[JAWS-UG CLI] IAM Managed Policy: #17-4 Updating a Customer Managed Policy


Prerequisites

1. Editing the policy document (adding a version)

1.1. Creating the new policy

Decide on the file name for the policy file.

command
FILE_NEW_MANAGED_POLICY_DOC="New_${IAM_MANAGED_POLICY_NAME}.json"
echo ${FILE_NEW_MANAGED_POLICY_DOC}
result
New_S3_ManagedPolicy.json

Create the policy file.
(This policy denies write operations.)

command
cat << EOF > ${FILE_NEW_MANAGED_POLICY_DOC}
{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:*"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Deny",
            "Action": [
              "s3:Put*"
            ],
            "Resource": "*"
          }
        ]
}
EOF

After creating the JSON file, always check that its format is not broken.

command
jsonlint -q ${FILE_NEW_MANAGED_POLICY_DOC}
result
(no output)

1.2. Changing the policy

Check the variables

command
cat << ETX
        IAM_MANAGED_POLICY_ARN: ${IAM_MANAGED_POLICY_ARN}
        FILE_NEW_MANAGED_POLICY_DOC: ${FILE_NEW_MANAGED_POLICY_DOC}
ETX
result
        IAM_MANAGED_POLICY_ARN: arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy
        FILE_NEW_MANAGED_POLICY_DOC: New_S3_ManagedPolicy.json

Check the current state

command
aws iam get-policy --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
{
    "Policy": {
        "PolicyName": "S3_ManagedPolicy",
        "CreateDate": "2015-04-11T15:24:39Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "A********************",
        "DefaultVersionId": "v1",
        "Path": "/jawsug-cli/",
        "Arn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy",
        "UpdateDate": "2015-04-11T15:24:39Z"
    }
}

Update the policy
(but do not apply it yet)

command
aws iam create-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --policy-document file://${FILE_NEW_MANAGED_POLICY_DOC}
result
{
    "PolicyVersion": {
        "CreateDate": "2015-03-28T13:06:44.682Z",
        "VersionId": "v2",
        "IsDefaultVersion": false
    }
}

Check the current state
(Note that DefaultVersionId has not changed.)

command
aws iam get-policy --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
{
    "Policy": {
        "PolicyName": "S3_ManagedPolicy",
        "CreateDate": "2015-04-11T15:24:39Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "A********************",
        "DefaultVersionId": "v1",
        "Path": "/jawsug-cli/",
        "Arn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy",
        "UpdateDate": "2015-04-11T15:31:14Z"
    }
}

2. Changing the default version

2.1. Changing the default version

Check the variables

command
cat << ETX
        IAM_MANAGED_POLICY_ARN: ${IAM_MANAGED_POLICY_ARN}
ETX
result
        IAM_MANAGED_POLICY_ARN: arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy

Change the default version

command
aws iam set-default-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --version-id "v2"
result
(no output)

Check the current state
(Note that DefaultVersionId has changed.)

command
aws iam get-policy --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
{
    "Policy": {
        "PolicyName": "S3_ManagedPolicy",
        "CreateDate": "2015-04-11T15:24:39Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "A********************",
        "DefaultVersionId": "v2",
        "Path": "/jawsug-cli/",
        "Arn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy",
        "UpdateDate": "2015-04-11T15:33:33Z"
    }
}

3. Verifying the behaviour

3.1. Uploading a file

Decide on the name of the file to upload

command
FILE_LOCAL='test03.txt'
result
(no output)

Create the file to upload

command
touch ${FILE_LOCAL}
result
(no output)

Upload the file

command
aws s3 cp ${FILE_LOCAL} s3://${S3_BUCKET_NAME}/
result
upload failed: ./test03.txt to s3://jaws-ug-cli-17-handson/test03.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied

4. Rollback

command
aws iam set-default-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --version-id "v1"
result
(no output)

Check the current state
(Note that DefaultVersionId has been restored to its original value.)

command
aws iam get-policy --policy-arn ${IAM_MANAGED_POLICY_ARN}
result
{
    "Policy": {
        "PolicyName": "S3_ManagedPolicy",
        "CreateDate": "2015-04-11T15:24:39Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "A********************",
        "DefaultVersionId": "v1",
        "Path": "/jawsug-cli/",
        "Arn": "arn:aws:iam::************:policy/jawsug-cli/S3_ManagedPolicy",
        "UpdateDate": "2015-04-11T15:34:57Z"
    }
}

Upload the file

command
aws s3 cp ${FILE_LOCAL} s3://${S3_BUCKET_NAME}/
result
upload: ./test03.txt to s3://jaws-ug-cli-17-handson/test03.txt
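To see why the upload in section 3 failed while v2 was the default and succeeded again after the rollback in section 4, here is an added Python model of the simplified IAM evaluation rule (explicit Deny beats Allow, no match is an implicit deny); it is not part of the original hands-on. It runs against the policy document from step 1.1, and the v1 document is an assumption (a plain Allow on s3:*) because the page never shows it.

```python
import fnmatch
import json

# The policy document written in step 1.1 (it becomes version v2).
POLICY_V2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": ["s3:Put*"], "Resource": "*"}
  ]
}
""")

# Assumed contents of v1 (the page never shows it): a plain Allow on s3:*.
POLICY_V1 = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return [value] if isinstance(value, str) else list(value)

def _action_matches(pattern, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def evaluate(policy, action, resource="*"):
    """Simplified identity-policy evaluation: an explicit Deny always wins,
    otherwise any matching Allow grants access, and no match at all is an
    implicit deny. Condition, NotAction and NotResource are not modelled."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # a later Allow cannot override this
        decision = "Allow"
    return decision

if __name__ == "__main__":
    # PutObject is what `aws s3 cp` calls, so v2 yields the AccessDenied seen above.
    for version, doc in (("v1", POLICY_V1), ("v2", POLICY_V2)):
        for action in ("s3:GetObject", "s3:PutObject", "s3:ListBucket"):
            print(version, action, evaluate(doc, action))
```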

5. (Extra) Confirm that more than five versions cannot be retained

5.1. Updating the policy

Repeat the following command three times to create versions up to the retention limit

command
aws iam create-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --policy-document file://${FILE_NEW_MANAGED_POLICY_DOC}
result
{
    "PolicyVersion": {
        "CreateDate": "2015-03-28T13:06:44.682Z",
        "VersionId": "v3",
        "IsDefaultVersion": false
    }
}
command
aws iam create-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --policy-document file://${FILE_NEW_MANAGED_POLICY_DOC}
result
{
    "PolicyVersion": {
        "CreateDate": "2015-03-28T13:06:44.682Z",
        "VersionId": "v4",
        "IsDefaultVersion": false
    }
}
command
aws iam create-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --policy-document file://${FILE_NEW_MANAGED_POLICY_DOC}
result
{
    "PolicyVersion": {
        "CreateDate": "2015-03-28T13:06:44.682Z",
        "VersionId": "v5",
        "IsDefaultVersion": false
    }
}

Create a policy version beyond the limit

command
aws iam create-policy-version --policy-arn ${IAM_MANAGED_POLICY_ARN} --policy-document file://${FILE_NEW_MANAGED_POLICY_DOC}
result
A client error (LimitExceeded) occurred when calling the CreatePolicyVersion operation: A managed policy can have up to 5 versions. Before you create a new version, you must delete an existing version.
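Once a policy has hit the five-version quota, a non-default version has to be deleted before create-policy-version can succeed again. The following Python helper is an added example, not part of the original hands-on: it works on a constructed listing shaped like `aws iam list-policy-versions` output (the CreateDate values for v3 to v5 are made up) and computes which versions to delete, oldest first, always sparing the default version.

```python
from datetime import datetime

MAX_VERSIONS = 5  # the quota quoted in the LimitExceeded error above

# Constructed sample shaped like `aws iam list-policy-versions` output at the
# point reached in section 5: five versions exist and v1 is still the default.
LIST_POLICY_VERSIONS = {
    "Versions": [
        {"VersionId": "v5", "IsDefaultVersion": False, "CreateDate": "2015-04-11T15:40:10Z"},
        {"VersionId": "v4", "IsDefaultVersion": False, "CreateDate": "2015-04-11T15:39:02Z"},
        {"VersionId": "v3", "IsDefaultVersion": False, "CreateDate": "2015-04-11T15:38:21Z"},
        {"VersionId": "v2", "IsDefaultVersion": False, "CreateDate": "2015-04-11T15:31:14Z"},
        {"VersionId": "v1", "IsDefaultVersion": True,  "CreateDate": "2015-04-11T15:24:39Z"},
    ]
}

def _created(version):
    return datetime.strptime(version["CreateDate"], "%Y-%m-%dT%H:%M:%SZ")

def versions_to_delete(listing, limit=MAX_VERSIONS):
    """VersionIds to delete, oldest first, so that one more version fits.
    The default version is never a candidate: IAM will not delete it, and
    removing it would change which document is in force."""
    versions = listing["Versions"]
    if len(versions) < limit:
        return []                      # there is still a free slot
    candidates = sorted((v for v in versions if not v["IsDefaultVersion"]), key=_created)
    needed = len(versions) - limit + 1
    if needed > len(candidates):
        raise ValueError("not enough non-default versions to free a slot")
    return [v["VersionId"] for v in candidates[:needed]]

def delete_version_commands(policy_arn, listing):
    """The delete-policy-version calls to run, in order, before create-policy-version."""
    return [f"aws iam delete-policy-version --policy-arn {policy_arn} --version-id {vid}"
            for vid in versions_to_delete(listing)]

if __name__ == "__main__":
    for cmd in delete_version_commands("${IAM_MANAGED_POLICY_ARN}", LIST_POLICY_VERSIONS):
        print(cmd)
```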

6. (Extra) Confirm that a group cannot have three or more managed policies attached

6.1. Attaching AWS managed policies

command
AWS_Managed_Policy_ARN_1='arn:aws:iam::aws:policy/AmazonEC2ReportsAccess'
AWS_Managed_Policy_ARN_2='arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess'

Attach the second policy

command
aws iam attach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${AWS_Managed_Policy_ARN_1}
result
(no output)

Attach the third policy

command
aws iam attach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${AWS_Managed_Policy_ARN_2}
result
A client error (LimitExceeded) occurred when calling the AttachGroupPolicy operation: Cannot exceed quota for PoliciesPerGroup: 2

Detach the second policy

command
aws iam detach-group-policy --group-name ${IAM_GROUP_NAME} --policy-arn ${AWS_Managed_Policy_ARN_1}
result
(no output)