More than 5 years have passed since last update.

[JAWS-UG CLI] IAM:#80 IAMロールの作成 (aws-opsworks-ec2-role)

Last updated at 2017-07-22Posted at 2017-06-26

前提条件

IAMへの権限

IAMに対してフル権限があること。

AWS CLIのバージョン

コマンド

aws --version

結果(例)

      aws-cli/1.9.0 Python/2.7.5 Darwin/13.4.0 botocore/1.3.0

準備
=======

変数の確認

プロファイルが想定のものになっていることを確認します。

変数の確認

aws configure list

結果(例)


            Name                    Value             Type    Location
            ----                    -----             ----    --------
         profile       iamFull-prjZ-mbp13iamFull-prjZ-mbp13              env    AWS_DEFAULT_PROFILE
      access_key     ****************XXXX shared-credentials-file
      secret_key     ****************XXXX shared-credentials-file
          region                eu-west-1              env    AWS_DEFAULT_REGION

事前作業
===========

1.1. IAMロール名の決定

変数の設定

IAM_ROLE_NAME='aws-opsworks-ec2-role'

同じ名前のIAMロールが存在しないことを確認します。

コマンド

aws iam get-role \
         --role-name ${IAM_ROLE_NAME}

結果(例)

      A client error (NoSuchEntity) occurred when calling the GetRole operation: The role with name aws-opsworks-ec2-role cannot be found.

ロールの作成
===============

2.1. assumeロールの決定

変数の設定

FILE_ROLE_DOC="${IAM_ROLE_NAME}.json" \
        && echo ${FILE_ROLE_DOC}

コマンド

cat << EOF > ${FILE_ROLE_DOC}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF

cat ${FILE_ROLE_DOC}

コマンド

jsonlint -q ${FILE_ROLE_DOC}

2.2. ロールの作成

変数の確認

cat << ETX

        IAM_ROLE_NAME: ${IAM_ROLE_NAME}
        FILE_ROLE_DOC: ${FILE_ROLE_DOC}

ETX

コマンド

aws iam create-role \
        --role-name ${IAM_ROLE_NAME} \
        --assume-role-policy-document file://${FILE_ROLE_DOC}

結果(例)

      {
        "Role": {
          "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Action": "sts:AssumeRole",
                      "Sid": "",
                      "Effect": "Allow",
                      "Principal": {
                          "Service": "ec2.amazonaws.com"
                      }
                  }
              ]
          },
          "RoleId": "AROAJOMDKX4MPARLRM5CO",
          "CreateDate": "2015-10-23T02:05:55.750Z",
          "RoleName": "aws-opsworks-ec2-role",
          "Path": "/",
          "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/aws-opsworks-ec2-role"
        }
      }

コマンド

aws iam get-role \
         --role-name ${IAM_ROLE_NAME}

結果(例)

      {
        "Role": {
          "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Action": "sts:AssumeRole",
                      "Principal": {
                          "Service": "ec2.amazonaws.com"
                      },
                      "Effect": "Allow",
                      "Sid": ""
                  }
              ]
          },
          "RoleId": "AROAJOMDKX4MPARLRM5CO",
          "CreateDate": "2015-10-23T02:05:55Z",
          "RoleName": "aws-opsworks-ec2-role",
          "Path": "/",
          "Arn": "arn:aws:iam::XXXXXXXXXXXX:role/aws-opsworks-ec2-role"
        }
      }

完了

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up