Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

Avatar for y13i y13i
December 08, 2014
0
240

AWS Advanced Users Meetup vol.2

Avatar for y13i

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
Avatar for y13i y13i
0
560
Alpine Linux ノススメ
Avatar for y13i y13i
1
6.8k
2014-06-20 JAWS-UG Tokyo
Avatar for y13i y13i
0
670
JAWS-UG Nagano Kickoff Meeting
Avatar for y13i y13i
6
4.3k

Featured

See All Featured
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
11k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
34
2.3k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
36
6.1k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
23k
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
65
7.9k
BBQ
Avatar for Matthew Crist matthewcrist
89
9.9k
It's Worth the Effort
Avatar for 3n 3n
187
28k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
127
54k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
697
190k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
630

Transcript

  1. IAM Instance Profile ʼʻ [email protected]

  2. IAM Role • IAMͷݖݶҕৡͷ࢓૊Έ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/

  3. IAM RoleΛEC2Πϯελϯεʹ ౉͢ • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

  4. ʼʻ

  5. IAM Role͸Πϯελϯεىಈ࣌ ͔͠౉ͤͳ͍ʂ ……AWS Management ConsoleͰ͸

  6. Use them! CLI SDK CFn

  7. IAM Roleͷ෇͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ෇༩ʣ

  8. Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:

    "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )

  9. Instance ProfileΛ෇͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:

    1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )

  10. ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":

    [ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή

  11. RoleΛ෇͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",

    role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

  12. RDS͕ݟ͑Δ͸ͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client

    error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?

  13. Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":

    [] } ͸͍

  14. Ͳ͏΍Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋ ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠ • Stop/Startͩͱ൓ө͞ΕΔ • Rebootͩͱμϝ •

    ࣌ؒܦաͰ൓өʁʢະݕূʣ

  15. ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠