Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS Advanced Users Meetup vol.2
Search
y13i
December 08, 2014
0
230
AWS Advanced Users Meetup vol.2
y13i
December 08, 2014
Tweet
Share
More Decks by y13i
See All by y13i
Alexa と Polly と私
y13i
0
510
Alpine Linux ノススメ
y13i
1
6.7k
2014-06-20 JAWS-UG Tokyo
y13i
0
630
JAWS-UG Nagano Kickoff Meeting
y13i
6
3.9k
Featured
See All Featured
RailsConf 2023
tenderlove
29
900
GitHub's CSS Performance
jonrohan
1030
460k
Done Done
chrislema
181
16k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
Side Projects
sachag
452
42k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Adopting Sorbet at Scale
ufuk
73
9.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Building Your Own Lightsaber
phodgson
103
6.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Faster Mobile Websites
deanohume
305
30k
Transcript
IAM Instance Profile ʼʻ
[email protected]
IAM Role • IAMͷݖݶҕৡͷΈ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/
IAM RoleΛEC2Πϯελϯεʹ ͢ • ͦͷΠϯελϯε͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ
ʼʻ
IAM RoleΠϯελϯεىಈ࣌ ͔ͤ͠ͳ͍ʂ ……AWS Management ConsoleͰ
Use them! CLI SDK CFn
IAM Roleͷ͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ༩ʣ
Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:
"ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )
Instance ProfileΛ͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:
1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )
ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":
[ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή
RoleΛ͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",
role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ
RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client
error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?
Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":
[] } ͍
Ͳ͏Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ ͘RoleΛมߋͨ͠߹ɺଈө͞Εͳ͍Β͍͠ • Stop/Startͩͱө͞ΕΔ • Rebootͩͱμϝ •
࣌ؒܦաͰөʁʢະݕূʣ
ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠