Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS Advanced Users Meetup vol.2
Search
y13i
December 08, 2014
0
230
AWS Advanced Users Meetup vol.2
y13i
December 08, 2014
Tweet
Share
More Decks by y13i
See All by y13i
Alexa と Polly と私
y13i
0
540
Alpine Linux ノススメ
y13i
1
6.8k
2014-06-20 JAWS-UG Tokyo
y13i
0
660
JAWS-UG Nagano Kickoff Meeting
y13i
6
4.2k
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
283
13k
How STYLIGHT went responsive
nonsquared
100
5.7k
Balancing Empowerment & Direction
lara
1
510
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.5k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.6k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.8k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
GraphQLとの向き合い方2022年版
quramy
49
14k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Speed Design
sergeychernyshev
32
1k
Transcript
IAM Instance Profile ʼʻ
[email protected]
IAM Role • IAMͷݖݶҕৡͷΈ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/
IAM RoleΛEC2Πϯελϯεʹ ͢ • ͦͷΠϯελϯε͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ
ʼʻ
IAM RoleΠϯελϯεىಈ࣌ ͔ͤ͠ͳ͍ʂ ……AWS Management ConsoleͰ
Use them! CLI SDK CFn
IAM Roleͷ͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ༩ʣ
Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:
"ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )
Instance ProfileΛ͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:
1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )
ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":
[ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή
RoleΛ͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",
role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ
RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client
error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?
Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":
[] } ͍
Ͳ͏Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ ͘RoleΛมߋͨ͠߹ɺଈө͞Εͳ͍Β͍͠ • Stop/Startͩͱө͞ΕΔ • Rebootͩͱμϝ •
࣌ؒܦաͰөʁʢະݕূʣ
ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠