Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

Avatar for y13i y13i
December 08, 2014
0
250

AWS Advanced Users Meetup vol.2

Avatar for y13i

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
Avatar for y13i y13i
0
580
Alpine Linux ノススメ
Avatar for y13i y13i
1
6.9k
2014-06-20 JAWS-UG Tokyo
Avatar for y13i y13i
0
690
JAWS-UG Nagano Kickoff Meeting
Avatar for y13i y13i
6
4.4k

Featured

See All Featured
WCS-LA-2024
Avatar for Leonardo Collado-Torres lcolladotor
0
450
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
37
6.3k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
33
1.5k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
380
My Coaching Mixtape
Avatar for mlcsv mlcsv
0
48
Bioeconomy Workshop: Dr. Julius Ecuru, Opportunities for a Bioeconomy in West Africa
Avatar for AKADEMIYA2063 akademiya2063
PRO
1
55
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.7k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
273
21k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
666
130k
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
160

Transcript

  1. IAM Instance Profile ʼʻ [email protected]

  2. IAM Role • IAMͷݖݶҕৡͷ࢓૊Έ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/

  3. IAM RoleΛEC2Πϯελϯεʹ ౉͢ • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

  4. ʼʻ

  5. IAM Role͸Πϯελϯεىಈ࣌ ͔͠౉ͤͳ͍ʂ ……AWS Management ConsoleͰ͸

  6. Use them! CLI SDK CFn

  7. IAM Roleͷ෇͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ෇༩ʣ

  8. Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:

    "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )

  9. Instance ProfileΛ෇͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:

    1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )

  10. ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":

    [ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή

  11. RoleΛ෇͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",

    role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

  12. RDS͕ݟ͑Δ͸ͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client

    error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?

  13. Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":

    [] } ͸͍

  14. Ͳ͏΍Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋ ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠ • Stop/Startͩͱ൓ө͞ΕΔ • Rebootͩͱμϝ •

    ࣌ؒܦաͰ൓өʁʢະݕূʣ

  15. ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠