Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AWS Advanced Users Meetup vol.2

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for y13i y13i
December 08, 2014
0
250

AWS Advanced Users Meetup vol.2

Avatar for y13i

y13i

December 08, 2014
Tweet

More Decks by y13i

See All by y13i
Alexa と Polly と私
Avatar for y13i y13i
0
580
Alpine Linux ノススメ
Avatar for y13i y13i
1
6.9k
2014-06-20 JAWS-UG Tokyo
Avatar for y13i y13i
0
690
JAWS-UG Nagano Kickoff Meeting
Avatar for y13i y13i
6
4.4k

Featured

See All Featured
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
55k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.4k
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
140k
New Earth Scene 8
Avatar for Sydney Stone popppiees
1
1.5k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.3k
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
Avatar for Takuto Wada twada
PRO
117
110k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
290
16th Malabo Montpellier Forum Presentation
Avatar for AKADEMIYA2063 akademiya2063
PRO
0
51
It's Worth the Effort
Avatar for 3n 3n
188
29k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
280
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.3k

Transcript

  1. IAM Instance Profile ʼʻ [email protected]

  2. IAM Role • IAMͷݖݶҕৡͷ࢓૊Έ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/

  3. IAM RoleΛEC2Πϯελϯεʹ ౉͢ • ͦͷΠϯελϯε಺͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ

  4. ʼʻ

  5. IAM Role͸Πϯελϯεىಈ࣌ ͔͠౉ͤͳ͍ʂ ……AWS Management ConsoleͰ͸

  6. Use them! CLI SDK CFn

  7. IAM Roleͷ෇͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ෇༩ʣ

  8. Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:

    "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )

  9. Instance ProfileΛ෇͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:

    1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )

  10. ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":

    [ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή

  11. RoleΛ෇͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",

    role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ

  12. RDS͕ݟ͑Δ͸ͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client

    error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?

  13. Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":

    [] } ͸͍

  14. Ͳ͏΍Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ΋ ෇͘RoleΛมߋͨ͠৔߹ɺଈ൓ө͸͞Εͳ͍Β͍͠ • Stop/Startͩͱ൓ө͞ΕΔ • Rebootͩͱμϝ •

    ࣌ؒܦաͰ൓өʁʢະݕূʣ

  15. ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠