跳转至

panlm

iam

panlm/panlm.github.io

iam cmd¶

get role arn by name¶

aws iam get-role --role-name ${role_name} --query 'Role.Arn' --output text

get policy arn¶

aws iam list-policies --query 'Policies[*].[PolicyName,Arn]' --output text |grep CloudWatchAgentServerPolicy
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy

create user¶

aws iam create-user --user-name cwagent-onprem
# attach user policy
aws iam attach-user-policy --user-name cwagent-onprem --policy-arn arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
# create access key, save the output
aws iam create-access-key --user-name cwagent-onprem

attach role policy¶

../../others/file-storage-gateway-lab

create role¶

func-ec2-admin-role-create-¶

create admin role for ec2 and ecs

func-ec2-admin-role-create

# no dependency variable
# output ROLE_ARN / INSTANCE_PROFILE_ARN
function ec2-admin-role-create () {
    ROLE_NAME=ec2-admin-role-$(TZ=CST-8 date +%Y%m%d-%H%M)
    local TMP=$(mktemp --suffix .${ROLE_NAME})
    cat >${TMP} <<-EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com", "ecs.amazonaws.com"]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
EOF
    aws iam create-role --role-name ${ROLE_NAME} \
        --assume-role-policy-document file://${TMP} |tee ${TMP}.out.role
    aws iam attach-role-policy --role-name ${ROLE_NAME} \
        --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
    aws iam create-instance-profile --instance-profile-name ${ROLE_NAME} |tee ${TMP}.out.instance-profile
    aws iam add-role-to-instance-profile --instance-profile-name ${ROLE_NAME} \
        --role-name ${ROLE_NAME}
    ROLE_ARN=$(cat ${TMP}.out.role |jq -r '.Role.Arn')
    INSTANCE_PROFILE_ARN=$(cat ${TMP}.out.instance-profile |jq -r '.InstanceProfile.Arn')
    echo "INSTANCE_PROFILE_ARN="${INSTANCE_PROFILE_ARN}
}

create role for firehose¶

../../EKS/solutions/logging/stream-k8s-control-panel-logs-to-s3

create role for api gateway¶

apigw-cmd

create role for account¶

../linux/granted-assume

create service-linked role¶

aws iam create-service-linked-role --aws-service-name SERVICE-NAME.amazonaws.com

assume-another-role-¶

account_id=$(aws sts get-caller-identity \
  --query 'Account' --output text)
role_arn=arn:aws:iam::${account_id}:role/eksworkshop-admin
tmp_file=/tmp/$$.1

aws sts assume-role --role-arn ${role_arn} \
  --duration-seconds 43200 \
  --role-session-name Session-$RANDOM |tee ${tmp_file}

export AWS_ACCESS_KEY_ID=$(cat ${tmp_file} |jq -r '.Credentials.AccessKeyId' )
export AWS_SECRET_ACCESS_KEY=$(cat ${tmp_file} |jq -r '.Credentials.SecretAccessKey' )
export AWS_SESSION_TOKEN=$(cat ${tmp_file} |jq -r '.Credentials.SessionToken' )
export AWS_DEFAULT_REGION=$(curl -s 169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region')

assume in credentials file¶

https://docs.aws.amazon.com/sdkref/latest/guide/feature-assume-role-credentials.html

[profile A]
source_profile = B
role_arn =  arn:aws:iam::123456789012:role/RoleA

[profile B]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

reference¶