虽然我们不鼓励这样做，但在有限的时间内您仍然可以使用
EC2_PRIVATE_KEY 和 EC2_CERT 而不是 AWS_ACCESS_KEY 和
AWS_SECRET_KEY。有关更多信息，请参阅常用选项中的已弃用选项
适用于 Amazon Elastic Compute Cloud CLI 中的 API 工具
参考。如果您指定两组凭据，则命令行
工具使用访问密钥 ID 和秘密访问密钥。

替代方案

不过，您可能想先查看替代方案：如果您熟悉 Python，我强烈推荐优秀的 boto（Amazon Web Services 提供的当前和未来基础设施服务的集成接口），与访问密钥配合得很好，提供与 EC2 API 工具几乎相同的功能集 em>（以及大多数其他 AWS API），由于针对的是仅限较新的 AWS REST API。

解决方案

AWS Identity and Access Management (IAM) 不支持访问实际的 AWS 账户，仅涵盖 AWS 管理控制台，当然还有大多数 AWS API。您需要使用 AWS 账户的登录名和密码（即账户所有者的登录名和密码）登录才能访问安全凭证页面。

不过，不再建议这样做（请参阅IAM概念<中的安全凭证部分/a>):

[...] 当您创建 AWS 账户时，AWS 会提供
默认情况下，AWS 帐户拥有自己的秘密访问密钥和访问密钥 ID。
AWS 账户可以使用它们对 AWS 进行 API 调用。我们预计
您不会定期使用这些凭据，但会使用它们
只是为了最初为您设置一个管理员组
组织。我们建议所有进一步的 API 交互
您的 AWS 账户和 AWS 资源处于用户级别（例如
例如，使用用户的安全凭证）。 [强调我的]

但是，您仍然可以通过使用您自己的证书来实现您的目标，如 X.509 证书部分中进一步概述的那样：

虽然您可以使用 IAM 创建访问密钥，但不能使用 IAM
创建签名证书。但是，您可以使用免费的第三方
OpenSSL 等工具来创建证书。 [...] 获得后
签名证书，必须上传到IAM； [...]

如何实际执行后者在上传签名证书中进行了说明。

Preface

First and foremost, you might want to reconsider whether you actually need these X.509 certificates - the tutorial is correct in principle:

There are three types: access keys, X.509 certificates and key pairs.
The first and second type allow you to connect to the Amazon APIs.
Which type of credential depends on which API and tool you are using.
Some APIs and tools support both options, whereas others support just
one.

However, nowadays most modern APIs and tools are interacting with AWS by means of access keys only rather than X.509 certificates.

~~Unfortunately this is not the case for the EC2 API Tools the tutorial is based on though, which indeed require the use X.509 certificates due to being (mostly) based on the older EC2 SOAP API still.~~

Update: The EC2 API Tools meanwhile support AWS access keys as well and deprecated using X.509 certificates accordingly:

Although we don’t encourage it, for a limited time you can still use
EC2_PRIVATE_KEY and EC2_CERT instead of AWS_ACCESS_KEY and
AWS_SECRET_KEY. For more information, see Deprecated Options in Common Options
for API Tools in the Amazon Elastic Compute Cloud CLI
Reference. If you specify both sets of credentials, the command line
tools use the access key ID and secret access key.

Alternative

You might want to check out an alternative first though: If you are comfortable in Python, I'd highly recommend the excellent boto (An integrated interface to current and future infrastructural services offered by Amazon Web Services), which works just fine with access keys, offers almost the same feature set as the EC2 API tools (plus most other AWS APIs) and performs significantly faster due to targeting the newer AWS REST APIs only.

Solution

AWS Identity and Access Management (IAM) does not support accessing the actual AWS account, it only covers the AWS Management Console, and most AWS APIs of course. You'll need to sign in with the AWS account's login and password (i.e. those of the account owner) to access the Security Credentials page.

This is not recommended anymore though (see section Security Credentials within IAM Concepts):

[...] when you create an AWS account, AWS gives the
AWS account its own Secret Access Key and Access Key ID by default.
The AWS account can make API calls to AWS with them. We expect that
you won't use those credentials on a regular basis, but will use them
only to initially set up an administrators group for your
organization. We recommend that all further API interaction between
your AWS account and your AWS resources be at the user level (for
example, using users' security credentials). [emphasis mine]

However, you can still achieve your goal by using your own certificate as outlined further down in section X.509 Certificates:

Although you can use IAM to create an access key, you can't use IAM to
create a signing certificate. However, you can use free third-party
tools such as OpenSSL to create the certificate. [...] After you have the
signing certificate, you must upload it to IAM; [...]

How to actually do the latter is illustrated in Uploading a Signing Certificate.

回复收藏 0 原文

~没有更多了~