AWS Storage Gateway User Guide
Authentication and Access Control
Authentication and Access Control for AWS
Storage Gateway
Access to AWS Storage Gateway requires credentials that AWS can use to authenticate your requests.
Those credentials must have permissions to access AWS resources, such as a gateway, file share, volume,
or tape. The following sections provide details on how you can use
AWS Identity and Access Management
and Storage Gateway to help secure your resources by controlling who can access them:
•
•
Authentication
You can access AWS as any of the following types of identities:
•
AWS account root user
– When you first create an AWS account, you begin with a single sign-in
identity that has complete access to all AWS services and resources in the account. This identity is
called the AWS account
root user
and is accessed by signing in with the email address and password
that you used to create the account. We strongly recommend that you do not use the root user for
your everyday tasks, even the administrative ones. Instead, adhere to the
root user only to create your first IAM user
. Then securely lock away the root user credentials and use
them to perform only a few account and service management tasks.
•
IAM user
is an identity within your AWS account that has specific custom permissions
(for example, permissions to create a gateway in AWS Storage Gateway). You can use an IAM user
name and password to sign in to secure AWS webpages like the
.
In addition to a user name and password, you can also generate
for each user. You can
use these keys when you access AWS services programmatically, either through
AWS Command Line Interface (CLI)
. The SDK and CLI tools use the access keys
to cryptographically sign your request. If you don’t use AWS tools, you must sign the request yourself.
AWS Storage Gateway supports
Signature Version 4
, a protocol for authenticating inbound API
requests. For more information about authenticating requests, see
Signature Version 4 Signing Process
in the
AWS General Reference
.
•
IAM role
is an IAM identity that you can create in your account that has specific
permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies
that determine what the identity can and cannot do in AWS. However, instead of being uniquely
associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role
does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role
session. IAM roles with temporary credentials are useful in the following situations:
•
Federated user access
– Instead of creating an IAM user, you can use existing identities from AWS
Directory Service, your enterprise user directory, or a web identity provider. These are known as
federated users
. AWS assigns a role to a federated user when access is requested through an
. For more information about federated users, see
in the
IAM User
Guide
.
API Version 2013-06-30
294