Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

y13i
December 08, 2014
0
180

AWS Advanced Users Meetup vol.2

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
y13i
0
410
Alpine Linux ノススメ
y13i
1
6.4k
2014-06-20 JAWS-UG Tokyo
y13i
0
510
JAWS-UG Nagano Kickoff Meeting
y13i
6
3.3k

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
89
4.3k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
Stop Working from a Prison Cell
hatefulcrawdad
264
18k
VelocityConf: Rendering Performance Case Studies
addyosmani
317
22k
Product Roadmaps are Hard
iamctodd
39
7.9k
Building an army of robots
kneath
300
41k
Mobile First: as difficult as doing things right
swwweet
213
7.9k
What the flash - Photography Introduction
edds
64
10k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
15
1.2k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8k
BBQ
matthewcrist
75
8.2k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k

Transcript

  1. IAM Instance Profile
    ʼʻ
    [email protected]

    View Slide

  2. IAM Role
    • IAMͷݖݶҕৡͷ࢓૊Έ
    • cf. http://dev.classmethod.jp/cloud/aws/iam-role-
    and-assumerole/

    View Slide

  3. IAM RoleΛEC2Πϯελϯεʹ
    ౉͢
    • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ
    credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

    View Slide

  4. ʼʻ

    View Slide

  5. IAM Role͸Πϯελϯεىಈ࣌
    ͔͠౉ͤͳ͍ʂ
    ……AWS Management ConsoleͰ͸

    View Slide

  6. Use them!
    CLI
    SDK CFn

    View Slide

  7. IAM Roleͷ෇͚ସ͑ʂʂ
    • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only
    permissionΛ෇༩ʣ

    View Slide

  8. Instance ProfileΛ༻ҙ
    iam_client.create_instance_profile(
    instance_profile_name: "ore-no-instance-profile",
    path: "/",
    )
    iam_client.add_role_to_instance_profile(
    instance_profile_name: "ore-no-instance-profile",
    role_name: "ore-no-iam-role-ec2",
    )

    View Slide

  9. Instance ProfileΛ෇͚ͯىಈ
    ec2_client.run_instances(
    instance_type: "t2.micro",
    image_id: "ami-b66ed3de",
    min_count: 1,
    max_count: 1,
    key_name: “ore-no-keypair“,
    subnet_id: "subnet-12345678",
    iam_instance_profile: {
    name: "ore-no-instance-profile",
    }
    )

    View Slide

  10. ϩάΠϯͯ֬͠ೝ
    [[email protected] ~]$ aws ec2 describe-instances --region us-east-1
    {
    "Reservations": [
    {
    "OwnerId": "229075135534",
    "ReservationId": "r-7b800404",
    "Groups": [
    {
    "GroupName": "common",
    "GroupId": "sg-6016a20a"
    }
    ……
    ͏Ή

    View Slide

  11. RoleΛ෇͚ସ͑ΔΑ
    iam_client.remove_role_from_instance_profile(
    instance_profile_name: "ore-no-instance-profile",
    role_name: "ore-no-iam-role-ec2",
    )
    iam_client.add_role_to_instance_profile(
    instance_profile_name: "ore-no-instance-profile",
    role_name: "ore-no-iam-role-rds",
    )
    Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

    View Slide

  12. RDS͕ݟ͑Δ͸ͣ…
    [[email protected] ~]$ aws rds describe-db-instances --region us-east-1
    A client error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts::
    229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances
    !?

    View Slide

  13. Stop/Startͯ͠࠶֬ೝ
    [[email protected] ~]$ aws rds describe-db-instances --region us-east-1
    {
    "DBInstances": []
    }
    ͸͍

    View Slide

  14. Ͳ͏΍Β
    • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋
    ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠
    • Stop/Startͩͱ൓ө͞ΕΔ
    • Rebootͩͱμϝ
    • ࣌ؒܦաͰ൓өʁʢະݕূʣ

    View Slide

  15. ਗ਼͘ਖ਼͘͠IAM Role
    ͋Γ͕ͱ͏͍͟͝·ͨ͠

    View Slide