Obtaining AWS credentials
To connect Incredibuild Cloud to AWS, you need two credentials when activating it:
- Role ARN: the Amazon Resource Name (ARN) of the role, generated automatically when you create the new role. For details on Amazon Resource Names (ARNs), see the AWS documentation.
- External ID: the External ID you enter as a condition in the new role's Trust Relationships settings. For details on External IDs, see the AWS documentation.
The procedure for creating these credentials is as follows.
Note: This procedure requires an IAM user with the administrator access policy and programmatic access type. The steps are current as of November 2021. That user is only used to create the policy and the role; once the trust relationship is in place, Incredibuild Cloud works through the role and receives only the permissions in the policy you attach to it.
Creating the AWS policy
- In the AWS Management Console, type "IAM" in [Find Services].
- On the IAM page, click [Policies].
- On the Policies page, click [Create policy].
- On the first Create policy page, click the [JSON] tab.
- Enter one of the policies below, depending on your environment:
  - If you want to attach a custom role to the cloud VMs, use one of the custom VM role options below and name the role(s) you created in AWS. You must also specify the role in Cloud Settings.
  - The private-network policies require you to replace parts of the code with your own account information.
  - If you are not sure which to use, use the policy for a public network with a custom VM role.
  - If you use PrivateLink, also add the ec2:DescribeVpcEndpoints permission.
Policy for a public network without a custom VM role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "servicequotas:ListServices",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSubnet",
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:CreateVpc",
        "ec2:RequestSpotFleet",
        "ec2:AttachInternetGateway",
        "ec2:DescribeSpotInstanceRequests",
        "servicequotas:GetServiceQuota",
        "ec2:ModifySubnetAttribute",
        "ec2:DescribeInternetGateways",
        "ec2:ModifySpotFleetRequest",
        "ec2:DescribeNetworkInterfaces",
        "ec2:StartInstances",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteInternetGateway",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeRouteTables",
        "servicequotas:ListServiceQuotas",
        "ec2:DescribeCapacityReservations",
        "ec2:TerminateInstances",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:DetachInternetGateway",
        "ec2:StopInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DescribeImages",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeVpcs",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVpc",
        "ec2:CreateSubnet",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceTypeOfferings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "spot.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "ec2fleet.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*"
    }
  ]
}
Policy for a private network without a custom VM role
Replace <youraccountnumber> and <yourvpcid> with your own account information.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Subnets",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Vpc",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Images",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Tags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesUpdate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplateVersion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeCapacityReservations",
        "ec2:DescribeInstances",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceTypeOfferings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:RequestSpotFleet",
        "ec2:RequestSpotInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesWrite",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifySpotFleetRequest",
        "ec2:CancelSpotInstanceRequests"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "SecurityGroupsRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityGroupCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:<youraccountnumber>:vpc/<yourvpcid>",
        "arn:aws:ec2:*:<youraccountnumber>:security-group/*"
      ]
    },
    {
      "Sid": "SecurityGroupDelete",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "SecurityGroupsRulesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroupRules"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityGroupsRulesWrite",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "Quotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:ListServices",
        "servicequotas:GetServiceQuota",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpotServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "spot.amazonaws.com"
        }
      }
    },
    {
      "Sid": "Ec2FleetServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "ec2fleet.amazonaws.com"
        }
      }
    }
  ]
}
Policy for a public network with a custom VM role
Replace <Account-Id>, <RoleName1> and <RoleName2> with your account ID and the names of your custom VM roles. You can list one role or as many as you need; keep the list to the roles the VMs actually need, because iam:PassRole on a role lets Incredibuild launch instances with that role's permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "servicequotas:ListServices",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSubnet",
        "ec2:DescribeInstances",
        "ec2:RequestSpotInstances",
        "ec2:CreateVpc",
        "ec2:RequestSpotFleet",
        "ec2:AttachInternetGateway",
        "ec2:DescribeSpotInstanceRequests",
        "servicequotas:GetServiceQuota",
        "ec2:ModifySubnetAttribute",
        "ec2:DescribeInternetGateways",
        "ec2:ModifySpotFleetRequest",
        "ec2:DescribeNetworkInterfaces",
        "ec2:StartInstances",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:CreateSecurityGroup",
        "ec2:DeleteInternetGateway",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeRouteTables",
        "servicequotas:ListServiceQuotas",
        "ec2:DescribeCapacityReservations",
        "ec2:TerminateInstances",
        "ec2:DescribeLaunchTemplates",
        "ec2:CreateTags",
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:DetachInternetGateway",
        "ec2:StopInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DescribeImages",
        "ec2:CancelSpotInstanceRequests",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeVpcs",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVpc",
        "ec2:CreateSubnet",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeSubnets",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceTypeOfferings"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "spot.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "ec2fleet.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*"
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<Account-Id>:role/<RoleName1>",
        "arn:aws:iam::<Account-Id>:role/<RoleName2>"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": [
        "ec2:DisassociateIamInstanceProfile",
        "ec2:AssociateIamInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/incredibuild": "1"
        }
      }
    }
  ]
}
Policy for a private network with a custom VM role
Replace <youraccountnumber> and <yourvpcid> with your own account information, and <Account-Id>, <RoleName1> and <RoleName2> with your account ID and the names of your custom VM roles. You can list one role or as many as you need.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Subnets",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Vpc",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInternetGateways",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Images",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Tags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeLaunchTemplates"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LaunchTemplatesUpdate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateLaunchTemplateVersion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeCapacityReservations",
        "ec2:DescribeInstances",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstanceTypeOfferings"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateFleet",
        "ec2:RequestSpotFleet",
        "ec2:RequestSpotInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InstancesWrite",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifySpotFleetRequest",
        "ec2:CancelSpotInstanceRequests"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "SecurityGroupsRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityGroupCreate",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:<youraccountnumber>:vpc/<yourvpcid>",
        "arn:aws:ec2:*:<youraccountnumber>:security-group/*"
      ]
    },
    {
      "Sid": "SecurityGroupDelete",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "SecurityGroupsRulesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroupRules"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SecurityGroupsRulesWrite",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/resourceGroup": "*cloud-rg"
        }
      }
    },
    {
      "Sid": "Quotas",
      "Effect": "Allow",
      "Action": [
        "servicequotas:ListServices",
        "servicequotas:GetServiceQuota",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SpotServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/spot.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "spot.amazonaws.com"
        }
      }
    },
    {
      "Sid": "Ec2FleetServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/ec2fleet.amazonaws.com/*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "ec2fleet.amazonaws.com"
        }
      }
    },
    {
      "Sid": "GetAndPassRole",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<Account-Id>:role/<RoleName1>",
        "arn:aws:iam::<Account-Id>:role/<RoleName2>"
      ]
    },
    {
      "Sid": "AssociateAndDisassociateIamProfile",
      "Effect": "Allow",
      "Action": [
        "ec2:DisassociateIamInstanceProfile",
        "ec2:AssociateIamInstanceProfile"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/incredibuild": "1"
        }
      }
    },
    {
      "Sid": "IamInstanceProfileRulesRead",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeIamInstanceProfileAssociations"
      ],
      "Resource": "*"
    }
  ]
}
- Define a name and click [Create Policy] to finish the policy. You will need the name in a later step.
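Before pasting a filled-in policy into the console, it is worth checking it the way a reviewer would. The script below is an added example, not Incredibuild's own tooling: it substitutes the <...> placeholders, refuses to leave any unfilled, and then reports statements whose Resource is empty (IAM rejects such a document), iam:PassRole granted on every role, and write-capable actions granted on Resource "*" without a Condition. The add_action helper covers the PrivateLink note above (adding ec2:DescribeVpcEndpoints). The embedded policy is a constructed, shortened template in the shape of the public-network policy with a custom VM role, and the account ID and role name substituted into it are made up; the WRITE_ACTIONS list is this example's own choice.

```python
"""Fill the <...> placeholders in one of the IAM policies above and lint the
result before pasting it into the console. Added example, not Incredibuild's
own tooling; the sample policy and substitution values below are constructed."""
import json
import re

# Actions this example treats as write-capable. Granting one of them on
# Resource "*" with no Condition is reported. The list is this example's own
# choice, not an AWS or Incredibuild rule.
WRITE_ACTIONS = {
    "ec2:RunInstances", "ec2:TerminateInstances", "ec2:StopInstances",
    "ec2:DeleteVpc", "ec2:DeleteSubnet", "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:AssociateIamInstanceProfile",
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
}

PLACEHOLDER = re.compile(r"<([A-Za-z0-9_-]+)>")


def fill_placeholders(template: str, values: dict) -> str:
    """Replace every <Name> token. A placeholder with no value is an error:
    IAM rejects a literal '<Account-Id>' inside an ARN."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder <{name}>")
        return values[name]
    return PLACEHOLDER.sub(substitute, template)


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        sid = statement.get("Sid", f"Statement[{index}]")
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if not resources or "" in resources:
            findings.append(f'{sid}: Resource is empty; use "*" or an ARN')
        if statement.get("Effect") != "Allow":
            continue
        broad = "*" in resources
        conditioned = bool(statement.get("Condition"))
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
            elif action == "iam:PassRole" and broad:
                findings.append(f"{sid}: iam:PassRole on every role; list the VM role ARNs instead")
            elif action in WRITE_ACTIONS and broad and not conditioned:
                findings.append(f'{sid}: {action} on Resource "*" with no Condition')
    return findings


def add_action(policy: dict, sid: str, action: str) -> dict:
    """Append an action to the statement with the given Sid, for example the
    ec2:DescribeVpcEndpoints permission that PrivateLink needs."""
    for statement in policy["Statement"]:
        if statement.get("Sid") == sid:
            actions = _as_list(statement.get("Action"))
            if action not in actions:
                actions.append(action)
            statement["Action"] = actions
            return policy
    raise KeyError(f"no statement with Sid {sid!r}")


# Constructed, shortened template in the shape of the page's "public network
# with a custom VM role" policy. The empty Resource in the last statement is
# kept on purpose so the linter has something to report.
SAMPLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Ec2", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:TerminateInstances"],
     "Resource": "*"},
    {"Sid": "InstancesWrite", "Effect": "Allow",
     "Action": ["ec2:TerminateInstances"], "Resource": "*",
     "Condition": {"StringLike": {"ec2:ResourceTag/resourceGroup": "*cloud-rg"}}},
    {"Sid": "PassRole", "Effect": "Allow",
     "Action": ["iam:GetRole", "iam:PassRole"],
     "Resource": ["arn:aws:iam::<Account-Id>:role/<RoleName1>"]},
    {"Sid": "Profile", "Effect": "Allow",
     "Action": ["ec2:AssociateIamInstanceProfile"], "Resource": "",
     "Condition": {"StringEquals": {"ec2:ResourceTag/incredibuild": "1"}}}
  ]
}"""

# Made-up values for the example's placeholders.
SAMPLE_VALUES = {"Account-Id": "123456789012", "RoleName1": "ib-vm-role"}


def lint_sample() -> list:
    policy = json.loads(fill_placeholders(SAMPLE_TEMPLATE, SAMPLE_VALUES))
    return lint_policy(policy)


if __name__ == "__main__":
    for finding in lint_sample():
        print(finding)
```

Run against the sample it reports two findings: the unconditioned ec2:TerminateInstances on "*" in the first statement, and the empty Resource in the last one. The InstancesWrite statement is not reported because its ResourceTag condition limits it to Incredibuild's own instances, which is the pattern the private-network policies above use throughout.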
Creating the AWS role
- Go to [Roles] > [Create Role].
- On the first page, select [AWS service] as the type of trusted entity and [EC2] as the common use case. This initial trust policy is only a starting point; you replace it with one for Incredibuild's account in a later step.
- On the second page, use the [Filter policies] box to find the custom policy you created earlier and select its checkbox.
- [Optional] On the next page, add tags to the new role.
- On the fourth page, enter a name for the new role and click [Create role].
- On the Roles page, locate the newly created role and click its name to open it.
- On the new role's Summary page, click the [Trust relationships] tab, then click [Edit trust relationship].
- On the Edit Trust Relationship page, delete the existing content and replace it with the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::827268715074:user/incrediCloud"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<New_String_for_Your_External_ID>"
        }
      }
    }
  ]
}
In place of <New_String_for_Your_External_ID>, enter any unique string that contains no special characters. You will need this string when activating Incredibuild. The trust policy allows only Incredibuild's IAM user to assume the role, and only when it presents this External ID; the External ID is what stops someone who knows your Role ARN from having Incredibuild act against your account on their behalf (the confused-deputy problem). Use a value unique to this role and do not reuse one from another account.
- After entering your unique External ID in the Policy Document pane, click [Update Trust Policy]. You are returned to the role's Summary page, which shows the Role ARN. The Role ARN and the External ID you just entered are the two credentials listed at the top of this page that you need to activate Incredibuild Cloud; the role grants Incredibuild only the permissions in the policy you attached to it.
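The trust policy above is short but easy to get subtly wrong, so the script below is an added example (not Incredibuild's code) that generates an External ID, fills it into the trust policy from this page, and checks a trust policy document before it is saved: exactly one statement, sts:AssumeRole only, the Incredibuild principal shown on this page and no other, and a StringEquals condition on sts:ExternalId. The principal ARN is the one given above; the 16-character minimum and the alphanumeric alphabet for the External ID are this example's own rules, chosen to satisfy the "no special characters" instruction.

```python
"""Generate an External ID and the trust policy for the Incredibuild role, and
check a trust policy before saving it. Added example, not Incredibuild's code.
The principal ARN is the one given on this page; the minimum length and the
alphabet for the External ID are this example's own rules."""
import json
import secrets
import string

INCREDIBUILD_PRINCIPAL = "arn:aws:iam::827268715074:user/incrediCloud"
EXTERNAL_ID_ALPHABET = string.ascii_letters + string.digits
MIN_EXTERNAL_ID_LENGTH = 16  # this example's own rule


def new_external_id(length: int = 32) -> str:
    """Random alphanumeric string from the OS CSPRNG: unique to this role and
    free of special characters, as the page asks."""
    return "".join(secrets.choice(EXTERNAL_ID_ALPHABET) for _ in range(length))


def external_id_is_valid(external_id: str) -> bool:
    return (len(external_id) >= MIN_EXTERNAL_ID_LENGTH
            and all(c in EXTERNAL_ID_ALPHABET for c in external_id))


def build_trust_policy(external_id: str,
                       principal: str = INCREDIBUILD_PRINCIPAL) -> dict:
    """The trust policy from the page with the External ID filled in."""
    if not external_id_is_valid(external_id):
        raise ValueError("External ID must be alphanumeric and at least "
                         f"{MIN_EXTERNAL_ID_LENGTH} characters")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, principal: str, external_id: str) -> list:
    """Findings that would let a caller other than the expected principal
    presenting the expected External ID assume the role. An empty list means
    the document matches what the page specifies."""
    findings = []
    statements = policy.get("Statement", [])
    if len(statements) != 1:
        findings.append(f"expected exactly one statement, found {len(statements)}")
    for statement in statements:
        if statement.get("Effect") != "Allow":
            continue
        actions = statement.get("Action")
        actions = [actions] if isinstance(actions, str) else list(actions or [])
        if actions != ["sts:AssumeRole"]:
            findings.append(f"Action should be sts:AssumeRole only, found {actions}")
        who = statement.get("Principal")
        if isinstance(who, dict):
            who = who.get("AWS")
        if who != principal:
            findings.append(f"Principal is {who!r}, expected {principal!r}")
        condition = statement.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong: anyone who "
                            "learns the Role ARN could have Incredibuild assume the role")
    return findings


def render(policy: dict) -> str:
    """JSON ready to paste into the Edit Trust Relationship page."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    external_id = new_external_id()
    print("External ID (keep it for Incredibuild activation):", external_id)
    print(render(build_trust_policy(external_id)))
```

The rendered JSON can be pasted into the console as described above, or written to a file and applied with `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json` for the role you already created (or passed as `--assume-role-policy-document` to `aws iam create-role` when creating it from the CLI). Re-run check_trust_policy on whatever the console or CLI reports back to confirm that the External ID condition and the principal survived the edit.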