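# -*- coding: utf-8 -*-
# frozen_string_literal: true
#
# STS動作確認サンプルその2 (STS check, sample 2)
# 要 AWS SDK for Ruby V3
#
# Reads long-lived IAM user keys from config.yml, lists EC2 instances with
# them, then assumes S3_ReadOnly_Role via STS and uses only the short-lived
# credentials for the S3 calls.
require 'aws-sdk-core'
require 'aws-sdk-ec2'
require 'aws-sdk-s3'
require 'yaml'
require 'pp'

# safe_load: config.yml only needs plain strings, so refuse YAML tags that
# could instantiate arbitrary objects (YAML.load allows them on Psych < 4).
config = YAML.safe_load(File.read('config.yml'))
# fetch raises on a missing key instead of handing nil to the SDK.
Aws.config[:credentials] = Aws::Credentials.new(config.fetch('access_key_id'),
                                               config.fetch('secret_access_key'))
region = config.fetch('region')
ec2 = Aws::EC2::Client.new(region: region)
assume_role_arn = 'arn:aws:iam::XXXXXXXXXX:role/S3_ReadOnly_Role' # 取得したいIAMロール (role to assume)

pp 'EC2アクセス'
ret = ec2.describe_instances({})
# Walk every reservation; indexing [0] raised NoMethodError on an account
# with no instances and silently skipped all but the first reservation.
ret.reservations.flat_map(&:instances).each do |instance|
  pp instance.instance_id
  pp instance.tags
end

# S3へアクセスするために一時アカウントをGetする。
# Temporary credentials for S3; the SDK refreshes them before they expire.
role_credentials = Aws::AssumeRoleCredentials.new(
  duration_seconds: 900, # 有効期限は15分 (15 min, the STS minimum)
  client: Aws::STS::Client.new(region: region),
  role_arn: assume_role_arn,
  role_session_name: 'GetS3Role'
)

pp 'S3へアクセス'
# STSからの一時アカウントでアクセス (use the assumed-role credentials, not the IAM user's)
s3 = Aws::S3::Client.new(region: region, credentials: role_credentials)
ret = s3.list_buckets({})
bucket = ret.buckets.first
if bucket.nil?
  # Guard: [0].name crashed when the account owns no buckets.
  pp 'no buckets'
else
  pp bucket.name
  pp 'File'
  ret = s3.list_objects({ bucket: bucket.name, max_keys: 2 })
  object = ret.contents.first
  # Same guard for an empty bucket.
  pp(object ? object.key : 'no objects')
end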
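# -*- coding: utf-8 -*-
# frozen_string_literal: true
#
# STS動作確認サンプルその3 (STS check, sample 3)
# 要 AWS SDK for Ruby V3
#
# Like sample 2, but passes an inline session policy to AssumeRole so the
# temporary credentials carry only a subset of S3_ReadOnly_Role's permissions.
require 'aws-sdk-core'
require 'aws-sdk-ec2'
require 'aws-sdk-s3'
require 'yaml'
require 'pp'

# safe_load: config.yml only needs plain strings, so refuse YAML tags that
# could instantiate arbitrary objects (YAML.load allows them on Psych < 4).
config = YAML.safe_load(File.read('config.yml'))
# fetch raises on a missing key instead of handing nil to the SDK.
Aws.config[:credentials] = Aws::Credentials.new(config.fetch('access_key_id'),
                                               config.fetch('secret_access_key'))
region = config.fetch('region')
ec2 = Aws::EC2::Client.new(region: region)
assume_role_arn = 'arn:aws:iam::XXXXXXXXXX:role/S3_ReadOnly_Role' # 取得したいIAMロール (role to assume)

pp 'EC2アクセス'
ret = ec2.describe_instances({})
# Walk every reservation; indexing [0] raised NoMethodError on an account
# with no instances and silently skipped all but the first reservation.
ret.reservations.flat_map(&:instances).each do |instance|
  pp instance.instance_id
  pp instance.tags
end

# 与えられたロールから権限を絞る
# Session policy: the effective permissions are the intersection of the
# role's policies and this document, so it can only narrow, never widen.
# Note that s3:ListBucket is not granted here, so the list_objects call
# below is expected to be denied by design.
policy = <<~EOL
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetBucketLocation",
          "s3:ListAllMyBuckets"
        ],
        "Resource": [
          "*"
        ]
      }
    ]
  }
EOL

role_credentials = Aws::AssumeRoleCredentials.new(
  duration_seconds: 900, # 有効期限は15分 (15 min, the STS minimum)
  client: Aws::STS::Client.new(region: region),
  policy: policy,
  role_arn: assume_role_arn,
  role_session_name: 'GetS3Role'
)

pp 'S3へアクセス'
# STSからの一時アカウントでアクセス (use the assumed-role credentials, not the IAM user's)
s3 = Aws::S3::Client.new(region: region, credentials: role_credentials)
ret = s3.list_buckets({})
bucket = ret.buckets.first
if bucket.nil?
  # Guard: [0].name crashed when the account owns no buckets.
  pp 'no buckets'
else
  pp bucket.name
  pp 'File'
  ret = s3.list_objects({ bucket: bucket.name, max_keys: 2 })
  object = ret.contents.first
  # Same guard for an empty bucket.
  pp(object ? object.key : 'no objects')
end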
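# -*- coding: utf-8 -*-
# frozen_string_literal: true
#
# STS動作確認サンプルその1 (STS check, sample 1)
# 要 AWS SDK for Ruby V3
#
# Baseline: every call, EC2 and S3, uses the long-lived IAM user keys from
# config.yml directly. No STS involved; compare with samples 2 and 3.
require 'aws-sdk-core'
require 'aws-sdk-ec2'
require 'aws-sdk-s3'
require 'yaml'
require 'pp'

# safe_load: config.yml only needs plain strings, so refuse YAML tags that
# could instantiate arbitrary objects (YAML.load allows them on Psych < 4).
config = YAML.safe_load(File.read('config.yml'))
# fetch raises on a missing key instead of handing nil to the SDK.
Aws.config[:credentials] = Aws::Credentials.new(config.fetch('access_key_id'),
                                               config.fetch('secret_access_key'))
region = config.fetch('region')
ec2 = Aws::EC2::Client.new(region: region)
# Unused in this sample; kept so the three scripts line up for comparison.
assume_role_arn = 'arn:aws:iam::XXXXXXXXXX:role/S3_ReadOnly_Role' # 取得したいIAMロール (role to assume)

pp 'EC2アクセス'
ret = ec2.describe_instances({})
# Walk every reservation; indexing [0] raised NoMethodError on an account
# with no instances and silently skipped all but the first reservation.
ret.reservations.flat_map(&:instances).each do |instance|
  pp instance.instance_id
  pp instance.tags
end

pp 'S3へアクセス'
# STSを使わず、IAMでアクセス (no STS: the S3 client inherits Aws.config credentials)
s3 = Aws::S3::Client.new(region: region)
ret = s3.list_buckets({})
bucket = ret.buckets.first
if bucket.nil?
  # Guard: [0].name crashed when the account owns no buckets.
  pp 'no buckets'
else
  pp bucket.name
  pp 'File'
  ret = s3.list_objects({ bucket: bucket.name, max_keys: 2 })
  object = ret.contents.first
  # Same guard for an empty bucket.
  pp(object ? object.key : 'no objects')
end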