
[JAWS-UG CLI] IAM Managed Policy: #17-3 Creating a Customer Managed Policy

More than 5 years have passed since last update.

Prerequisites

1. Creating the Managed Policy

1.1. Deciding the Managed Policy name

Decide the policy name.

command
IAM_MANAGED_POLICY_NAME="S3_ManagedPolicy"

Because the policy will be referred to by its ARN, look up the AWS account ID (IAM_USER_NAME must already be set).

command
AWS_ACCOUNT_ID=`aws iam get-user --user-name ${IAM_USER_NAME} | jq -r .User.Arn | awk -F':' '{print $5}'`
echo ${AWS_ACCOUNT_ID}
result
************

Confirm that no policy with the same name exists. PATH_NAME must begin and end with "/" (here it is /jawsug-cli/), otherwise the assembled ARN is malformed.

command
IAM_MANAGED_POLICY_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:policy${PATH_NAME}${IAM_MANAGED_POLICY_NAME}"
aws iam get-policy --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
A client error (NoSuchEntity) occurred when calling the GetPolicy operation: Policy arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy does not exist.
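The check above relies on reading the error text by eye. The following is an added example, not part of the original handson: it builds the policy ARN with the path normalized so an empty or slash-less PATH_NAME cannot produce a broken ARN, and it classifies the get-policy result so that only a NoSuchEntity error counts as "the name is free". Any other failure (AccessDenied, a throttling error, a typo in the ARN) is reported as "could not verify" rather than being mistaken for an unused name. The account ID 123456789012 and the sample error strings are constructed for the example; the function names are mine.

```shell
# Added example: ARN construction and a strict "name is free" check.
# Not from the original handson; function names and sample values are assumptions.

# build_policy_arn ACCOUNT_ID PATH NAME -> prints arn:aws:iam::ACCOUNT:policy/PATH/NAME
# IAM paths must start and end with "/"; an empty path is treated as "/".
build_policy_arn() {
  account="$1"; path="$2"; name="$3"
  [ -n "$path" ] || path="/"
  case "$path" in
    /*) ;;
    *) path="/$path" ;;
  esac
  case "$path" in
    */) ;;
    *) path="$path/" ;;
  esac
  printf 'arn:aws:iam::%s:policy%s%s\n' "$account" "$path" "$name"
}

# classify_get_policy EXIT_CODE OUTPUT -> prints exists | free | error
# Only a NoSuchEntity error proves the name is unused. A non-zero exit with any
# other message (AccessDenied, throttling, malformed ARN) must not be read as "free".
classify_get_policy() {
  code="$1"; out="$2"
  if [ "$code" -eq 0 ]; then
    echo exists
  elif printf '%s' "$out" | grep -q 'NoSuchEntity'; then
    echo free
  else
    echo error
  fi
}

# check_policy_name_free POLICY_ARN -> exit 0 only if the name is unused.
# Calls the real AWS CLI, so it is not exercised offline.
check_policy_name_free() {
  code=0
  out=$(aws iam get-policy --policy-arn "$1" 2>&1) || code=$?
  verdict=$(classify_get_policy "$code" "$out")
  case "$verdict" in
    free)   echo "ok: $1 does not exist yet"; return 0 ;;
    exists) echo "name already in use: $1" >&2; return 1 ;;
    *)      echo "could not verify $1: $out" >&2; return 2 ;;
  esac
}

# Usage in the handson flow (account ID is a placeholder here):
#   IAM_MANAGED_POLICY_ARN=$(build_policy_arn "$AWS_ACCOUNT_ID" "$PATH_NAME" "$IAM_MANAGED_POLICY_NAME")
#   check_policy_name_free "$IAM_MANAGED_POLICY_ARN" || exit 1
```

Scripting the step this way matters because a later step (1.3) will happily create a second policy version or fail noisily, but a misread AccessDenied at this point would let the script continue under the wrong assumption about what exists in the account.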

1.2. Creating the Policy Document

Decide the file name for the policy file.

command
FILE_MANAGED_POLICY_DOC="${IAM_MANAGED_POLICY_NAME}.json"
echo ${FILE_MANAGED_POLICY_DOC}
result
S3_ManagedPolicy.json

Create the policy file. Note that this document allows every S3 action (s3:*) on every resource in the account, which is far broader than the hands-on needs; it is kept here because the handson uses it, but in a real account scope Action and Resource down to what the group actually does.

command
cat << EOF > ${FILE_MANAGED_POLICY_DOC}
{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": "*"
          }
        ]
}
EOF

After creating the JSON file, always check that it is well-formed. create-policy rejects malformed JSON, but the lint only checks syntax; it says nothing about whether the policy grants what you intended.

command
jsonlint -q ${FILE_MANAGED_POLICY_DOC}
result
(no output)
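As an added example (not from the original handson), here is the least-privilege counterpart of the document above: instead of s3:* on "*", it grants bucket-level actions on one bucket ARN and object-level actions on the objects under it, which is the two-resource shape S3 policies need because ListBucket is evaluated against the bucket and GetObject/PutObject against the key. The bucket name and output file are parameters; the validator falls back from jq to python3 to jsonlint depending on what is installed, so it runs in environments without jsonlint. Function names are mine.

```shell
# Added example: single-bucket policy document plus a portable JSON check.
# Not from the original handson; function names are assumptions.

# make_s3_bucket_policy_doc BUCKET [FILE] -> writes the document, prints its path
make_s3_bucket_policy_doc() {
  bucket="$1"; file="${2:-S3_ManagedPolicy.json}"
  cat << EOF > "$file"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListThisBucketOnly",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ObjectsInThisBucketOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
  echo "$file"
}

# validate_json FILE -> 0 if well-formed, 1 if not, 2 if no validator is installed.
# Tries jq (already used by the handson), then python3, then jsonlint.
validate_json() {
  if command -v jq > /dev/null 2>&1; then
    jq -e . "$1" > /dev/null || return 1
  elif command -v python3 > /dev/null 2>&1; then
    python3 -c 'import json, sys; json.load(open(sys.argv[1]))' "$1" || return 1
  elif command -v jsonlint > /dev/null 2>&1; then
    jsonlint -q "$1" || return 1
  else
    echo "no JSON validator found; install jq, python3 or jsonlint" >&2
    return 2
  fi
}

# Usage (bucket name is a placeholder; the handson's bucket comes from S3_BUCKET_NAME):
#   FILE_MANAGED_POLICY_DOC=$(make_s3_bucket_policy_doc "$S3_BUCKET_NAME")
#   validate_json "$FILE_MANAGED_POLICY_DOC" || exit 1
```

The upload test in section 2 still works with this document, because s3 cp needs only PutObject on the object ARN and s3 ls needs only ListBucket on the bucket ARN.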

1.3. Creating the policy

Check the variables.

command
cat << ETX
        PATH_NAME: ${PATH_NAME}
        IAM_MANAGED_POLICY_NAME: ${IAM_MANAGED_POLICY_NAME}
        FILE_MANAGED_POLICY_DOC: ${FILE_MANAGED_POLICY_DOC}
ETX
result
        PATH_NAME: /jawsug-cli/
        IAM_MANAGED_POLICY_NAME: S3_ManagedPolicy
        FILE_MANAGED_POLICY_DOC: S3_ManagedPolicy.json

Create the policy.

command
aws iam create-policy --policy-name ${IAM_MANAGED_POLICY_NAME} --path ${PATH_NAME} --policy-document file://${FILE_MANAGED_POLICY_DOC}
result
{
    "Policy": {
        "PolicyName": "S3_ManagedPolicy",
        "CreateDate": "2015-04-11T15:24:39.031Z",
        "AttachmentCount": 0,
        "IsAttachable": true,
        "PolicyId": "A********************",
        "DefaultVersionId": "v1",
        "Path": "/jawsug-cli/",
        "Arn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy",
        "UpdateDate": "2015-04-11T15:24:39.031Z"
    }
}

1.4. Attaching the Customer Managed Policy to the IAM Group

Check the variables.

command
cat << ETX
        IAM_GROUP_NAME: ${IAM_GROUP_NAME}
        IAM_MANAGED_POLICY_ARN: ${IAM_MANAGED_POLICY_ARN}
ETX
result
        IAM_GROUP_NAME: IAM_limited
        IAM_MANAGED_POLICY_ARN: arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy

Attach the Customer Managed Policy to the IAM group.

command
aws iam attach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
(no output)

Confirm that the Customer Managed Policy is attached to the IAM group.

command
aws iam list-attached-group-policies --group-name ${IAM_GROUP_NAME}
result
{
    "AttachedPolicies": [
        {
            "PolicyName": "S3_ManagedPolicy",
            "PolicyArn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy"
        }
    ],
    "IsTruncated": false
}

1.5. (Extra) Confirm that the Managed Policy cannot be attached to any group other than the one named in the group's Policy Document

Decide the name of a test IAM group.

command
IAM_TEST_GROUP_NAME="IAM_test"

Confirm that no IAM group with the same name exists.

command
aws iam get-group --group-name ${IAM_TEST_GROUP_NAME}
result
A client error (NoSuchEntity) occurred when calling the GetGroup operation: The group with name IAM_test cannot be found.

Check the variables.

command
cat << ETX
            IAM_TEST_GROUP_NAME: ${IAM_TEST_GROUP_NAME}
ETX
result
            IAM_TEST_GROUP_NAME: IAM_test

Create the IAM group.

command
aws iam create-group --group-name ${IAM_TEST_GROUP_NAME}
result
{
    "Group": {
        "Path": "/",
        "CreateDate": "2015-04-11T15:50:09.809Z",
        "GroupId": "A********************",
        "Arn": "arn:aws:iam::************:group/IAM_test",
        "GroupName": "IAM_test"
    }
}

Try to attach the Customer Managed Policy to the test IAM group. The request is denied, because the hands-on user is only permitted to call iam:AttachGroupPolicy on the group named in its own policy document.

command
aws iam attach-group-policy --group-name ${IAM_TEST_GROUP_NAME} --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
A client error (AccessDenied) occurred when calling the AttachGroupPolicy operation: User: arn:aws:iam::************:user/IAM_limited-JAWSUG_CLI_17-Coedo is not authorized to perform: iam:AttachGroupPolicy on resource: group IAM_test

Delete the test group.

command
aws iam delete-group --group-name ${IAM_TEST_GROUP_NAME}
result
(no output)

Confirm.

command
aws iam get-group --group-name ${IAM_TEST_GROUP_NAME}
result
A client error (NoSuchEntity) occurred when calling the GetGroup operation: The group with name IAM_test cannot be found.
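The AccessDenied in step 1.5 comes from the policy attached to the hands-on user's own group, which this page does not show. The block below is an added example, not the handson's real policy: it is a hypothetical shape of such a group policy, with iam:AttachGroupPolicy and iam:DetachGroupPolicy limited to one group ARN (the resource-level scoping that produces exactly the error seen above) and the read-only and create/delete calls used on this page allowed broadly. It also adds a small outcome classifier so the negative test can be scripted instead of read by eye. The account ID 123456789012 and the sample error strings are constructed; function names are mine.

```shell
# Added example: hypothetical group policy that scopes AttachGroupPolicy to one group,
# plus a scripted version of the negative test. Not from the original handson.

# make_iam_scoped_policy_doc ACCOUNT_ID GROUP_NAME [FILE] -> writes document, prints path
# Only the second statement is resource-scoped; it is the one that makes attaching
# to any other group fail with AccessDenied.
make_iam_scoped_policy_doc() {
  account="$1"; group="$2"; file="${3:-IAM_limited_policy.json}"
  cat << EOF > "$file"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamCallsUsedInThisHandson",
      "Effect": "Allow",
      "Action": [
        "iam:GetUser", "iam:GetPolicy", "iam:CreatePolicy",
        "iam:GetGroup", "iam:CreateGroup", "iam:DeleteGroup",
        "iam:ListAttachedGroupPolicies"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AttachDetachOnOneGroupOnly",
      "Effect": "Allow",
      "Action": ["iam:AttachGroupPolicy", "iam:DetachGroupPolicy"],
      "Resource": "arn:aws:iam::${account}:group/${group}"
    }
  ]
}
EOF
  echo "$file"
}

# attach_outcome EXIT_CODE OUTPUT -> prints allowed | denied | error
# "denied" is the expected result of the negative test; any other failure
# (NoSuchEntity because the group was never created, throttling) is "error",
# so a broken test cannot pass as a successful denial.
attach_outcome() {
  code="$1"; out="$2"
  if [ "$code" -eq 0 ]; then
    echo allowed
  elif printf '%s' "$out" | grep -q 'AccessDenied'; then
    echo denied
  else
    echo error
  fi
}

# expect_attach_denied GROUP POLICY_ARN -> exit 0 only if the attach is refused.
# Calls the real AWS CLI, so it is not exercised offline.
expect_attach_denied() {
  code=0
  out=$(aws iam attach-group-policy --group-name "$1" --policy-arn "$2" 2>&1) || code=$?
  case "$(attach_outcome "$code" "$out")" in
    denied)  echo "ok: attaching to $1 is denied"; return 0 ;;
    allowed) echo "FAIL: policy was attached to $1; detach it and fix the group policy" >&2; return 1 ;;
    *)       echo "inconclusive: $out" >&2; return 2 ;;
  esac
}

# Usage in the handson flow:
#   expect_attach_denied "$IAM_TEST_GROUP_NAME" "$IAM_MANAGED_POLICY_ARN"
```

If the attach unexpectedly succeeds, the policy is now live on the test group; detach it before deleting the group, since delete-group refuses groups that still have attached policies.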

2. Operation check

2.2. Uploading a file

Decide the name of the file to upload.

command
FILE_LOCAL='test02.txt'
result
(no output)

Create the file to upload.

command
touch ${FILE_LOCAL}
result
(no output)

Upload the file (S3_BUCKET_NAME must already be set). The upload succeeds because the group now carries S3_ManagedPolicy.

command
aws s3 cp ${FILE_LOCAL} s3://${S3_BUCKET_NAME}/
result
upload: ./test02.txt to s3://jaws-ug-cli-17-handson/test02.txt

Confirm that the file was uploaded.

command
aws s3 ls s3://${S3_BUCKET_NAME}/
result
2015-04-04 11:47:23          0 test01.txt
2015-04-04 12:15:57          0 test02.txt