Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

Avatar for y13i y13i
December 08, 2014
0
230

AWS Advanced Users Meetup vol.2

Avatar for y13i

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
Avatar for y13i y13i
0
530
Alpine Linux ノススメ
Avatar for y13i y13i
1
6.8k
2014-06-20 JAWS-UG Tokyo
Avatar for y13i y13i
0
660
JAWS-UG Nagano Kickoff Meeting
Avatar for y13i y13i
6
4.1k

Featured

See All Featured
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Docker and Python
Avatar for Tania Allard trallard
44
3.4k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
42
7.5k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
69
4.6k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
78
6.4k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
357
30k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
38
1.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
30
2.1k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
52
2.7k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
205
24k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
14
1.5k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.1k

Transcript

  1. IAM Instance Profile ʼʻ [email protected]

  2. IAM Role • IAMͷݖݶҕৡͷ࢓૊Έ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/

  3. IAM RoleΛEC2Πϯελϯεʹ ౉͢ • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

  4. ʼʻ

  5. IAM Role͸Πϯελϯεىಈ࣌ ͔͠౉ͤͳ͍ʂ ……AWS Management ConsoleͰ͸

  6. Use them! CLI SDK CFn

  7. IAM Roleͷ෇͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ෇༩ʣ

  8. Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:

    "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )

  9. Instance ProfileΛ෇͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:

    1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )

  10. ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":

    [ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή

  11. RoleΛ෇͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",

    role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

  12. RDS͕ݟ͑Δ͸ͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client

    error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?

  13. Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":

    [] } ͸͍

  14. Ͳ͏΍Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋ ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠ • Stop/Startͩͱ൓ө͞ΕΔ • Rebootͩͱμϝ •

    ࣌ؒܦաͰ൓өʁʢະݕূʣ

  15. ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠