Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

Avatar for y13i y13i
December 08, 2014
0
240

AWS Advanced Users Meetup vol.2

Avatar for y13i

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
Avatar for y13i y13i
0
550
Alpine Linux ノススメ
Avatar for y13i y13i
1
6.8k
2014-06-20 JAWS-UG Tokyo
Avatar for y13i y13i
0
670
JAWS-UG Nagano Kickoff Meeting
Avatar for y13i y13i
6
4.2k

Featured

See All Featured
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
50k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
72
11k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.6k
A better future with KSS
Avatar for Kyle Neath kneath
239
17k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
74
5k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
279
23k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
810
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.6k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
8
530
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.5k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.4k

Transcript

  1. IAM Instance Profile ʼʻ [email protected]

  2. IAM Role • IAMͷݖݶҕৡͷ࢓૊Έ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/

  3. IAM RoleΛEC2Πϯελϯεʹ ౉͢ • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

  4. ʼʻ

  5. IAM Role͸Πϯελϯεىಈ࣌ ͔͠౉ͤͳ͍ʂ ……AWS Management ConsoleͰ͸

  6. Use them! CLI SDK CFn

  7. IAM Roleͷ෇͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ෇༩ʣ

  8. Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:

    "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )

  9. Instance ProfileΛ෇͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:

    1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )

  10. ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":

    [ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή

  11. RoleΛ෇͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",

    role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

  12. RDS͕ݟ͑Δ͸ͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client

    error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?

  13. Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":

    [] } ͸͍

  14. Ͳ͏΍Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋ ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠ • Stop/Startͩͱ൓ө͞ΕΔ • Rebootͩͱμϝ •

    ࣌ؒܦաͰ൓өʁʢະݕূʣ

  15. ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠