Hands-on (Simplified Edition): Introduction to Cloud9 (AWS CLI Environment)

Preliminary Task 2.5. Creating the IAM Policy Document (CloudShell: handson-Cloud9EnvironmentOwner-policy)

Purpose of This Procedure

Create the policy document for the IAM policy "LogsStreamWrite".

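Specifying the Setting Values

Store the setting values required for this procedure in variables.

1. Policy document directory name

Specify the name of the directory for policy documents.

Set the variable: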

DIR_IAM_POLICY_DOC="${HOME}/conf-handson-cloud9"

Confirm that the directory exists, and create it if it does not.

Command:

ls -d ${DIR_IAM_POLICY_DOC} > /dev/null 2>&1 \
  || mkdir -p ${DIR_IAM_POLICY_DOC}

Result (example):

(no output)

2. IAM policy document name

Specify the IAM policy document name.

Set the variable:

IAM_POLICY_DOC_NAME='handson-Cloud9EnvironmentOwner-policy'

Set the variable:

FILE_IAM_POLICY_DOC="${DIR_IAM_POLICY_DOC}/${IAM_POLICY_DOC_NAME}.json" \
  && echo ${FILE_IAM_POLICY_DOC}

Result (example):

${HOME}/conf-handson-cloud9/handson-Cloud9EnvironmentOwner-policy.json

3. Cloud9 environment name prefix

Specify the Cloud9 environment name prefix.

Set the variable:

CLOUD9_ENVIRONMENT_NAME_PREFIX='handson'

4. IAM role name

Specify the IAM role name.

Set the variable:

IAM_ROLE_NAME='handson-cloud9-environment-role'

Verifying the Setting Values

Confirm that each variable holds the correct setting value.

Check the variables:

cat << END

  # 0. AWS_DEFAULT_REGION:"ap-northeast-1"
       AWS_DEFAULT_REGION="${AWS_DEFAULT_REGION}"

  # 1. DIR_IAM_POLICY_DOC:"${HOME}/conf-handson-cloud9"
       DIR_IAM_POLICY_DOC="${DIR_IAM_POLICY_DOC}"
  # 2. IAM_POLICY_DOC_NAME:"handson-Cloud9EnvironmentOwner-policy"
       IAM_POLICY_DOC_NAME="${IAM_POLICY_DOC_NAME}"
  # 3. CLOUD9_ENVIRONMENT_NAME_PREFIX:"handson"
       CLOUD9_ENVIRONMENT_NAME_PREFIX="${CLOUD9_ENVIRONMENT_NAME_PREFIX}"
  # 4. IAM_ROLE_NAME:"handson-cloud9-environment-role"
       IAM_ROLE_NAME="${IAM_ROLE_NAME}"

END

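If the variable on the lower line is empty, or does not hold a value equivalent to the one shown on the upper line, go back to the corresponding step number and set the variable.

Running the Procedure

Get the ARN of the IAM role.

Command: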

iam_role_arn=$( \
  aws iam get-role \
    --role-name ${IAM_ROLE_NAME} \
    --query 'Role.Arn' \
    --output text \
) \
  && echo ${iam_role_arn}

Result (example):

arn:aws:iam::XXXXXXXXXXXX:role/handson-cloud9/handson-cloud9-environment-role

Create the IAM policy document.

Check the variables:

cat << END

  # FILE_IAM_POLICY_DOC:"${HOME}/conf-handson-cloud9/handson-Cloud9EnvironmentOwner-policy.json"
    FILE_IAM_POLICY_DOC="${FILE_IAM_POLICY_DOC}"
  # CLOUD9_ENVIRONMENT_NAME_PREFIX:"handson"
    CLOUD9_ENVIRONMENT_NAME_PREFIX="${CLOUD9_ENVIRONMENT_NAME_PREFIX}"
  # iam_role_arn:"arn:aws:iam::XXXXXXXXXXXX:role/handson-cloud9/handson-cloud9-environment-role"
    iam_role_arn="${iam_role_arn}"

END

Command:

cat << EOF > ${FILE_IAM_POLICY_DOC}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:ValidateEnvironmentName",
                "cloud9:UpdateUserSettings",
                "cloud9:GetUserSettings",
                "iam:GetUser",
                "iam:ListUsers",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:CreateEnvironmentEC2",
                "cloud9:DeleteEnvironment"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "cloud9:EnvironmentName": "${CLOUD9_ENVIRONMENT_NAME_PREFIX}-*",
                    "cloud9:InstanceType": [
                        "t2.*",
                        "t3.*",
                        "t3a.*",
                        "t4g.*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:GetUserPublicKey"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "cloud9:UserArn": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "cloud9:DescribeEnvironmentMemberships",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "cloud9:UserArn": "true",
                    "cloud9:EnvironmentId": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "cloud9.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "aws-cloud9-${CLOUD9_ENVIRONMENT_NAME_PREFIX}-*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
              "ec2:RebootInstances",
              "ec2:StopInstances",
              "ec2:StartInstances",
              "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "aws-cloud9-${CLOUD9_ENVIRONMENT_NAME_PREFIX}-*"
                }
            }
        },
        {
            "Action": "iam:ListInstanceProfiles",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "${iam_role_arn}"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*"
            ]
        }
    ]
}
EOF

cat ${FILE_IAM_POLICY_DOC}

Result (example):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:ValidateEnvironmentName",
                "cloud9:UpdateUserSettings",
                "cloud9:GetUserSettings",
                "iam:GetUser",
                "iam:ListUsers",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeSubnets",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:CreateEnvironmentEC2",
                "cloud9:DeleteEnvironment"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "cloud9:EnvironmentName": "handson-*",
                    "cloud9:InstanceType": [
                        "t2.*",
                        "t3.*",
                        "t3a.*",
                        "t4g.*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloud9:GetUserPublicKey"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "cloud9:UserArn": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "cloud9:DescribeEnvironmentMemberships",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "cloud9:UserArn": "true",
                    "cloud9:EnvironmentId": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "cloud9.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DisassociateIamInstanceProfile",
                "ec2:AssociateIamInstanceProfile"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "aws-cloud9-handson-*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
              "ec2:RebootInstances",
              "ec2:StopInstances",
              "ec2:StartInstances",
              "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "aws-cloud9-handson-*"
                }
            }
        },
        {
            "Action": "iam:ListInstanceProfiles",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:instance-profile/*"
            ]
        },
        {
            "Action": "iam:PassRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::XXXXXXXXXXXX:role/handson-cloud9/handson-cloud9-environment-role"
            ],
            "Condition": {
                "StringLike": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:document/*"
            ]
        }
    ]
}

After creating the JSON file, always check that its format is not broken.

Command:

cat ${FILE_IAM_POLICY_DOC} \
  |  python3 -m json.tool \
  > /dev/null

Result (example):

(no output)

Note

If no error is output, the file is OK.
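
The json.tool check above confirms only that the file is syntactically valid JSON; a heredoc written while CLOUD9_ENVIRONMENT_NAME_PREFIX or iam_role_arn was empty still passes it. The following is an added example, not part of the original procedure, that checks the rendered scoping values instead. The names lint_policy, render and ROLE_ARN, and the trimmed three-statement sample, are constructed for illustration.

```python
import json

# Placeholder ARN as shown in the procedure's example output.
ROLE_ARN = "arn:aws:iam::XXXXXXXXXXXX:role/handson-cloud9/handson-cloud9-environment-role"

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text, prefix, role_arn):
    """Return findings for a rendered policy; an empty list means it passed."""
    findings = []
    expected = {"cloud9:EnvironmentName": f"{prefix}-*",
                "ec2:ResourceTag/Name": f"aws-cloud9-{prefix}-*"}
    for i, st in enumerate(as_list(json.loads(text)["Statement"])):
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        cond = st.get("Condition", {})
        # Flatten {operator: {key: value}} into {key: [values]}.
        keys = {k: as_list(v) for op in cond.values() for k, v in op.items()}
        for key, want in expected.items():
            if key in keys and keys[key] != [want]:
                findings.append(f"Statement[{i}]: {key}={keys[key]}, expected {want}")
        if "iam:PassRole" in actions:
            if resources != [role_arn]:
                findings.append(f"Statement[{i}]: iam:PassRole not pinned to role ARN")
            if "iam:PassedToService" not in keys:
                findings.append(f"Statement[{i}]: iam:PassRole lacks iam:PassedToService")
        # State-changing EC2 calls must be narrowed by a Condition.
        mutating = [a for a in actions
                    if a.startswith("ec2:") and not a.startswith("ec2:Describe")]
        if mutating and not cond:
            findings.append(f"Statement[{i}]: {mutating} allowed without a Condition")
    return findings

def render(prefix, role_arn):
    """Constructed, trimmed copy of three statements from the policy above."""
    tag = {"StringLike": {"ec2:ResourceTag/Name": f"aws-cloud9-{prefix}-*"}}
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["cloud9:CreateEnvironmentEC2"], "Resource": "*",
         "Condition": {"StringLike": {"cloud9:EnvironmentName": f"{prefix}-*"}}},
        {"Effect": "Allow", "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": tag},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": [role_arn],
         "Condition": {"StringLike": {"iam:PassedToService": ["ec2.amazonaws.com"]}}}]})

if __name__ == "__main__":
    # Second call simulates a heredoc written while both variables were empty.
    print(lint_policy(render("handson", ROLE_ARN), "handson", ROLE_ARN))
    for finding in lint_policy(render("", ""), "handson", ROLE_ARN):
        print(finding)
```

To check the real file, pass its contents to lint_policy together with the values of CLOUD9_ENVIRONMENT_NAME_PREFIX and iam_role_arn.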

Completion Check

Confirm that the IAM policy document "${HOME}/conf-handson-cloud9/handson-Cloud9EnvironmentOwner-policy.json" exists.

Command:

ls ${FILE_IAM_POLICY_DOC}

Result (example):

${HOME}/conf-handson-cloud9/handson-Cloud9EnvironmentOwner-policy.json

Procedure complete