Role つくる
% aws iam get-role --role-name foobar
% aws iam create-role --role-name foobar --assume-role-policy-document file://assume-role-policy.json
% aws iam get-role --role-name foobar
assume-role-policy.json
というのは、
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Policy つくる
arn:aws:iam::aws:policy/AmazonS3FullAccess
など既存のものを使ってもよい。
% aws iam create-policy --policy-name testpolicy --policy-document file://testpolicy.json
% aws iam list-policies --query Policies[?PolicyName==\'testpolicy\']
% export POLICY_ARN=`aws iam list-policies --query Policies[?PolicyName==\'testpolicy\'].Arn --output text`
% echo $POLICY_ARN
testpolicy.json
というのは、
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:List*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
Role に Policy を attach する
% aws iam attach-role-policy --role-name foobar --policy-arn $POLICY_ARN
% aws iam list-attached-role-policies --role-name foobar
Instance Profile をつくる
% aws iam create-instance-profile --instance-profile-name hogefuga
% aws iam get-instance-profile --instance-profile-name hogefuga
Instance Profile に Role を attach する
% aws iam add-role-to-instance-profile --instance-profile-name hogefuga --role-name foobar
% aws iam get-instance-profile --instance-profile-name hogefuga
以上でいけてるはず。
確認: 作成した Instance Profile を利用してみる
Negative Control: 作成したInstance Profileを使わずにEC2をローンチする
% aws ec2 run-instances \
--region ap-northeast-1 \
--instance-type t2.nano \
--associate-public-ip-address \
--key-name otiai10-test.tokyo \
--image-id ami-92df37ed \
--security-group-ids sg-8fec68f7
[ec2-user@ip-172-31-26-230 ~]$ aws s3 ls s3://otiai10-test-bucket
Unable to locate credentials. You can configure credentials by running "aws configure".
Positive: 作成したInstance Profileを付与してEC2をローンチする
% aws ec2 run-instances \
--region ap-northeast-1 \
--instance-type t2.nano \
--associate-public-ip-address \
--key-name otiai10-test.tokyo \
--image-id ami-92df37ed \
--security-group-ids sg-8fec68f7 \
--iam-instance-profile Name=hogefuga
[ec2-user@ip-172-31-21-74 ~]$ aws s3 ls s3://otiai10-test-bucket
PRE aaa/
PRE bbb/
PRE xxx/
[ec2-user@ip-172-31-21-74 ~]$ touch perm-test-example.txt
[ec2-user@ip-172-31-21-74 ~]$ aws s3 cp perm-test-example.txt s3://otiai10-test-bucket/example.txt
upload failed: ./perm-test-example.txt to s3://otiai10-test-bucket/example.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
当該 Instance Profile を付与したインスタンスだけが、S3へ指定した権限を持つことが確認できた。
後片付け
% aws ec2 terminate-instances --instance-ids i-00dd9b9d9310be741 i-0f78bdb6bf62cc5c5
% aws iam remove-role-from-instance-profile --instance-profile-name hogefuga --role-name foobar
% aws iam delete-instance-profile --instance-profile-name hogefuga
% aws iam detach-role-policy --role-name foobar --policy-arn $POLICY_ARN
% aws iam delete-role --role-name foobar
雑感
- IAM Instance Profile まわりをCLIでやるのはたいへんだるい
DRYな備忘録として