1. Create role → AWS service → EC2
Role name: test-AssumeRole-for-tester
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": [
          "ec2.amazonaws.com"
        ]
      }
    }
  ]
}
$ aws --profile assume-ec2-fullaccess-user ec2 describe-instances
2. Target user → Add inline policy →
Select service → STS
Add actions → assume → AssumeRole
Resources → role → Add ARN → arn:aws:iam::99999999999:role/test-AssumeRole-for-tester → Add
Policy name: test-inline-AssumeRole-tester → Create policy
3. Change the role's trusted entity from the EC2 service to an AWS account (the tester IAM user)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::999999999999999:user/tester"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
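Steps 2 and 3 set up the two sides of an AssumeRole grant: the role's trust policy says who may assume it, and the user's inline policy says which role the user may call sts:AssumeRole on. The following script is an added example, not part of the post, that evaluates both policies offline against a caller ARN and also flags trust-policy principals that widen who can assume the role ("*" or an account root, which delegates to every principal in that account). It is a simplified model of IAM evaluation (Allow/Deny on Action, Resource and Principal only; no conditions) and it requires both grants, which is what the post configures. The trust policy JSON is the page's; the inline policy JSON is an assumed reconstruction of the console steps in step 2, using the page's action and role ARN (account IDs are masked as on the page).

```python
import json

# Trust policy from step 3 of the post (who may call sts:AssumeRole on the role).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999999999999999:user/tester"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Assumed reconstruction of the inline policy created in step 2
# (sts:AssumeRole on the role ARN the post adds as the resource).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::99999999999:role/test-AssumeRole-for-tester",
    }],
}

TESTER = "arn:aws:iam::999999999999999:user/tester"
ROLE = "arn:aws:iam::99999999999:role/test-AssumeRole-for-tester"


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _action_matches(stmt):
    return any(a in ("*", "sts:*", "sts:AssumeRole") for a in _as_list(stmt.get("Action")))


def _principal_matches(principal, caller_arn):
    """Exact ARN, '*' or the caller's account root all match the caller."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    for arn in _as_list(principal.get("AWS")):
        if arn in ("*", caller_arn):
            return True
        if arn.endswith(":root") and _account_of(arn) == _account_of(caller_arn):
            return True
    return False


def _decide(statements, matcher):
    """Explicit Deny wins over Allow; no matching statement means implicit deny."""
    allowed = False
    for stmt in statements:
        if not _action_matches(stmt) or not matcher(stmt):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_policy_allows(trust_policy, caller_arn):
    """Does the role's trust policy let caller_arn call sts:AssumeRole?"""
    stmts = _as_list(trust_policy.get("Statement"))
    return _decide(stmts, lambda s: _principal_matches(s.get("Principal"), caller_arn))


def identity_policy_allows(identity_policy, role_arn):
    """Does the caller's own policy let it call sts:AssumeRole on role_arn?"""
    stmts = _as_list(identity_policy.get("Statement"))
    return _decide(stmts, lambda s: any(r in ("*", role_arn) for r in _as_list(s.get("Resource"))))


def can_assume(trust_policy, identity_policy, caller_arn, role_arn):
    """Simplified model: both the trust policy and the identity policy must grant."""
    return trust_policy_allows(trust_policy, caller_arn) and identity_policy_allows(identity_policy, role_arn)


def overbroad_principals(trust_policy):
    """Trust-policy principals that are wider than a single user or role ARN."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _action_matches(stmt):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.append("*")
        elif isinstance(principal, dict):
            found.extend(a for a in _as_list(principal.get("AWS")) if a == "*" or a.endswith(":root"))
    return found


if __name__ == "__main__":
    print("tester can assume:", can_assume(TRUST_POLICY, IDENTITY_POLICY, TESTER, ROLE))
    print("over-broad principals:", overbroad_principals(TRUST_POLICY))
```

Running it against the post's policies reports that tester can assume the role and that no over-broad principal is present; swapping the trust-policy principal for the account root would make the second check name it, which is the case where the user-side sts:AssumeRole grant becomes the only thing limiting who in the account can assume the role.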
$ aws sts assume-role --role-arn arn:aws:iam::999999999999:role/test-assume-role-s3FullAccess --role-session-name s3accessSitai --duration-seconds 900 --profile tester
$ vi .aws/config
[default]
output = json
region = ap-northeast-1
[profile tester]
output = json
region = ap-northeast-1
[profile s3-full-access-man]
output = json
region = ap-northeast-1
$ vi .aws/credentials
[s3-full-access-man]
aws_access_key_id = xxxxxx
aws_secret_access_key = yyyyyyy
aws_session_token = zzzzzzzz
$ aws --profile tester s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
$ aws --profile assume-s3-fullaccess-user s3 ls
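The `aws sts assume-role` call returns temporary credentials that the post then copies by hand into a profile in `.aws/credentials` (all three values, including `aws_session_token`, are needed). The script below is an added example, not part of the post, that does that copying step: it takes the response JSON, writes the profile section without disturbing other profiles in the file, and reports how long the session has left so an expired session is not mistaken for a permissions problem. The response shown is a constructed sample in the shape of the STS AssumeRole output; the profile name `s3-full-access-man` is the one from the post.

```python
import configparser
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws sts assume-role` output (not a real credential).
SAMPLE_RESPONSE = json.loads("""{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "examplesecretkeyexamplesecretkeyexample",
    "SessionToken": "exampletoken.exampletoken.exampletoken",
    "Expiration": "2024-01-01T12:15:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEEXAMPLE:s3accessSitai",
    "Arn": "arn:aws:sts::999999999999:assumed-role/test-assume-role-s3FullAccess/s3accessSitai"
  }
}""")

# Mapping from STS response fields to the keys the AWS CLI reads from .aws/credentials.
KEY_MAP = {
    "AccessKeyId": "aws_access_key_id",
    "SecretAccessKey": "aws_secret_access_key",
    "SessionToken": "aws_session_token",
}


def profile_from_response(response):
    """Turn the Credentials block into the three credentials-file keys."""
    creds = response["Credentials"]
    return {file_key: creds[sts_key] for sts_key, file_key in KEY_MAP.items()}


def write_session_profile(response, profile_name, credentials_path):
    """Write/replace one profile section, keeping every other section in the file."""
    config = configparser.ConfigParser()
    config.read(credentials_path)  # silently starts empty if the file does not exist yet
    config[profile_name] = profile_from_response(response)
    with open(credentials_path, "w") as fh:
        config.write(fh)
    return dict(config[profile_name])


def seconds_remaining(response, now=None):
    """Seconds until the session token expires (negative once it has expired)."""
    expiry = datetime.fromisoformat(response["Credentials"]["Expiration"])
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds()


if __name__ == "__main__":
    import os
    import tempfile

    path = os.path.join(tempfile.mkdtemp(), "credentials")
    written = write_session_profile(SAMPLE_RESPONSE, "s3-full-access-man", path)
    print("wrote profile keys:", sorted(written))
    print("seconds remaining:", seconds_remaining(SAMPLE_RESPONSE))
```

With a real response piped in, the resulting section is the same shape the post creates by hand, and `aws --profile s3-full-access-man s3 ls` uses it until the expiry returned by STS (900 seconds after the call in the post's command).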