Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
AWS Advanced Users Meetup vol.2
Search
y13i
December 08, 2014
0
230
AWS Advanced Users Meetup vol.2
y13i
December 08, 2014
Tweet
Share
More Decks by y13i
See All by y13i
Alexa と Polly と私
y13i
0
520
Alpine Linux ノススメ
y13i
1
6.7k
2014-06-20 JAWS-UG Tokyo
y13i
0
640
JAWS-UG Nagano Kickoff Meeting
y13i
6
4k
Featured
See All Featured
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
GitHub's CSS Performance
jonrohan
1030
460k
Rails Girls Zürich Keynote
gr2m
94
13k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
11
900
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.2k
RailsConf 2023
tenderlove
29
980
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Into the Great Unknown - MozCon
thekraken
34
1.6k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.5k
Gamification - CAS2011
davidbonilla
80
5.1k
Transcript
IAM Instance Profile ʼʻ
[email protected]
IAM Role • IAMͷݖݶҕৡͷΈ • cf. http://dev.classmethod.jp/cloud/aws/iam-role- and-assumerole/
IAM RoleΛEC2Πϯελϯεʹ ͢ • ͦͷΠϯελϯε͔ΒͷAPIίʔϧͰ໌ࣔతʹ credentialsΛࢦఆ͢Δඞཁ͕ͳ͘ͳΔʂˠ࠷ߴ
ʼʻ
IAM RoleΠϯελϯεىಈ࣌ ͔ͤ͠ͳ͍ʂ ……AWS Management ConsoleͰ
Use them! CLI SDK CFn
IAM Roleͷ͚ସ͑ʂʂ • ԶͷRoleΛ༻ҙʢEC2ͱRDSͷRead only permissionΛ༩ʣ
Instance ProfileΛ༻ҙ iam_client.create_instance_profile( instance_profile_name: "ore-no-instance-profile", path: "/", ) iam_client.add_role_to_instance_profile( instance_profile_name:
"ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", )
Instance ProfileΛ͚ͯىಈ ec2_client.run_instances( instance_type: "t2.micro", image_id: "ami-b66ed3de", min_count: 1, max_count:
1, key_name: “ore-no-keypair“, subnet_id: "subnet-12345678", iam_instance_profile: { name: "ore-no-instance-profile", } )
ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":
[ { "OwnerId": "229075135534", "ReservationId": "r-7b800404", "Groups": [ { "GroupName": "common", "GroupId": "sg-6016a20a" } …… ͏Ή
RoleΛ͚ସ͑ΔΑ iam_client.remove_role_from_instance_profile( instance_profile_name: "ore-no-instance-profile", role_name: "ore-no-iam-role-ec2", ) iam_client.add_role_to_instance_profile( instance_profile_name: "ore-no-instance-profile",
role_name: "ore-no-iam-role-rds", ) Τϥʔग़ͳ͍ʂ͜ΕͰউͭΔʂ
RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client
error (AccessDenied) occurred when calling the DescribeDBInstances operation: User: arn:aws:sts:: 229075135534:assumed-role/ore-no-iam-role-ec2/i-5e3530b4 is not authorized to perform: rds:DescribeDBInstances !?
Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":
[] } ͍
Ͳ͏Β • ىಈதͷEC2ΠϯελϯεͷInstance Profileʹͻ ͘RoleΛมߋͨ͠߹ɺଈө͞Εͳ͍Β͍͠ • Stop/Startͩͱө͞ΕΔ • Rebootͩͱμϝ •
࣌ؒܦաͰөʁʢະݕূʣ
ਗ਼͘ਖ਼͘͠IAM Role ͋Γ͕ͱ͏͍͟͝·ͨ͠
y13i
tanoku
jonrohan
gr2m
honnibal
eileencodes
tenderlove
pedronauck
thekraken
lauravandoore
maggiecrowley
davidbonilla
![IAM Instance Profile ʼʻ [email protected]](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_0.jpg){kind=link}
![ϩάΠϯͯ֬͠ೝ [ec2-user@ip-172-30-0-121 ~]$ aws ec2 describe-instances --region us-east-1 { "Reservations":](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_9.jpg){kind=link}
![RDS͕ݟ͑Δͣ… [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 A client](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_11.jpg){kind=link}
![Stop/Startͯ͠࠶֬ೝ [ec2-user@ip-172-30-0-121 ~]$ aws rds describe-db-instances --region us-east-1 { "DBInstances":](https://files.speakerdeck.com/presentations/b8997c5060fe013234ac7a10b4727eb7/slide_12.jpg){kind=link}
