IAMのはじめかた

(@junya) Thursday, October 28, 2010

http://twitter.com/#!/KenTamagawa/status/25887602080 Thursday, October 28, 2010

http://aws.amazon.com/iam/ Thursday, October 28, 2010

Thursday, October 28, 2010

$ unzip IAMCli.zip $ export JAVA_HOME=/path/to/java_home $ export AWS_IAM_HOME=/path/to/IAMCli-1.1.0 $ export PATH=$AWS_IAM_HOME/bin:$PATH $ echo 'AWSAccessKeyId=***' > account-key $ echo 'AWSSecretKey=***' >> account-key $ chmod 600 account-key $ export AWS_CREDENTIAL_FILE=account-key Thursday, October 28, 2010

$ iam-usercreate -u bob -k AKIAEEX5JT45QCZA7MSO Jp7hKRgZ+GPEoVRrdvuufYh4D23GnQLTPvthvHbN $ iam-userlistbypath arn:aws:iam::111122223333:user/bob Thursday, October 28, 2010

$ openssl genrsa -out bob.pk.pem 1024 $ openssl req -new -x509 -out bob.cert.pem -key bob.pk.pem -days 365 $ iam-useraddcert -f bob.cert.pem -u bob $ iam-userlistcerts -u bob NDUQVOYX6OVFIXGS2VERXMGNRDWE6PU4 Active Thursday, October 28, 2010

bob@ $ ec2-describe-instances Client.UnauthorizedOperation: You are not authorized to perform this operation. Thursday, October 28, 2010

$ iam-useraddpolicy -u bob -p Bob_Instance_Policy -e Allow -a ec2:DescribeInstances -a ec2:StartInstances -a ec2:StopInstances -r '*' Thursday, October 28, 2010

$ iam-userlistpolicies -u bob -p Bob_Instance_Policy {"Version":"2008-10-17","Statement": [{"Effect":"Allow","Action": ["ec2:DescribeInstances","ec2:StartInst ances","ec2:StopInstances"],"Resource": ["*"]}]} Thursday, October 28, 2010

bob@ $ ec2-describe-instances ( ) bob@ $ ec2-terminate-instances i-00000001 Client.UnauthorizedOperation: You are not authorized to perform this operation. Thursday, October 28, 2010

$ vi policy.json { "Statement": [ { "Effect": "Allow", "Action": "ec2:*", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": [ "10.1.2.0/24", "10.1.3.0/24" ] } } } ] } Thursday, October 28, 2010

$ iam-useruploadpolicy -u bob -p Bob_Instance_Policy -f policy.json http://www.jsonlint.com/ Thursday, October 28, 2010

bob@other $ ec2-describe-instances Client.UnauthorizedOperation: You are not authorized to perform this operation. Thursday, October 28, 2010

{ "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": ["arn:aws:s3:::GeneratedPDF"] } ] } Thursday, October 28, 2010

$ iam-userlistkeys -u bob AKIAEEX5JT45QCZA7MSO Active $ iam-usermodkey -u bob -k AKIAEEX5JT45QCZA7MSO -s Inactive $ iam-userlistkeys -u bob AKIAEEX5JT45QCZA7MSO Inactive Thursday, October 28, 2010

IAM YES YES EC2 YES RDS YES S3 YES YES SimpleDB YES YES SNS YES YES SQS YES VPC YES Auto Scaling YES ELB YES Thursday, October 28, 2010

CLI - AWS Identity and Access Management http://docs.amazonwebservices.com/IAM/latest/CLIReference/Commands.html - AWS IAM Getting Started Guide http://docs.amazonwebservices.com/IAM/latest/GettingStartedGuide/ - Working with Users and Groups http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html? Using_WorkingWithGroupsAndUsers.html - Working with Users and Groups http://docs.amazonwebservices.com/IAM/latest/UserGuide/ExampleIAMPolicies.html EC2 - Working with Users and Groups http://docs.amazonwebservices.com/IAM/latest/UserGuide/UsingWithEC2.html Thursday, October 28, 2010

http://slidesha.re/bxNw4E Cloudworks http://cloudworks.jp/ Thursday, October 28, 2010

http://blog.dateofrock.com	1716
http://aws.typepad.com	636
http://www.cloudworks.jp	135
http://webcache.googleusercontent.com	44
http://journal.sooey.com	18
http://coderwall.com	10
http://mqbrokeraccess.appspot.com	5
http://s.deeeki.com	3
http://www.typepad.com	2
url_unknown	2
https://cybozulive.com	1
http://aws.typepad.com.14feb-youth.com	1
http://aws.typepad.com.14feb-youth.com	1
http://feeds.feedburner.com	1

IAMのはじめかた

by Junya Ogura on Oct 28, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

14 Embeds 2,575

Statistics

IAMのはじめかた — Presentation Transcript