Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to AWS CLIでAssumeRole
Similar to AWS CLIでAssumeRole (20)
More from Tetsunori Nishizawa
More from Tetsunori Nishizawa (8)
Recently uploaded
Recently uploaded (9)
AWS CLIでAssumeRole
- 4. Temporary Security Credentialの種類 種別 説明 権限 GetSessionToken 自身の権限で一時認証 自身の権限と同じ クロスアカウント不可 MFA利用可 GetFederationToken 信頼ユーザで一時認証 自身の権限内で規定 クロスアカウント不可 MFA利用不可 AssumeRole IAMロールとマッピング IAMロールで規定 クロスアカウント可 MFA利用可 (参考)http://docs.aws.amazon.com/ja_jp/STS/latest/UsingSTS/Welcome.html#AccessingSTS
- 5. Temporary Security Credentialの取得 Security Token Service(STS)から取得 取得したTokenは有効期限が切れるまで無効 化できない(STSはTokenを払い出すところ だけやる) (参考)http://docs.aws.amazon.com/ja_jp/STS/latest/UsingSTS/DisablingTokenPermissions.html
- 9. AWS CLIでGetSessionToken (コマンド) $ aws sts get-session-token (結果) { "Credentials": { "SecretAccessKey": "yyyyyyyy", "SessionToken": "zzzzzzzzzzzz", "Expiration": "2015-05-25T19:00:00Z", "AccessKeyId": "xxxx" } } ※KeyやTokenは実際にはもっと長い
- 11. 期限付き認証の使い方 取得した期限付き認証を使いたい人に渡す 環境変数で指定 export AWS_ACCESS_KEY_ID=xxxx export AWS_SECRET_ACCESS_KEY=yyyyyyyy export AWS_SESSION_TOKEN=zzzzzzzzzzzz configファイルで指定も可能 [profile temp-profile] aws_access_key_id=xxxx aws_secret_access_key=yyyyyyyy aws_session_token=zzzzzzzzzzzz ※credentialに記載の場合は"profile"は不要 (参考)http://docs.aws.amazon.com/ja_jp/cli/latest/userguide/cli-chap-getting-started.html
- 12. (蛇足)期限付き認証ワンライナー aws sts get-session-token ¦ awk ' $1 == ""AccessKeyId":" { gsub(/"/,""); gsub(/,/,""); print "export AWS_ACCESS_KEY_ID="$2 } $1 == ""SecretAccessKey":" { gsub(/"/,""); gsub(/,/,""); print "export AWS_SECRET_ACCESS_KEY="$2 } $1 == ""SessionToken":" { gsub(/"/,""); gsub(/,/,""); print "export AWS_SESSION_TOKEN="$2 } '
- 17. AWS CLIでGetFederationToken (コマンド) $ FED_USER=feduser $ POLICY_FILE=policy.json $ aws sts get-federation-token --name ${FED_USER} --policy file://./${POLICY_FILE} ポリシーを定義したjson は事前に作成しておく
- 18. (結果) { "FederatedUser": { "FederatedUserId": "111122223333:feduser", "Arn": "arn:aws:sts::111122223333:federated-user/feduser" }, "Credentials": { "SecretAccessKey": "yyyyyyyy", "SessionToken": "zzzzzzzzzzzz", "Expiration": "2015-05-22T00:41:22Z", "AccessKeyId": "xxxx" }, "PackedPolicySize": 5 } ※KeyやTokenは実際にはもっと長い
- 22. AssumeRole
- 23. AssumeRoleのイメージ STSにIAM ロールを要求 Tokenと一緒 にIAMロール 権限を付与 Trusted Entity Assumed Role Assumed Roleは元のTrusted Entityとは別人 arn:aws:iam::111122223333:user/ IAM-User-AssumeTest arn:aws:sts::222233334444:assumed-role/ IAM-Role-AssumeTest/AssumeTest-Session
- 25. IAMロールのポイント IAMロールは、Role Policyと AssumeRolePolicyDocument(Trust Relationship)の2要素で構成される AssumeRolePolicyDocumentで許可された Trusted Entityと組み合わせてRole Policy権 限で動作する
- 27. Principal設定例 "Principal": {"AWS": "111122223333"} "Principal": {"AWS": "arn:aws:iam::111122223333:root"} "Principal": {"AWS": "arn:aws:iam::111122223333:user/iam-user"} "Principal": {"AWS": "arn:aws:iam::111122223333:role/iam-role"} "Principal": {"Service": "ec2.amazonaws.com"} "Principal": {"Federated": "www.amazon.com"} (参考)http://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Principal
- 30. AssumeRolePolicyDocumentの設定例 { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/IAM-User-AssumeTest" }, "Action": "sts:AssumeRole" } ] } ExternalId(ユニークなキー)やMFA必須も設定可能 "Condition": { "StringEquals": { "sts:ExternalId": "TestExternalId" }, "Bool": { "aws:MultiFactorAuthPresent": true } }
- 31. AssumeRoleする側の設定例 $ IAM_USER_NAME=IAM-User-AssumeTest $ aws iam get-account-authorization-details --filter User --query "UserDetailList[?UserName==`${IAM_USER_NAME}`]" [ { "UserName": "IAM-User-AssumeTest", "GroupList": [], "CreateDate": "2015-05-13T01:12:40Z", "UserId": "AIDAIN5BGYGE4BGFZ6ZL6", "Path": "/", "AttachedManagedPolicies": [ { "PolicyName": "BeforeAssumeRole-Policy", "PolicyArn": "arn:aws:iam::111122223333:policy/BeforeAssumeRole-Policy" } ], "Arn": "arn:aws:iam::111122223333:user/IAM-User-AssumeTest" } ] 一応ManagedPolicyを 使ってみた
- 32. $ ATTACHED_USER_POLICY_NAME=`aws iam list-attached-user-policies --user-name ${IAM_USER_NAME} --query "AttachedPolicies[0].PolicyName" --output text` $ aws iam get-account-authorization-details --filter LocalManagedPolicy --query "Policies[?PolicyName==`${ATTACHED_USER_POLICY_NAME}`]" [ { "PolicyName": "BeforeAssumeRole-Policy", "CreateDate": "2015-05-14T03:03:33Z", "AttachmentCount": 1, "IsAttachable": true, "PolicyId": "ANPAJOUZGMVOPZZI3FLDW", "DefaultVersionId": "v1", "PolicyVersionList": [ { "CreateDate": "2015-05-14T03:03:33Z", "VersionId": "v1", "Document": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::222233334444:role/IAM-Role-AssumeTest", "Effect": "Allow" } ] }, "IsDefaultVersion": true } ], "Path": "/", "Arn": "arn:aws:iam::111122223333:policy/BeforeAssumeRole-Policy", "UpdateDate": "2015-05-14T03:03:33Z" } ] AssumeRoleする権限のみ付与 { "Action": "sts: AssumeRole", "Resource": "arn:aws:iam::222233334444:role/ IAM-Role-AssumeTest", "Effect": "Allow" }
- 33. AssumeRoleされる側の設定例 $ IAM_ROLE_NAME=IAM-Role-AssumeTest $ aws iam get-account-authorization-details --filter Role --query "RoleDetailList[?RoleName==`${IAM_ROLE_NAME}`]" [ { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Principal": { "AWS": "arn:aws:iam::111122223333:user/IAM-User-AssumeTest" }, "Effect": "Allow", "Sid": "" } ] }, "RoleId": "AROAJAF2IVAI6NIZZ3X34", "CreateDate": "2015-05-14T04:07:58Z", "InstanceProfileList": [], "RoleName": "IAM-Role-AssumeTest", "Path": "/", "AttachedManagedPolicies": [ { "PolicyName": "AfterAssumeRole-Policy", "PolicyArn": "arn:aws:iam::222233334444:policy/AfterAssumeRole-Policy" } ], "RolePolicyList": [], "Arn": "arn:aws:iam::222233334444:role/IAM-Role-AssumeTest" } ] 前述の AssumeRolePolicyDocument 一応ManagedPolicyを 使ってみた
- 34. $ ATTACHED_ROLE_POLICY_NAME=`aws iam list-attached-role-policies --role-name ${IAM_ROLE_NAME} --query "AttachedPolicies[0].PolicyName" --output text` $ aws iam get-account-authorization-details --filter LocalManagedPolicy --query "Policies[?PolicyName==`${ATTACHED_ROLE_POLICY_NAME}`]" [ { "PolicyName": "AfterAssumeRole-Policy", "CreateDate": "2015-05-14T04:10:33Z", "AttachmentCount": 2, "IsAttachable": true, "PolicyId": "ANPAJTNO5P4GDC4GTFPC2", "DefaultVersionId": "v1", "PolicyVersionList": [ { "CreateDate": "2015-05-14T04:10:33Z", "VersionId": "v1", "Document": { "Version": "2012-10-17", "Statement": [ { "Action": "s3:*", "Resource": "*", "Effect": "Allow" } ] }, "IsDefaultVersion": true } ], "Path": "/", "Arn": "arn:aws:iam::222233334444:policy/AfterAssumeRole-Policy", "UpdateDate": "2015-05-14T04:10:33Z" } ] S3フルアクセス権限のみ付与する例 { "Action": "s3:*", "Resource": "*", "Effect": "Allow" }
- 35. AWS CLIでassume-role (コマンド) $ AWS_ID=222233334444 $ IAM_ROLE_NAME=IAM-Role-AssumeTest $ IAM_ROLE_ARN=arn:aws:iam::${AWS_ID}:role/${IAM_ROLE_NAME} $ ROLE_SESSION_NAME=AssumeTest-Session $ aws sts assume-role --role-arn ${IAM_ROLE_ARN} --role-session-name ${ROLE_SESSION_NAME} 任意のセッション名
- 36. (結果) { "AssumedRoleUser": { "AssumedRoleId": "AROAJAF2IVAI6NIZZ3X34:AssumeTest-Session", "Arn": "arn:aws:sts::222233334444:assumed-role/IAM-Role-AssumeTest/AssumeTest-Session" }, "Credentials": { "SecretAccessKey": yyyyyyyy", "SessionToken": "zzzzzzzzzzzz", "Expiration": "2015-05-25T19:00:00Z", "AccessKeyId": "xxxx" } }
- 39. (補足2)configファイル利用で 簡単にAssumeRole [profile assumed] role_arn = arn:aws:iam::222233334444:role/IAM-Role-AssumeTest source_profile = IAM-User-AssumeTest 上記設定で、Assumed Roleがprofileの1つ(--profile)として利用できる source_profileを指定する場合は、事前設定が必要 期限が切れても自動更新されるのでセキュリティに要注意 (参考)http://dev.classmethod.jp/cloud/aws/aws-cli-supports-assume-role-credentials-provider-and-mfa/
- 40. (補足3)Mangement Consoleでも AssumeRole(Switch Role) 元アカウントでManagement Consoleログインできる状 態で前述の設定をすると、Mangement Consoleでも Switch Roleできてしまう セキュリティに要注意 (参考)http://dev.classmethod.jp/cloud/aws/switching-to-a-iam-role/
- 42. (補足4) EC2インスタンスプロファイルも実装は同じ $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2RoleTest { "Code" : "Success", "LastUpdated" : "2015-05-14T09:36:35Z", "Type" : "AWS-HMAC", "AccessKeyId" : "xxxx", "SecretAccessKey" : "yyyyyyyy", "Token" : "zzzzzzzzzzzz", "Expiration" : "2015-05-14T16:00:15Z" } CLIでIAMロールを作成する場合、Instance Profileは別途作成、ロールへの割当 が必要な点に注意 $ aws iam create-instance-profile --instance-profile-name ${INSTANCE_PROFILE_NAME} $ aws iam add-role-to-instance-profile --role-name ${IAM_ROLE_NAME} --instance-profile-name ${INSTANCE_PROFILE_NAME}
- 43. (補足5)期限付き認証で Mangement Consoleログインも可能 Assumed RoleとFederated User用にURLを作成して、 AWS Management Consoleにログインすることも可能 (参考)http://docs.aws.amazon.com/ja_jp/STS/latest/UsingSTS/STSMgmtConsole-manualURL.html (参考)http://www.infilic.co.jp/tech/?p=597