■Trying out the Docker version of former2.
The web version is linked below.
Even though it runs with only ReadOnlyAccess, it still throws errors and requires an access key and secret key,
so let's start by checking out the Docker version.
https://former2.com/
■Create an IAM group "former2" and attach the AWS managed policy "ReadOnlyAccess"
Before applying a policy to a user or group, search for its name among the policies AWS provides.
https://labunix.hateblo.jp/entry/20201223/1608723093
$ ./aws-policy-search ^readonly
ReadOnlyAccess
$ aws iam get-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess | \
sed -e 's/[A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9]/XXXX/g'
{
"Policy": {
"PolicyName": "ReadOnlyAccess",
"PolicyId": "XXXXXXXXXXXXXXXXXXXXQ",
"Arn": "arn:aws:iam::aws:policy/ReadOnlyAccess",
"Path": "/",
"DefaultVersionId": "v74",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Provides read-only access to AWS services and resources.",
"CreateDate": "XXXX-02-XXXX8:39:48+00:00",
"UpdateDate": "XXXX-03-XXXX1:35:15+00:00"
}
}
$ aws iam create-group --group-name former2
$ aws iam list-groups | jq '.Groups[] | select( .GroupName | test("former2"))' | \
sed -e 's/[A-Z0-9][A-Z0-9][A-Z0-9][A-Z0-9]/XXXX/g'
{
"Path": "/",
"GroupName": "former2",
"GroupId": "XXXXXXXXXXXXXXXXXXXXR",
"Arn": "arn:aws:iam::XXXXXXXXXXXX:group/former2",
"CreateDate": "XXXX-04-XXXX9:09:02+00:00"
}
$ aws iam attach-group-policy --group-name former2 \
--policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
$ aws iam list-attached-group-policies --group-name former2
{
"AttachedPolicies": [
{
"PolicyName": "ReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
]
}
■Create the following three users and add them to the "former2" group.
former2-local : for Docker running locally
former2-aws : for Docker running on AWS
former2-web : for the official former2 website
$ aws iam create-user --user-name former2-local --tags Key=CFn,Value=
$ echo -e "former2-aws\nformer2-web" | awk '{print "aws iam create-user --user-name "$1}' | sh
$ aws iam list-users | jq -r '.Users[] | select( .UserName | test("former2*"))' \
| sed -e 's/[A-Z0-9][A-Z0-9]/XX/g'
{
"Path": "/",
"UserName": "former2-aws",
"UserId": "XXXXXXXXXXXXXXXXXXXXO",
"Arn": "arn:aws:iam::XXXXXXXXXXXX:user/former2-aws",
"CreateDate": "XXXX-XX-XXXX9:XX:XX+XX:XX"
}
{
"Path": "/",
"UserName": "former2-local",
"UserId": "XXXXXXXXXXXXXXXXXXXXI",
"Arn": "arn:aws:iam::XXXXXXXXXXXX:user/former2-local",
"CreateDate": "XXXX-XX-XXXX9:XX:XX+XX:XX"
}
{
"Path": "/",
"UserName": "former2-web",
"UserId": "XXXXXXXXXXXXXXXXXXXXX",
"Arn": "arn:aws:iam::XXXXXXXXXXXX:user/former2-web",
"CreateDate": "XXXX-XX-XXXX9:XX:XX+XX:XX"
}
$ aws iam add-user-to-group --user-name former2-local --group-name former2
$ echo -e "former2-aws\nformer2-web" | \
awk '{print "aws iam add-user-to-group --user-name "$1" --group-name former2"}' | sh
$ echo -e "former2-local\nformer2-aws\nformer2-web" | \
awk '{print "echo -n \042"$1"\t\042;aws iam list-groups-for-user --user-name",$1,"| jq -r \047.Groups[].GroupName\047"}' | sh
former2-local former2
former2-aws former2
former2-web former2
■Create access keys for programmatic access
$ echo -e "former2-local\nformer2-aws\nformer2-web" | \
awk '{print "aws iam create-access-key --user-name "$1" > "$1".access-key"}' | sh
$ ls *.access-key | \
awk '{print "cat "$1" | jq -r -c \047.AccessKey | [ .UserName, .AccessKeyId, .SecretAccessKey ]\047"}' | sh | \
awk -F\" '{OFS="\042";gsub("[A-Z0-9]","X",$4);gsub("[A-Za-z0-9]","X",$6);print $0}'
["former2-aws","XXXXXXXXXXXXXXXXXXXX","XXXXX/XXXXXXXXXX+XXXXX/XXXXXXXXXXXXXXXXX"]
["former2-local","XXXXXXXXXXXXXXXXXXXX","+XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"]
["former2-web","XXXXXXXXXXXXXXXXXXXX","XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX+XX"]
■Not used this time, but if you need a password for console access, set it as follows
※Because console login requires a password, the users are currently in the state
"The user is not allowed management access to the console"
$ username="XXXXXX";password="XXXXXX"; \
aws iam create-login-profile \
--user-name "${username}" \
--password "${password}" \
--password-reset-required
■Check the Docker-related packages
Install Docker and Docker Compose on Debian 10 Buster
https://computingforgeeks.com/install-docker-and-docker-compose-on-debian-10-buster/
$ dpkg -l | awk '$1 ~ /ii/&& $2 ~ /docker/{print $2,$3,$4}'
docker.io 18.09.1+dfsg1-7.1+deb10u3 amd64
golang-docker-credential-helpers 0.6.1-2 amd64
python3-docker 3.4.1-4 all
python3-dockerpty 0.4.1-1 all
python3-dockerpycreds 0.3.0-1 all
■There is no official Docker image for former2.
$ docker search former2
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
former2/former2 0
packetchef/former2_local 0
nyatasu/former2 0
■Fetch the former2 Docker image source from git, change the listening port from 80 to 8000, and start it
※docker-compose is not used.
$ git clone https://github.com/iann0036/former2.git
$ cd former2;ls *.yml | awk '{print "echo \042["$0"]\042;cat "$0}' | sh
[docker-compose.yml]
version: '3'
services:
former2:
image: nginx:1.17.8-alpine
ports:
- "127.0.0.1:80:80"
volumes:
- .:/usr/share/nginx/html
$ cat Dockerfile
FROM nginx:1.15
COPY . /usr/share/nginx/html
$ docker build -t former2_local:1.0 .
Sending build context to Docker daemon 221.2MB
Step 1/2 : FROM nginx:1.15
1.15: Pulling from library/nginx
743f2d6c1f65: Pull complete
6bfc4ec4420a: Pull complete
688a776db95f: Pull complete
Digest: sha256:23b4dcdf0d34d4a129755fc6f52e1c6e23bb34ea011b315d87e193033bcd1b68
Status: Downloaded newer image for nginx:1.15
---> 53f3fd8007f7
Step 2/2 : COPY . /usr/share/nginx/html
---> 2a6d7d477ed4
Successfully built 2a6d7d477ed4
Successfully tagged former2_local:1.0
$ docker images -a
REPOSITORY TAG IMAGE ID CREATED SIZE
former2_local 1.0 2a6d7d477ed4 3 seconds ago 326MB
nginx 1.15 53f3fd8007f7 23 months ago 109MB
$ host_port=8000; docker run --name former2 -p $host_port:80 -d former2_local:1.0
bfe622d207ea3a2e8cdd4ab90731e21755eacb94da12660f8b65aaa824785db8
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
bfe622d207ea former2_local:1.0 "nginx -g 'daemon of…" 7 seconds ago Up 5 seconds 0.0.0.0:8000->80/tcp former2
■Aside: if you insist on binding to something like "127.0.0.1:8000"
and need temporary access from another host, use socat.
Example that listens on 8080 and forwards to 127.0.0.1:8000
※Stop it with [Ctrl]+[c] when you are done.
$ socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:8000
■Install the Chrome extension [Former2 Helper]
Authenticate with the access key and secret key.
Once the CFn output is finished, clean up.
■Check when the access key was last used
※Times are in GMT, so add 9 hours.
$ aws iam get-access-key-last-used \
--access-key-id $(aws iam list-access-keys --user-name former2-local | jq -r '.AccessKeyMetadata[].AccessKeyId')
{
"UserName": "former2-local",
"AccessKeyLastUsed": {
"LastUsedDate": "2021-04-06T21:14:00+00:00",
"ServiceName": "globalaccelerator",
"Region": "us-west-2"
}
}
■Deactivate the access key and confirm that it can no longer be used to log in
$ aws iam update-access-key --user-name former2-local --status Inactive \
--access-key-id $(aws iam list-access-keys --user-name former2-local | jq -r '.AccessKeyMetadata[].AccessKeyId')
$ aws iam list-access-keys --user-name former2-local | jq -r -c '.AccessKeyMetadata[] | [ .Status, .SecretAccessKey ]'
["Inactive",null]
■To re-enable the access key.
$ aws iam update-access-key --user-name former2-local --status Active \
--access-key-id $(aws iam list-access-keys --user-name former2-local | jq -r '.AccessKeyMetadata[].AccessKeyId')
■To delete the access key itself and recreate it.
Since the users were split so that these keys are used for nothing else, there is no way they are in use elsewhere,
but as a common procedure, deactivate first as a one-step cushion before deleting.
※(Re)creation is described above.
$ aws iam update-access-key --user-name former2-local --status Inactive \
--access-key-id $(aws iam list-access-keys --user-name former2-local | jq -r '.AccessKeyMetadata[].AccessKeyId')
$ aws iam delete-access-key --user-name former2-local \
--access-key-id $(aws iam list-access-keys --user-name former2-local | jq -r '.AccessKeyMetadata[].AccessKeyId')
■Stop the Docker container and remove the images
$ docker stop bfe622d207ea
$ docker rm bfe622d207ea
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
$ docker images -a
REPOSITORY TAG IMAGE ID CREATED SIZE
former2_local 1.0 2a6d7d477ed4 33 minutes ago 326MB
nginx 1.15 53f3fd8007f7 23 months ago 109MB
$ docker rmi 2a6d7d477ed4 53f3fd8007f7
Untagged: former2_local:1.0
Deleted: sha256:2a6d7d477ed4e53e7da94dc43241a1fa99bc4b418a24145985bd6f91f96a4416
Deleted: sha256:9c6b7c88bcf423440d07c3db1ba5861cbc615ee8e8d1a2ac03f165cba23361fe
Untagged: nginx:1.15
Untagged: nginx@sha256:23b4dcdf0d34d4a129755fc6f52e1c6e23bb34ea011b315d87e193033bcd1b68
Deleted: sha256:53f3fd8007f76bd23bf663ad5f5009c8941f63828ae458cef584b5f85dc0a7bf
Deleted: sha256:50183b8336fcc9552a55c86895cdfdfb6f1bb349a951da638f22f645ce235926
Deleted: sha256:093a0ead7cedbef266292a1b08e478489ed6584170f0d82127c5ac9a10fd8303
Deleted: sha256:6270adb5794c6987109e54af00ab456977c5d5cc6f1bc52c1ce58d32ec0f15f4
■Deactivate the access keys that are not in use
※The former2-local access key was deleted, so it no longer appears in list-access-keys.
$ aws iam update-access-key --user-name former2-web --status Inactive \
--access-key-id $(aws iam list-access-keys --user-name former2-web | jq -r '.AccessKeyMetadata[].AccessKeyId')
$ aws iam update-access-key --user-name former2-aws --status Inactive \
--access-key-id $(aws iam list-access-keys --user-name former2-aws | jq -r '.AccessKeyMetadata[].AccessKeyId')
$ echo -e "former2-local\nformer2-web\nformer2-aws" | \
awk '{print "aws iam list-access-keys --user-name "$1" | jq -r -c \047.AccessKeyMetadata[] | [ .UserName, .Status ]\047"}' | sh
["former2-web","Inactive"]
["former2-aws","Inactive"]
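As an added example (not part of the original post), the last-used check and the deactivation step above expressed as a small audit: given records in the shape of `aws iam list-access-keys` and `aws iam get-access-key-last-used` output, it flags Active keys that were never used or have sat idle longer than a threshold, and renders the matching `update-access-key --status Inactive` command for each. The records, the `AKIAEXAMPLE…` key IDs and the fixed clock `DEMO_NOW` are constructed for the demo; in a real run the dicts would come from the CLI output (or boto3).

```python
"""Stale access-key audit over CLI-shaped records (added example, runs offline)."""
from datetime import datetime, timezone

# Constructed samples in the shape of `aws iam list-access-keys`
# (.AccessKeyMetadata[]) and `aws iam get-access-key-last-used`
# (.AccessKeyLastUsed). Key IDs are placeholders, not real keys.
ACCESS_KEYS = [
    {"UserName": "former2-local", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": "2021-04-04T09:09:02+00:00"},
    {"UserName": "former2-web", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": "2021-04-04T09:09:05+00:00"},
    {"UserName": "former2-aws", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "CreateDate": "2021-04-04T09:09:07+00:00"},
    {"UserName": "former2-aws", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Inactive", "CreateDate": "2021-03-01T08:00:00+00:00"},
]
LAST_USED = {  # keyed by AccessKeyId; the Inactive key is never looked up
    "AKIAEXAMPLE000000001": {"LastUsedDate": "2021-04-06T21:14:00+00:00",
                             "ServiceName": "globalaccelerator", "Region": "us-west-2"},
    # A key that has never been used carries no LastUsedDate at all.
    "AKIAEXAMPLE000000002": {"ServiceName": "N/A", "Region": "N/A"},
    "AKIAEXAMPLE000000003": {"LastUsedDate": "2021-04-28T12:00:00+00:00",
                             "ServiceName": "iam", "Region": "N/A"},
}
DEMO_NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)  # fixed clock for the demo

def stale_keys(keys, last_used, now, max_idle_days):
    """Return [(UserName, AccessKeyId, reason)] for Active keys that were never
    used, or last used more than max_idle_days ago. Inactive keys are skipped."""
    flagged = []
    for k in keys:
        if k["Status"] != "Active":
            continue
        used = last_used.get(k["AccessKeyId"], {})
        # Never used: measure idle time from the key's creation instead.
        ref = used.get("LastUsedDate") or k["CreateDate"]
        idle_days = (now - datetime.fromisoformat(ref)).days
        if idle_days > max_idle_days:
            why = "idle" if "LastUsedDate" in used else "never used"
            flagged.append((k["UserName"], k["AccessKeyId"], f"{why} {idle_days}d"))
    return flagged

def deactivate_commands(flagged):
    """Render the same CLI step the post runs by hand; returned, not executed."""
    return [f"aws iam update-access-key --user-name {user} --status Inactive "
            f"--access-key-id {key_id}" for user, key_id, _ in flagged]

if __name__ == "__main__":
    for cmd in deactivate_commands(stale_keys(ACCESS_KEYS, LAST_USED, DEMO_NOW, 14)):
        print(cmd)
```

With a 14-day threshold the former2-local key (idle since 2021-04-06) and the never-used former2-web key are flagged, while the recently used former2-aws key and the already Inactive key are left alone.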