I am reading through the AWS documentation "Understanding how IAM works" and I'm confused about the definitions for identities and entities.
Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.
Entities
The IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.
What's the difference between the two? They are both IAM resource objects. They both include users and roles (although only identities have groups). You can only attach a policy to an identity but not an entity, but you ultimately authenticate an entity but not an identity. Is the naming difference just a question of grammar, or is there something fundamentally different between the two?
In the context of DDD, identity is something inherent to an entity. Only entities have it; it's something that uniquely identifies them among all other entities. For example, we deem two people as being different regardless of any "attributes" they possess.
IAM Entities. The IAM resource objects that AWS uses for authentication. These include IAM users and roles.
Principals. A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
Identity-based policies. There are two types of managed policies:
AWS managed policies – Managed policies that are created and managed by AWS.
Customer managed policies – Managed policies that you create and manage in your AWS account.
My understanding was helped by this diagram from the Wikipedia page on IAM.
Entities represent the actors on the system, and they may each have multiple identities.
Unfortunately this doesn't translate well to IAM resources, and the IAM User Guide itself is pretty loose when referring to entities, identities, and principals (it often seems to use them interchangeably). As you've already noticed, identities are special since they can have policies attached to them directly. While some entities can have policies attached to them (since they also happen to be identities), that's more of an implementation detail, rather than a feature.
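A small classifier written for this thread (it is not AWS code and not from the docs quoted above): it takes principal ARNs of the shapes that show up in CloudTrail's userIdentity.arn field and says which ones are entities (they authenticated a request), which are identities (they can carry an attached policy), and, for an assumed-role session, which role identity its permissions came from. The account id and all names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample principal ARNs (shapes seen in CloudTrail userIdentity.arn);
# 123456789012 is a placeholder account id.
SAMPLE_ARNS = [
    "arn:aws:iam::123456789012:user/eng/bob",
    "arn:aws:iam::123456789012:role/Deployer",
    "arn:aws:sts::123456789012:assumed-role/Deployer/ci-run-42",
    "arn:aws:sts::123456789012:federated-user/contractor",
    "arn:aws:iam::123456789012:group/admins",
]

ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):([^/]+)/(.+)$")

@dataclass
class Classification:
    kind: str                    # user, role, assumed-role, federated-user, group
    is_entity: bool              # authenticates requests
    is_identity: bool            # can carry an attached policy
    identity_arn: Optional[str]  # identity whose policies govern the entity

def classify(arn: str) -> Classification:
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"unrecognised principal ARN: {arn}")
    service, account, kind, rest = m.groups()
    if (service, kind) == ("iam", "user"):
        # IAM user: both entity and identity; policies attach to it directly.
        return Classification(kind, True, True, arn)
    if (service, kind) == ("iam", "role"):
        # Role: identity only; nothing signs a request as the role itself.
        return Classification(kind, False, True, arn)
    if (service, kind) == ("iam", "group"):
        # Group: identity only; groups never authenticate.
        return Classification(kind, False, True, arn)
    if (service, kind) == ("sts", "assumed-role"):
        # Session entity whose permissions come from the role identity. The
        # session ARN drops any role path, so resolve by role name only.
        role_name = rest.split("/", 1)[0]
        return Classification(kind, True, False,
                              f"arn:aws:iam::{account}:role/{role_name}")
    if (service, kind) == ("sts", "federated-user"):
        # GetFederationToken session: authenticates, but the ARN does not name
        # the IAM user whose policies bound it, so there is nothing to resolve.
        return Classification(kind, True, False, None)
    raise ValueError(f"unhandled principal type {kind!r} in {arn}")
```

Running classify over SAMPLE_ARNS shows the overlap the answers describe: the user is both, the role and group are identities only, and the two STS sessions are entities only.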