Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS Advanced Users Meetup vol.2
Search
y13i
December 08, 2014
250
0
Share
AWS Advanced Users Meetup vol.2
y13i
December 08, 2014
More Decks by y13i
See All by y13i
Alexa と Polly と私
y13i
0
590
Alpine Linux ノススメ
y13i
1
6.9k
2014-06-20 JAWS-UG Tokyo
y13i
0
690
JAWS-UG Nagano Kickoff Meeting
y13i
6
4.4k
Featured
See All Featured
Into the Great Unknown - MozCon
thekraken
40
2.3k
For a Future-Friendly Web
brad_frost
183
10k
Marketing Yourself as an Engineer | Alaka | Gurzu
gurzu
0
180
New Earth Scene 8
popppiees
3
2.1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
730
Balancing Empowerment & Direction
lara
6
1k
Git: the NoSQL Database
bkeepers
PRO
432
67k
Crafting Experiences
bethany
1
110
GitHub's CSS Performance
jonrohan
1032
470k
sira's awesome portfolio website redesign presentation
elsirapls
0
210
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
0
270
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
140
Transcript
IAM Instance Profile ʼʻ
[email protected]
IAM Role • IAMͷݖݶҕৡͷΈ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/
IAM RoleΛEC2Πϯελϯεʹ ͢ • ͦͷΠϯελϯε͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ
ʼʻ
IAM RoleΠϯελϯεىಈ࣌ ͔ͤ͠ͳ͍ʂ ……AWS Management ConsoleͰ
Use them! CLI SDK CFn
IAM Roleͷ͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ༩ʣ
Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:
"ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )
Instance ProfileΛ͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:
1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )
ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":
[ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή
RoleΛ͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",
role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ
RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client
error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?
Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":
[] } ͍
Ͳ͏Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ ͘RoleΛมߋͨ͠߹ɺଈө͞Εͳ͍Β͍͠ • Stop/Startͩͱө͞ΕΔ • Rebootͩͱμϝ •
࣌ؒܦաͰөʁʢະݕূʣ
ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠
y13i
thekraken
brad_frost
gurzu
popppiees
tomoyanonymous
lara
bkeepers
bethany
jonrohan
elsirapls
apolaine
greggifford
![IAM Instance Profile ʼʻ [email protected]](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_0.jpg){kind=link}
![ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_9.jpg){kind=link}
![RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_11.jpg){kind=link}
![Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_12.jpg){kind=link}
