Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS Advanced Users Meetup vol.2
Search
y13i
December 08, 2014
0
230
AWS Advanced Users Meetup vol.2
y13i
December 08, 2014
Tweet
Share
More Decks by y13i
See All by y13i
Alexa と Polly と私
y13i
0
530
Alpine Linux ノススメ
y13i
1
6.8k
2014-06-20 JAWS-UG Tokyo
y13i
0
660
JAWS-UG Nagano Kickoff Meeting
y13i
6
4.1k
Featured
See All Featured
GitHub's CSS Performance
jonrohan
1031
460k
Docker and Python
trallard
44
3.4k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
Thoughts on Productivity
jonyablonski
69
4.6k
The Cult of Friendly URLs
andyhume
78
6.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
357
30k
Into the Great Unknown - MozCon
thekraken
38
1.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2.1k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.7k
A designer walks into a library…
pauljervisheath
205
24k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
14
1.5k
RailsConf 2023
tenderlove
30
1.1k
Transcript
IAM Instance Profile ʼʻ
[email protected]
IAM Role • IAMͷݖݶҕৡͷΈ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/
IAM RoleΛEC2Πϯελϯεʹ ͢ • ͦͷΠϯελϯε͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ
ʼʻ
IAM RoleΠϯελϯεىಈ࣌ ͔ͤ͠ͳ͍ʂ ……AWS Management ConsoleͰ
Use them! CLI SDK CFn
IAM Roleͷ͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ༩ʣ
Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:
"ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )
Instance ProfileΛ͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:
1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )
ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":
[ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή
RoleΛ͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",
role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ
RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client
error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?
Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":
[] } ͍
Ͳ͏Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ ͘RoleΛมߋͨ͠߹ɺଈө͞Εͳ͍Β͍͠ • Stop/Startͩͱө͞ΕΔ • Rebootͩͱμϝ •
࣌ؒܦաͰөʁʢະݕূʣ
ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠