1
00:00:00,930 --> 00:00:01,890
Hello, welcome back.

2
00:00:01,950 --> 00:00:11,830
So let's talk now about the third IAM identity, which is the IAM role. An IAM role is a set

3
00:00:11,830 --> 00:00:17,800
of permissions that grant access to actions and resources in AWS.

4
00:00:17,850 --> 00:00:23,080
These permissions are attached to a role, not to an IAM user or a group.

5
00:00:23,110 --> 00:00:31,300
So they're not fixed and assigned to a specific user or to a number of users in a group. Instead of being

6
00:00:31,300 --> 00:00:33,720
uniquely associated with one person.

7
00:00:33,730 --> 00:00:38,780
a role is intended to be assumable by anyone who needs it.

8
00:00:38,830 --> 00:00:44,690
So if an application needs that role, it can assume it if allowed; if a user needs that role, the user

9
00:00:44,700 --> 00:00:51,850
can assume it if allowed. A role does not have standard long-term credentials.

10
00:00:51,850 --> 00:00:56,260
So it's not like the user, where you have to define a password and access keys.

11
00:00:56,350 --> 00:00:57,310
It's not like that.

12
00:00:57,490 --> 00:01:03,420
So a role depends on STS, or temporary security credentials.

13
00:01:03,520 --> 00:01:08,220
If a user assumes that role, temporary security credentials are created for it.

14
00:01:08,260 --> 00:01:13,700
These are created dynamically and provided to the user; they don't have to be requested.

15
00:01:13,690 --> 00:01:18,600
So roles can be assumed or used by any of the following.

16
00:01:18,730 --> 00:01:28,150
It can be assumed by an IAM user in the same account as the role, or assumed by an IAM user in a different account

17
00:01:28,210 --> 00:01:29,470
than the role.

18
00:01:29,950 --> 00:01:35,900
And it can be assumed by a web service offered by AWS, like EC2.

19
00:01:35,920 --> 00:01:37,150
What do I mean here?

20
00:01:37,180 --> 00:01:45,520
If I have a role that has access to S3, whether it's one bucket or multiple buckets, then I can have an EC2

21
00:01:45,520 --> 00:01:51,710
instance that can take up this role in order to write to and read from the S3 bucket.

22
00:01:51,880 --> 00:01:55,360
And also the role can be assumed by an external user.

23
00:01:55,360 --> 00:01:57,080
What do I mean by external user? Not an

24
00:01:57,100 --> 00:02:02,170
IAM user, but what we referred to before as the federated users.

25
00:02:02,260 --> 00:02:07,450
So it could be authenticated by an external identity provider service that is compatible with SAML 2.0:

26
00:02:07,690 --> 00:02:14,740
single sign-on and Active Directory come to mind when we talk about SAML 2.0; or OpenID Connect, and

27
00:02:14,830 --> 00:02:19,630
that is web federation, when you are talking about Google, Facebook, Amazon and so on and

28
00:02:19,630 --> 00:02:29,440
so forth; or a custom-built identity broker. So a user in the same account, in a different account, an application

29
00:02:29,440 --> 00:02:32,790
or a resource in need of this, a web service, or a federated user.

30
00:02:32,830 --> 00:02:36,020
All these can assume a role.

31
00:02:36,040 --> 00:02:41,850
So there are two ways to use a role.

32
00:02:42,640 --> 00:02:51,700
The first one is in the IAM console: an IAM user in your account using the console can switch to temporarily

33
00:02:51,700 --> 00:02:57,490
use the permissions of the role in the console, and that is one way to do cross-account access, if

34
00:02:57,490 --> 00:03:02,840
you are in an account and there is a role in a different account to access an S3 bucket.

35
00:03:03,150 --> 00:03:05,650
OK, the trusting

36
00:03:05,650 --> 00:03:07,280
account.

37
00:03:07,330 --> 00:03:09,770
And this is the trusted account.

38
00:03:10,060 --> 00:03:18,670
So you are a user here, and there is a trust relation: the trusting account said, OK, I trust this

39
00:03:18,700 --> 00:03:19,170
account.

40
00:03:19,170 --> 00:03:26,760
So this is account A; the trusting one is B: I trust account A, OK.

41
00:03:26,920 --> 00:03:34,120
Now if there is a role here, and there are permissions for this role to access an S3 bucket, for

42
00:03:34,120 --> 00:03:42,070
instance, in this account. Let's say this user, Fareed, has his own regular permissions and credentials

43
00:03:42,150 --> 00:03:44,720
in account A.

44
00:03:45,400 --> 00:03:48,150
Can he at the same time assume the role?

45
00:03:48,160 --> 00:03:49,250
The answer is no.

46
00:03:49,270 --> 00:03:56,200
If he tries to switch, and if he's allowed to switch to the role in the other account, he temporarily loses

47
00:03:56,200 --> 00:03:58,050
his permissions in account A.

48
00:03:58,420 --> 00:04:03,370
So you are not combining: either you have your regular ones if you don't assume the role, or

49
00:04:03,370 --> 00:04:07,450
you have the permissions for that role, but not both at the same time.

50
00:04:07,690 --> 00:04:15,180
When he resumes his original role in his account, account A, then he loses the permissions for the role

51
00:04:15,250 --> 00:04:20,740
but he retrieves or recovers the permissions he had within account A.

52
00:04:21,070 --> 00:04:26,060
So one way to switch or assume a role is through the IAM console, when you switch roles.

53
00:04:26,440 --> 00:04:32,050
And in this case the users will give up their original permissions and take on the permissions assigned

54
00:04:32,050 --> 00:04:32,720
to the role,

55
00:04:33,040 --> 00:04:40,300
as long as they are assuming the role. When the user exits the role, their original permissions are

56
00:04:40,300 --> 00:04:41,190
restored.

57
00:04:41,200 --> 00:04:43,500
So that's one way to switch roles.

58
00:04:43,510 --> 00:04:51,100
What's the other way? The other way is to do programmatic access requests using the CLI, using the

59
00:04:51,100 --> 00:04:53,610
tools for Windows PowerShell, or the API.

60
00:04:53,630 --> 00:04:59,710
So you send in a request to assume the role. An application or service offered by AWS, like EC2,

61
00:04:59,710 --> 00:05:07,390
can assume a role by requesting temporary security credentials for a role, with which they make programmatic

62
00:05:07,390 --> 00:05:15,190
requests to AWS. You use a role this way so that you don't have to share or maintain long-term security

63
00:05:15,190 --> 00:05:20,360
credentials by creating users for each entity that requires access to that resource.

64
00:05:20,380 --> 00:05:26,130
So I have a resource, an S3 bucket, here, and this is the role: whoever needs it can request it.

65
00:05:26,130 --> 00:05:27,450
We will look into that.

66
00:05:27,670 --> 00:05:34,450
If they are authenticated and allowed, then we will issue temporary security credentials, tokens, and the users

67
00:05:34,450 --> 00:05:40,150
can then take the token, assume the role, do whatever they want, and there is an expiry

68
00:05:40,240 --> 00:05:48,490
time for that token: either they exit before, or if it expires then they are denied access. With role delegation,

69
00:05:49,150 --> 00:05:55,990
a user who assumes a role temporarily gives up his or her own permissions and instead takes on the

70
00:05:55,990 --> 00:05:58,830
permissions of the role, as we already mentioned.

71
00:05:59,170 --> 00:06:03,960
When the user exits or stops using the role, the original user permissions are restored.

72
00:06:04,270 --> 00:06:06,210
Now a question might come to mind.

73
00:06:06,370 --> 00:06:13,660
In the example we gave, I have account B and account A, and we had the user here, and we

74
00:06:13,660 --> 00:06:16,860
had the S3 bucket here, and we had a role here.

75
00:06:17,380 --> 00:06:25,810
There is a way to provide cross-account access also through, exactly, resource-based policies.

76
00:06:25,810 --> 00:06:31,450
So when should I use which? What is the advantage of using, in this scenario, a resource-based policy as opposed

77
00:06:31,450 --> 00:06:39,060
to a role? One of the things we said is that when a user in an account assumes a role in a different account,

78
00:06:39,060 --> 00:06:44,370
cross-account access, then they temporarily lose their permissions in account A.

79
00:06:45,060 --> 00:06:52,680
But what if the requirement was that the user, while he is an account A user with his permissions,

80
00:06:53,190 --> 00:06:59,080
wants to copy or download some files from here into an S3 bucket that they own here?

81
00:07:00,130 --> 00:07:04,180
If you use the role, they don't have any rights in account A

82
00:07:04,240 --> 00:07:11,350
as long as they use the role. So they can read files from the bucket in account B, but they cannot download

83
00:07:11,350 --> 00:07:13,820
them to the bucket in account A. Why?

84
00:07:13,840 --> 00:07:18,160
Because they don't have the permissions: they either have their own permissions or they have the account B

85
00:07:18,310 --> 00:07:19,600
permissions.

86
00:07:19,630 --> 00:07:26,760
Now how can I do such a scenario? In that case, use the resource-based policies and not the IAM role.

87
00:07:26,920 --> 00:07:34,180
Unlike a user-based policy, a resource-based policy specifies who, in the form of a list of account

88
00:07:34,180 --> 00:07:35,990
IDs, can access the resource.

89
00:07:36,190 --> 00:07:41,170
So now we are talking about the principal, and the resource-based policy that would be attached to the

90
00:07:41,170 --> 00:07:49,960
bucket in account B. Cross-account access with a resource-based policy has an advantage over a role.

91
00:07:50,020 --> 00:07:55,560
So you can do it via the role, or you can do it via the resource-based policy. The advantage of a resource-based

92
00:07:55,630 --> 00:08:01,660
policy is that with a resource that is accessed through a resource-based policy, the user still works

93
00:08:01,720 --> 00:08:03,910
in the trusted account. Trusted

94
00:08:03,910 --> 00:08:11,470
here is A; trusting is B. And they do not have to give up their own user permissions in place of

95
00:08:11,470 --> 00:08:16,660
the role permissions, so they don't have to swap permissions to take on the role and give up their own;

96
00:08:17,160 --> 00:08:23,380
with a resource-based policy they can maintain their permissions in account A.

97
00:08:23,470 --> 00:08:28,630
In other words, the user continues to have access to resources in the trusted account

98
00:08:28,630 --> 00:08:34,420
at the same time as he or she has access to the resources in the trusting account. This is B and this

99
00:08:34,420 --> 00:08:42,520
is A. This is useful for tasks such as copying information to or from the shared resource in the other

100
00:08:42,520 --> 00:08:44,830
account.

101
00:08:44,830 --> 00:08:51,600
The disadvantage is that not all services support resource-based policies, so you cannot use them as

102
00:08:51,650 --> 00:08:56,300
your policy approach all the way, because not all the services would allow you to do that.

103
00:08:56,620 --> 00:08:58,170
So that's the flip side.

104
00:08:58,660 --> 00:08:59,230
Okay.

105
00:08:59,410 --> 00:09:04,570
In the near future we are going to talk about service roles: when you create an IAM role that will be

106
00:09:04,570 --> 00:09:07,500
assumed by a service, this is called a service role.

107
00:09:08,050 --> 00:09:09,190
Enough said for now.

108
00:09:09,210 --> 00:09:14,680
We'll take a break, and we will continue and detail what roles are in the next lecture.

109
00:09:14,850 --> 00:09:15,120
Elsie.
