scratchstack-aws-principal

Crates.io: scratchstack-aws-principal
lib.rs: scratchstack-aws-principal
version: 0.3.4
source: src
created_at: 2021-04-24 23:05:45.534014
updated_at: 2024-07-13 19:16:57.430595
description: Principal types for AWS/AWS-like services
homepage: https://github.com/dacut/scratchstack-aws-principal
repository: https://github.com/dacut/scratchstack-aws-principal
id: 389101
size: 143,867
David Cuthbert (dacut)


README

scratchstack-aws-principal

Principals for AWS and AWS-like services.

Principals come in two "flavors": actors and policies. A policy-based principal can be completely specified via an ARN in an Identity and Access Management (IAM) Aspen policy, e.g., arn:aws:iam::123456789012:user/Sales/Bob. This is what most people think of when they refer to principals when talking about AWS. In this example:

  • The partition (cloud instance) is aws (the AWS commercial cloud).
  • The AWS account in the partition is 123456789012.
  • This refers to an IAM user.
  • The path to the user is /Sales/.
  • The user name is Bob.

On the service implementation side, however, there are additional details attached to a principal actor. Groups, roles, and users have a universally unique ID. If the /Sales/Bob user is deleted and another is created, these users will have the same ARN but different unique IDs. While not part of the principal itself, this can be referred to in Aspen policies via the ${aws:username} policy variable. Assumed roles carry a token issue time, accessible via the ${aws:TokenIssueTime} variable, as well as an expiration time on or after which the assumed role is no longer valid.
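An added example (not the crate's own API) that pulls the components listed above out of a policy-style IAM user ARN and models the service-side distinction the README makes: two actors with the same ARN are only the same identity if their unique IDs also match. The `IamUserArn`, `UserActor` and `same_identity` names, and the unique ID values, are assumptions made for this illustration.

```rust
/// Components of `arn:<partition>:iam::<account>:user<path><name>` (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct IamUserArn {
    pub partition: String,
    pub account_id: String,
    pub path: String,      // always starts and ends with '/', e.g. "/Sales/"
    pub user_name: String, // e.g. "Bob"
}

/// Parse an IAM user ARN; returns None for anything else (roles, groups, malformed input).
pub fn parse_iam_user_arn(arn: &str) -> Option<IamUserArn> {
    // An ARN has six colon-separated fields; the resource field may itself
    // contain ':' so split at most six times.
    let parts: Vec<&str> = arn.splitn(6, ':').collect();
    if parts.len() != 6 || parts[0] != "arn" || parts[2] != "iam" || !parts[3].is_empty() {
        return None; // IAM is global: the region field must be empty
    }
    let (partition, account_id) = (parts[1], parts[4]);
    if partition.is_empty() || account_id.len() != 12 || !account_id.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    // Resource is "user/Sales/Bob": the path runs through the last '/', the name follows it.
    let resource = parts[5].strip_prefix("user")?;
    if !resource.starts_with('/') {
        return None;
    }
    let (path, user_name) = resource.split_at(resource.rfind('/')? + 1);
    if user_name.is_empty() {
        return None;
    }
    Some(IamUserArn {
        partition: partition.to_string(),
        account_id: account_id.to_string(),
        path: path.to_string(),
        user_name: user_name.to_string(),
    })
}

/// Service-side actor: the policy ARN plus the unique ID the README describes (hypothetical type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UserActor {
    pub arn: IamUserArn,
    pub unique_id: String, // constructed placeholder values in tests, not real AWS IDs
}

/// Deleting /Sales/Bob and recreating it yields the same ARN but a new unique ID,
/// so identity must be compared on the ID as well as the ARN.
pub fn same_identity(a: &UserActor, b: &UserActor) -> bool {
    a.arn == b.arn && a.unique_id == b.unique_id
}
```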
