.server.side.encryption.enabled=true \
  --option alluxio.underfs.s3.proxy.host=<ip> \
  --option alluxio.underfs.s3.proxy.port=<port> \
  --option alluxio.underfs.s3.secure.http.enabled=true \
  --option alluxio.underfs.s3.assumerole.enabled=true \
  --option alluxio.underfs.s3.assumerole.rolearn=arn:aws:iam::<aws account>:role/<role> \
  --option alluxio.underfs.s3.assumerole.proxy.https.enabled=false \
  --option alluxio.underfs.s3.assumerole.https.enabled=true \
  --option alluxio.underfs.s3.assumerole.proxy.host=<ip> \
  --option alluxio.underfs.s3.assumerole.proxy.port=<port> \
  /s3/<bucket name> s3://<bucket name>
```
- What is mount in Alluxio?
- What is the relationship between AWS credentials and assume a role and mount alluxio?
Use AWS credentials to mount S3 to Alluxio, and use those credentials to assume a role to access S3.
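The Role A / Role B arrangement above only works if Role B's trust policy names Role A and Role A is permitted to call sts:AssumeRole on Role B. The following is an added example, not code from Alluxio or from the original post: it builds that pair of IAM policies and audits a trust policy for any principal other than Role A. The role names RoleA and RoleB and all function names are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed values: account ID taken from the ARN example on this page; both
# role names are hypothetical. ROLE_B is what ...assumerole.rolearn would hold.
PRINCIPAL_A = "arn:aws:iam::123456789012:role/RoleA"  # identity whose keys Alluxio holds
ROLE_B = "arn:aws:iam::123456789012:role/RoleB"

def identity_policy_for_a(role_b_arn):
    """Permission attached to A: it may call sts:AssumeRole on Role B only."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_b_arn}]}

def trust_policy_for_b(principal_a_arn):
    """Trust policy attached to Role B: only A is allowed to assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": principal_a_arn},
         "Action": "sts:AssumeRole"}]}

def as_list(value):
    """IAM policy JSON accepts either a single value or a list."""
    return value if isinstance(value, list) else [value]

def trusted_principals(trust_policy):
    """Return every principal that an Allow statement lets call sts:AssumeRole."""
    found = []
    for stmt in as_list(trust_policy.get("Statement", [])):
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        allows = any(fnmatchcase("sts:assumerole", p) for p in patterns)
        if stmt.get("Effect") != "Allow" or not allows:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append("*")
        else:
            for values in principal.values():
                found.extend(as_list(values))
    return found

def audit_trust(trust_policy, expected_arn):
    """Report wildcard trust, unexpected principals, or a missing expected one."""
    principals = trusted_principals(trust_policy)
    findings = ["wildcard principal can assume the role" if p == "*"
                else "unexpected principal: " + p
                for p in principals if p != expected_arn]
    if expected_arn not in principals:
        findings.append("expected principal is not trusted: " + expected_arn)
    return findings

if __name__ == "__main__":
    print(audit_trust(trust_policy_for_b(PRINCIPAL_A), PRINCIPAL_A))
```

An empty list from `audit_trust` means the trust policy admits exactly the expected principal.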
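Chinese version
Alluxio's commercial edition supports the AWS assume role feature.
First, assume role is an AWS feature (assume role is an API; calling it returns a set of temporary security credentials).
Next, the relationship between Alluxio and assume role: suppose there are two roles, A and B. Alluxio is given the IAM credentials of Role A, and then the Amazon Resource Name of Role B. We use Role A to obtain a temporary STS token to assume the privileges of Role B.
Finally, the relationship between alluxio mount and assume role, with an example of using mount to mount an S3 file system: Alluxio uses AWS credentials to mount S3 to Alluxio, and then uses those credentials to assume a role in order to access the resources in S3.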
```bash
/opt/alluxio/bin/alluxio fs mount \
  --option alluxio.underfs.s3.inherit.acl=false \
  --option aws.accessKeyId=<access key> \
  --option aws.secretKey=<secret key> \
  --option alluxio.underfs.s3.server.side.encryption.enabled=true \
  --option alluxio.underfs.s3.proxy.host=<ip> \
  --option alluxio.underfs.s3.proxy.port=<port> \
  --option alluxio.underfs.s3.secure.http.enabled=true \
  --option alluxio.underfs.s3.assumerole.enabled=true \
  --option alluxio.underfs.s3.assumerole.rolearn=arn:aws:iam::<aws account>:role/<role> \
  --option alluxio.underfs.s3.assumerole.proxy.https.enabled=false \
  --option alluxio.underfs.s3.assumerole.https.enabled=true \
  --option alluxio.underfs.s3.assumerole.proxy.host=<ip> \
  --option alluxio.underfs.s3.assumerole.proxy.port=<port> \
  /s3/<bucket name> s3://<bucket name>
```