Crate scratchstack_aws_principal
Principals for AWS and AWS-like services.
Principals come in two "flavors": actors and policies. A policy-based principal can be completely specified via an ARN in an Identity and Access Management (IAM) Aspen policy, e.g., arn:aws:iam::123456789012:user/Sales/Bob. This is what most people think of when they refer to principals when talking about AWS. In this example:
- The partition (cloud instance) is aws (the AWS commercial cloud);
- The AWS account in the partition is 123456789012;
- The resource type user means this refers to an IAM user;
- The path to the user is /Sales/;
- The user name is Bob.
On the service implementation side, however, there are additional details attached to a principal actor. Groups, roles, and users have a universally unique ID. If the /Sales/Bob user is deleted and another is created, these users will have the same ARN but different unique IDs. While not part of the principal itself, this can be referred to in Aspen policies via the ${aws:username} policy variable. Assumed roles carry a token issue time, accessible via the ${aws:TokenIssueTime} variable, as well as an expiration time on or after which the assumed role is no longer valid.
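The ARN breakdown above and the note about unique IDs, demonstrated in an added example that is not the crate's own code: a minimal parser for IAM principal ARNs of the form arn:partition:iam::account:type/path/name, plus an actor record that pairs the ARN with a unique ID so that a deleted-and-recreated user matches the same policy statement but is not the same actor. The struct, enum and function names (IamPrincipalArn, ArnParseError, ActorIdentity, parse_iam_principal_arn, same_policy_principal, same_actor) and the unique ID strings are assumptions; the 12-digit account ID rule and the empty region field for IAM follow the standard AWS ARN layout and are not stated on this page.

```rust
// Added example, not scratchstack_aws_principal's own code. Names are assumptions.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IamPrincipalArn {
    pub partition: String,   // e.g. "aws"
    pub account_id: String,  // 12 ASCII digits
    pub entity_type: String, // "user", "group" or "role"
    pub path: String,        // begins and ends with '/', e.g. "/Sales/"
    pub name: String,        // e.g. "Bob"
}

#[derive(Debug, PartialEq, Eq)]
pub enum ArnParseError {
    WrongFieldCount(usize),
    NotAnArn,
    NotIam,
    RegionMustBeEmpty,
    InvalidAccountId(String),
    InvalidResource(String),
}

/// Parse `arn:<partition>:iam::<account>:<type>/<path><name>` into its fields.
pub fn parse_iam_principal_arn(arn: &str) -> Result<IamPrincipalArn, ArnParseError> {
    // An ARN has six colon-separated fields; the resource field may itself
    // contain ':' or '/', so split at most five times.
    let parts: Vec<&str> = arn.splitn(6, ':').collect();
    if parts.len() != 6 {
        return Err(ArnParseError::WrongFieldCount(parts.len()));
    }
    if parts[0] != "arn" {
        return Err(ArnParseError::NotAnArn);
    }
    if parts[2] != "iam" {
        return Err(ArnParseError::NotIam);
    }
    // IAM is a global service, so the region field is empty (assumed AWS convention).
    if !parts[3].is_empty() {
        return Err(ArnParseError::RegionMustBeEmpty);
    }
    let account_id = parts[4];
    if account_id.len() != 12 || !account_id.bytes().all(|b| b.is_ascii_digit()) {
        return Err(ArnParseError::InvalidAccountId(account_id.to_string()));
    }
    let resource = parts[5];
    let (entity_type, rest) = match resource.split_once('/') {
        Some((t, r)) if matches!(t, "user" | "group" | "role") => (t, r),
        _ => return Err(ArnParseError::InvalidResource(resource.to_string())),
    };
    // `rest` is "Sales/Bob" or just "Bob": the path is everything up to and
    // including the last '/', and the name is what follows it.
    let (path, name) = match rest.rfind('/') {
        Some(i) => (format!("/{}", &rest[..=i]), &rest[i + 1..]),
        None => ("/".to_string(), rest),
    };
    // Reject an empty name ("user/Sales/") and empty path segments ("user//Bob").
    let segments_ok =
        path == "/" || path[1..path.len() - 1].split('/').all(|s| !s.is_empty());
    if name.is_empty() || !segments_ok {
        return Err(ArnParseError::InvalidResource(resource.to_string()));
    }
    Ok(IamPrincipalArn {
        partition: parts[1].to_string(),
        account_id: account_id.to_string(),
        entity_type: entity_type.to_string(),
        path,
        name: name.to_string(),
    })
}

/// What a service implementation sees: the policy-facing ARN plus the unique ID
/// that distinguishes a recreated entity from the deleted one (assumed field names).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ActorIdentity {
    pub arn: IamPrincipalArn,
    pub unique_id: String,
}

/// Policy matching works on the ARN: a statement naming /Sales/Bob applies to both.
pub fn same_policy_principal(a: &ActorIdentity, b: &ActorIdentity) -> bool {
    a.arn == b.arn
}

/// Actor identity works on the unique ID: a recreated user is a different actor.
pub fn same_actor(a: &ActorIdentity, b: &ActorIdentity) -> bool {
    a.unique_id == b.unique_id
}

fn main() {
    let arn = parse_iam_principal_arn("arn:aws:iam::123456789012:user/Sales/Bob").unwrap();
    // Constructed unique IDs standing in for the IDs a service would record.
    let old_bob = ActorIdentity { arn: arn.clone(), unique_id: "UNIQUE-ID-1".to_string() };
    let new_bob = ActorIdentity { arn, unique_id: "UNIQUE-ID-2".to_string() };
    println!("{:?}", old_bob.arn);
    println!("same policy principal: {}", same_policy_principal(&old_bob, &new_bob));
    println!("same actor: {}", same_actor(&old_bob, &new_bob));
}
```

The point for a service implementer: authorization decisions that key only on the ARN will keep granting a recreated /Sales/Bob whatever the old Bob was granted, so any state tied to an individual actor (sessions, cached decisions, audit trails) should be keyed on the unique ID rather than the ARN.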
Re-exports
pub use actor::PrincipalActor;
pub use policy::PolicyPrincipal;
Modules
actor
details
policy
Enums
PrincipalError | Errors that can be raised during the parsing of principals.
Functions
validate_account_id | Verify that an account id meets AWS requirements.
validate_partition | Verify that a partition name meets the naming requirements.
validate_path | Verify that a path meets AWS requirements.
validate_region | Verify that a region name meets the naming requirements.