Doc AWS SDK 예제 GitHub 리포지토리에서 더 많은 SDK 예제를 사용할 수 있습니다. [AWS](https://github.com/awsdocs/aws-doc-sdk-examples)
기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
# AWS SDK 또는 CLI와 `CreateInstanceProfile` 함께 사용
다음 코드 예시는 `CreateInstanceProfile`의 사용 방법을 보여 줍니다.
작업 예제는 대규모 프로그램에서 발췌한 코드이며 컨텍스트에 맞춰 실행해야 합니다. 다음 코드 예제에서는 컨텍스트 내에서 이 작업을 확인할 수 있습니다.
+ [복원력이 뛰어난 서비스 구축 및 관리](iam_example_cross_ResilientService_section.md)
------
#### [ .NET ]
**SDK for .NET**
GitHub에 더 많은 내용이 있습니다. [AWS 코드 예 리포지토리](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/cross-service/ResilientService/AutoScalerActions#code-examples)에서 전체 예를 찾고 설정 및 실행하는 방법을 배워보세요.
```
///
/// Create a policy, role, and profile that is associated with instances with a specified name.
/// An instance's associated profile defines a role that is assumed by the
/// instance.The role has attached policies that specify the AWS permissions granted to
/// clients that run on the instance.
///
/// Name to use for the policy.
/// Name to use for the role.
/// Name to use for the profile.
/// Path to a policy file for SSM.
/// AWS Managed policies to be attached to the role.
/// The Arn of the profile.
public async Task CreateInstanceProfileWithName(
string policyName,
string roleName,
string profileName,
string ssmOnlyPolicyFile,
List? awsManagedPolicies = null)
{
var assumeRoleDoc = "{" +
"\"Version\": \"2012-10-17\"," +
"\"Statement\": [{" +
"\"Effect\": \"Allow\"," +
"\"Principal\": {" +
"\"Service\": [" +
"\"ec2.amazonaws.com\"" +
"]" +
"}," +
"\"Action\": \"sts:AssumeRole\"" +
"}]" +
"}";
var policyDocument = await File.ReadAllTextAsync(ssmOnlyPolicyFile);
var policyArn = "";
try
{
var createPolicyResult = await _amazonIam.CreatePolicyAsync(
new CreatePolicyRequest
{
PolicyName = policyName,
PolicyDocument = policyDocument
});
policyArn = createPolicyResult.Policy.Arn;
}
catch (EntityAlreadyExistsException)
{
// The policy already exists, so we look it up to get the Arn.
var policiesPaginator = _amazonIam.Paginators.ListPolicies(
new ListPoliciesRequest()
{
Scope = PolicyScopeType.Local
});
// Get the entire list using the paginator.
await foreach (var policy in policiesPaginator.Policies)
{
if (policy.PolicyName.Equals(policyName))
{
policyArn = policy.Arn;
}
}
if (policyArn == null)
{
throw new InvalidOperationException("Policy not found");
}
}
try
{
await _amazonIam.CreateRoleAsync(new CreateRoleRequest()
{
RoleName = roleName,
AssumeRolePolicyDocument = assumeRoleDoc,
});
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
RoleName = roleName,
PolicyArn = policyArn
});
if (awsManagedPolicies != null)
{
foreach (var awsPolicy in awsManagedPolicies)
{
await _amazonIam.AttachRolePolicyAsync(new AttachRolePolicyRequest()
{
PolicyArn = $"arn:aws:iam::aws:policy/{awsPolicy}",
RoleName = roleName
});
}
}
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Role already exists.");
}
string profileArn = "";
try
{
var profileCreateResponse = await _amazonIam.CreateInstanceProfileAsync(
new CreateInstanceProfileRequest()
{
InstanceProfileName = profileName
});
// Allow time for the profile to be ready.
profileArn = profileCreateResponse.InstanceProfile.Arn;
Thread.Sleep(10000);
await _amazonIam.AddRoleToInstanceProfileAsync(
new AddRoleToInstanceProfileRequest()
{
InstanceProfileName = profileName,
RoleName = roleName
});
}
catch (EntityAlreadyExistsException)
{
Console.WriteLine("Policy already exists.");
var profileGetResponse = await _amazonIam.GetInstanceProfileAsync(
new GetInstanceProfileRequest()
{
InstanceProfileName = profileName
});
profileArn = profileGetResponse.InstanceProfile.Arn;
}
return profileArn;
}
```
+ API 세부 정보는 *AWS SDK for .NET API 참조*의 [CreateInstanceProfile](https://docs.aws.amazon.com/goto/DotNetSDKV3/iam-2010-05-08/CreateInstanceProfile)을 참조하세요.
------
#### [ CLI ]
**AWS CLI**
**인스턴스 프로파일 생성**
다음 `create-instance-profile` 명령은 이름이 `Webserver`인 인스턴스 프로파일을 생성합니다.
```
aws iam create-instance-profile \
--instance-profile-name Webserver
```
출력:
```
{
"InstanceProfile": {
"InstanceProfileId": "AIPAJMBYC7DLSPEXAMPLE",
"Roles": [],
"CreateDate": "2015-03-09T20:33:19.626Z",
"InstanceProfileName": "Webserver",
"Path": "/",
"Arn": "arn:aws:iam::123456789012:instance-profile/Webserver"
}
}
```
인스턴스 프로파일에 역할을 추가하려면 `add-role-to-instance-profile` 명령을 사용합니다.
자세한 내용은 *AWS IAM 사용 설명서*의 [IAM 역할을 사용하여 Amazon EC2 인스턴스에서 실행되는 애플리케이션에 권한 부여](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)를 참조하세요.
+ API 세부 정보는 **AWS CLI 명령 참조의 [CreateInstanceProfile](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-instance-profile.html)을 참조하세요.
------
#### [ JavaScript ]
**SDK for JavaScript (v3)**
GitHub에 더 많은 내용이 있습니다. [AWS 코드 예 리포지토리](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-resilient-service#code-examples)에서 전체 예를 찾고 설정 및 실행하는 방법을 배워보세요.
```
const { InstanceProfile } = await iamClient.send(
new CreateInstanceProfileCommand({
InstanceProfileName: NAMES.ssmOnlyInstanceProfileName,
}),
);
await waitUntilInstanceProfileExists(
{ client: iamClient },
{ InstanceProfileName: NAMES.ssmOnlyInstanceProfileName },
);
```
+ API 세부 정보는 *AWS SDK for JavaScript API 참조*의 [CreateInstanceProfile](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/iam/command/CreateInstanceProfileCommand)을 참조하세요.
------
#### [ PowerShell ]
**Tools for PowerShell V4**
**예제 1: 이 예제는 `ProfileForDevEC2Instance`라는 새 IAM 인스턴스 프로파일을 생성합니다. `Add-IAMRoleToInstanceProfile` 명령을 별도로 실행하여 인스턴스에 권한을 제공하는 기존 IAM 역할과 인스턴스 프로파일을 연결해야 합니다. 마지막으로 EC2 인스턴스를 시작할 때 인스턴스 프로파일을 EC2 인스턴스에 연결합니다. 이를 수행하려면 `InstanceProfile_Arn` 또는 `InstanceProfile_Name` 파라미터와 함께 `New-EC2Instance` cmdlet을 사용합니다.**
```
New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance
```
**출력:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance
CreateDate : 4/14/2015 11:31:39 AM
InstanceProfileId : DYMFXL556EY46EXAMPLE1
InstanceProfileName : ProfileForDevEC2Instance
Path : /
Roles : {}
```
+ API 세부 정보는 **AWS Tools for PowerShell Cmdlet 참조(V4)의 [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v4/reference)을 참조하세요.
**Tools for PowerShell V5**
**예제 1: 이 예제는 `ProfileForDevEC2Instance`라는 새 IAM 인스턴스 프로파일을 생성합니다. `Add-IAMRoleToInstanceProfile` 명령을 별도로 실행하여 인스턴스에 권한을 제공하는 기존 IAM 역할과 인스턴스 프로파일을 연결해야 합니다. 마지막으로 EC2 인스턴스를 시작할 때 인스턴스 프로파일을 EC2 인스턴스에 연결합니다. 이를 수행하려면 `InstanceProfile_Arn` 또는 `InstanceProfile_Name` 파라미터와 함께 `New-EC2Instance` cmdlet을 사용합니다.**
```
New-IAMInstanceProfile -InstanceProfileName ProfileForDevEC2Instance
```
**출력:**
```
Arn : arn:aws:iam::123456789012:instance-profile/ProfileForDevEC2Instance
CreateDate : 4/14/2015 11:31:39 AM
InstanceProfileId : DYMFXL556EY46EXAMPLE1
InstanceProfileName : ProfileForDevEC2Instance
Path : /
Roles : {}
```
+ API 세부 정보는 *AWS Tools for PowerShell Cmdlet 참조(V5)*의 [CreateInstanceProfile](https://docs.aws.amazon.com/powershell/v5/reference)을 참조하세요.
------
#### [ Python ]
**SDK for Python(Boto3)**
GitHub에 더 많은 내용이 있습니다. [AWS 코드 예 리포지토리](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/iam#code-examples)에서 전체 예를 찾고 설정 및 실행하는 방법을 배워보세요.
이 예제에서는 정책, 역할, 인스턴스 프로파일을 생성하고 이를 모두 연결합니다.
```
class AutoScalingWrapper:
"""
Encapsulates Amazon EC2 Auto Scaling and EC2 management actions.
"""
def __init__(
self,
resource_prefix: str,
inst_type: str,
ami_param: str,
autoscaling_client: boto3.client,
ec2_client: boto3.client,
ssm_client: boto3.client,
iam_client: boto3.client,
):
"""
Initializes the AutoScaler class with the necessary parameters.
:param resource_prefix: The prefix for naming AWS resources that are created by this class.
:param inst_type: The type of EC2 instance to create, such as t3.micro.
:param ami_param: The Systems Manager parameter used to look up the AMI that is created.
:param autoscaling_client: A Boto3 EC2 Auto Scaling client.
:param ec2_client: A Boto3 EC2 client.
:param ssm_client: A Boto3 Systems Manager client.
:param iam_client: A Boto3 IAM client.
"""
self.inst_type = inst_type
self.ami_param = ami_param
self.autoscaling_client = autoscaling_client
self.ec2_client = ec2_client
self.ssm_client = ssm_client
self.iam_client = iam_client
sts_client = boto3.client("sts")
self.account_id = sts_client.get_caller_identity()["Account"]
self.key_pair_name = f"{resource_prefix}-key-pair"
self.launch_template_name = f"{resource_prefix}-template-"
self.group_name = f"{resource_prefix}-group"
# Happy path
self.instance_policy_name = f"{resource_prefix}-pol"
self.instance_role_name = f"{resource_prefix}-role"
self.instance_profile_name = f"{resource_prefix}-prof"
# Failure mode
self.bad_creds_policy_name = f"{resource_prefix}-bc-pol"
self.bad_creds_role_name = f"{resource_prefix}-bc-role"
self.bad_creds_profile_name = f"{resource_prefix}-bc-prof"
def create_instance_profile(
self,
policy_file: str,
policy_name: str,
role_name: str,
profile_name: str,
aws_managed_policies: Tuple[str, ...] = (),
) -> str:
"""
Creates a policy, role, and profile that is associated with instances created by
this class. An instance's associated profile defines a role that is assumed by the
instance. The role has attached policies that specify the AWS permissions granted to
clients that run on the instance.
:param policy_file: The name of a JSON file that contains the policy definition to
create and attach to the role.
:param policy_name: The name to give the created policy.
:param role_name: The name to give the created role.
:param profile_name: The name to the created profile.
:param aws_managed_policies: Additional AWS-managed policies that are attached to
the role, such as AmazonSSMManagedInstanceCore to grant
use of Systems Manager to send commands to the instance.
:return: The ARN of the profile that is created.
"""
assume_role_doc = {
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole",
}
],
}
policy_arn = self.create_policy(policy_file, policy_name)
self.create_role(role_name, assume_role_doc)
self.attach_policy(role_name, policy_arn, aws_managed_policies)
try:
profile_response = self.iam_client.create_instance_profile(
InstanceProfileName=profile_name
)
waiter = self.iam_client.get_waiter("instance_profile_exists")
waiter.wait(InstanceProfileName=profile_name)
time.sleep(10) # wait a little longer
profile_arn = profile_response["InstanceProfile"]["Arn"]
self.iam_client.add_role_to_instance_profile(
InstanceProfileName=profile_name, RoleName=role_name
)
log.info("Created profile %s and added role %s.", profile_name, role_name)
except ClientError as err:
if err.response["Error"]["Code"] == "EntityAlreadyExists":
prof_response = self.iam_client.get_instance_profile(
InstanceProfileName=profile_name
)
profile_arn = prof_response["InstanceProfile"]["Arn"]
log.info(
"Instance profile %s already exists, nothing to do.", profile_name
)
log.error(f"Full error:\n\t{err}")
return profile_arn
```
+ API 세부 정보는 *AWS SDK for Python (Boto3) API 참조*의 [CreateInstanceProfile](https://docs.aws.amazon.com/goto/boto3/iam-2010-05-08/CreateInstanceProfile)를 참조하세요.
------