LoginSignup
0
0

More than 5 years have passed since last update.

@tcsh(Hirokazu HATANO)

[JAWS-UG CLI] IAM:#80 IAMロールの作成 (aws-opsworks-ec2-role)

Last updated at Posted at 2017-06-26

前提条件

IAMへの権限

IAMに対してフル権限があること。

AWS CLIのバージョン

コマンド
aws --version
結果(例)
      aws-cli/1.9.0 Python/2.7.5 Darwin/13.4.0 botocore/1.3.0

0. 準備

変数の確認

プロファイルが想定のものになっていることを確認します。

変数の確認
aws configure list
結果(例)

            Name                    Value             Type    Location
            ----                    -----             ----    --------
         profile       iamFull-prjZ-mbp13iamFull-prjZ-mbp13              env    AWS_DEFAULT_PROFILE
      access_key     ****************XXXX shared-credentials-file
      secret_key     ****************XXXX shared-credentials-file
          region                eu-west-1              env    AWS_DEFAULT_REGION

1. 事前作業

1.1. IAMロール名の決定

変数の設定
IAM_ROLE_NAME='aws-opsworks-ec2-role'

同じ名前のIAMロールが存在しないことを確認します。

コマンド
aws iam get-role \
         --role-name ${IAM_ROLE_NAME}
結果(例)
      A client error (NoSuchEntity) occurred when calling the GetRole operation: The role with name aws-opsworks-ec2-role cannot be found.

2. ロールの作成

2.1. assumeロールの決定

変数の設定
FILE_ROLE_DOC="${IAM_ROLE_NAME}.json" \
        && echo ${FILE_ROLE_DOC}
コマンド
cat << EOF > ${FILE_ROLE_DOC}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

cat ${FILE_ROLE_DOC}
コマンド
jsonlint -q ${FILE_ROLE_DOC}

2.2. ロールの作成

変数の確認
cat << ETX

        IAM_ROLE_NAME: ${IAM_ROLE_NAME}
        FILE_ROLE_DOC: ${FILE_ROLE_DOC}

ETX
コマンド
aws iam create-role \
        --role-name ${IAM_ROLE_NAME} \
        --assume-role-policy-document file://${FILE_ROLE_DOC}
結果(例)
      {
        "Role": {
          "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Action": "sts:AssumeRole",
                      "Sid": "",
                      "Effect": "Allow",
                      "Principal": {
                          "Service": "ec2.amazonaws.com"
                      }
                  }
              ]
          },
          "RoleId": "AROAJOMDKX4MPARLRM5CO",
          "CreateDate": "2015-10-23T02:05:55.750Z",
          "RoleName": "aws-opsworks-ec2-role",
          "Path": "/",
          "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/aws-opsworks-ec2-role"
        }
      }
コマンド
aws iam get-role \
         --role-name ${IAM_ROLE_NAME}
結果(例)
      {
        "Role": {
          "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Action": "sts:AssumeRole",
                      "Principal": {
                          "Service": "ec2.amazonaws.com"
                      },
                      "Effect": "Allow",
                      "Sid": ""
                  }
              ]
          },
          "RoleId": "AROAJOMDKX4MPARLRM5CO",
          "CreateDate": "2015-10-23T02:05:55Z",
          "RoleName": "aws-opsworks-ec2-role",
          "Path": "/",
          "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/aws-opsworks-ec2-role"
        }
      }

完了

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
Sign upLogin
0
0