1
00:00:00,340 --> 00:00:02,640
‫Okay. So let's practice using IAM roles

2
00:00:02,640 --> 00:00:04,070
‫for our EC2 Instance.

3
00:00:04,070 --> 00:00:06,840
‫So at first, I'm going to connect to my EC2 Instance.

4
00:00:06,840 --> 00:00:09,700
‫You can SSH, or you can use EC2 Instance Connect

5
00:00:09,700 --> 00:00:10,790
‫if you wanted to.

6
00:00:10,790 --> 00:00:12,270
‫I will use EC2 Instance Connect

7
00:00:12,270 --> 00:00:14,360
‫because it's just going to be in my web browser

8
00:00:14,360 --> 00:00:16,060
‫and a little bit simpler.

9
00:00:16,060 --> 00:00:17,800
‫So back into my instance

10
00:00:17,800 --> 00:00:20,040
‫with EC2 Instance Connect right here.

11
00:00:20,040 --> 00:00:21,740
‫And we are in our Instance.

12
00:00:21,740 --> 00:00:22,770
‫So as we can see,

13
00:00:22,770 --> 00:00:25,570
‫we are ec2-user@ and the private IP.

14
00:00:25,570 --> 00:00:28,600
‫So regardless if you're using EC2 Instance Connects

15
00:00:28,600 --> 00:00:31,040
‫or SSH through your terminal, or whatever,

16
00:00:31,040 --> 00:00:31,940
‫through PuTTY.

17
00:00:31,940 --> 00:00:34,980
‫Then if you see this, we are at the same stage, okay?

18
00:00:34,980 --> 00:00:37,540
‫So now you can just do some Linux commands.

19
00:00:37,540 --> 00:00:38,930
‫For example, ping Google,

20
00:00:38,930 --> 00:00:41,580
‫and you can get some information out of Google.

21
00:00:41,580 --> 00:00:43,760
‫And I will do Control + C to go out of it

22
00:00:43,760 --> 00:00:46,750
‫or issue any kind of Linux commands you want.

23
00:00:46,750 --> 00:00:48,540
‫Okay, you don't need to know the next command

24
00:00:48,540 --> 00:00:49,373
‫going into the exam,

25
00:00:49,373 --> 00:00:51,940
‫but this is just a Linux terminal available

26
00:00:51,940 --> 00:00:54,090
‫to you right now in the cloud.

27
00:00:54,090 --> 00:00:57,050
‫So we'll type clear to clear the screen

28
00:00:57,050 --> 00:01:00,340
‫and next we have to run some IAM commands.

29
00:01:00,340 --> 00:01:03,580
‫So the cool thing is that's the Amazon Linux AMI

30
00:01:03,580 --> 00:01:06,960
‫we're using right now comes with the aid of a CLI.

31
00:01:06,960 --> 00:01:08,880
‫And so, as you can see, it is installed.

32
00:01:08,880 --> 00:01:11,200
‫So what we can do is start using some commands.

33
00:01:11,200 --> 00:01:14,720
‫For example, aws iam list users.

34
00:01:14,720 --> 00:01:17,570
‫And if we do so, it says unable to look at credentials.

35
00:01:17,570 --> 00:01:21,140
‫You can configure credentials by using aws configure.

36
00:01:21,140 --> 00:01:23,650
‫So we could indeed run aws configure

37
00:01:23,650 --> 00:01:27,070
‫to configure the credentials and specify an Access ID

38
00:01:27,070 --> 00:01:29,030
‫a Secret Access key, and a region name.

39
00:01:29,030 --> 00:01:32,570
‫But this is a really, really, really bad idea.

40
00:01:32,570 --> 00:01:36,180
‫And the reason is that if we run aws configure

41
00:01:36,180 --> 00:01:40,660
‫and enter our personal details onto this EC2 Instance,

42
00:01:40,660 --> 00:01:42,970
‫then anyone else in our accounts

43
00:01:42,970 --> 00:01:45,230
‫could again connect to our EC2 Instance.

44
00:01:45,230 --> 00:01:47,877
‫For example, using EC2 Instance Connect

45
00:01:47,877 --> 00:01:51,160
‫and retrieve the value of these credentials in our instance,

46
00:01:51,160 --> 00:01:52,500
‫which is not what we want.

47
00:01:52,500 --> 00:01:54,370
‫This is something that's really, really bad.

48
00:01:54,370 --> 00:01:57,800
‫And so as a rule of thumb, never, ever, ever

49
00:01:57,800 --> 00:02:00,580
‫enter your IAM APA key.

50
00:02:00,580 --> 00:02:02,970
‫So the Access Key ID and the Secret Access key

51
00:02:02,970 --> 00:02:04,520
‫into an EC2 Instance.

52
00:02:04,520 --> 00:02:06,840
‫This is horrible and if you see someone doing it,

53
00:02:06,840 --> 00:02:08,950
‫please show them this video.

54
00:02:08,950 --> 00:02:12,060
‫Instead, what we have to do is use IAM rules.

55
00:02:12,060 --> 00:02:13,610
‫So if you remember,

56
00:02:13,610 --> 00:02:17,410
‫when we were in the management console and we were in IAM,

57
00:02:17,410 --> 00:02:19,500
‫we had created an IAM role.

58
00:02:19,500 --> 00:02:21,080
‫So let's go back into the Roles.

59
00:02:21,080 --> 00:02:23,660
‫We had this demo role for EC2

60
00:02:23,660 --> 00:02:27,010
‫that had one policy attached called IAMReadOnlyAccess.

61
00:02:27,010 --> 00:02:29,160
‫So we are going to attach this role

62
00:02:29,160 --> 00:02:33,430
‫onto our EC2 Instance to provide it with credentials.

63
00:02:33,430 --> 00:02:35,120
‫Okay, so how do we do this?

64
00:02:35,120 --> 00:02:37,160
‫For this, we can go into Security.

65
00:02:37,160 --> 00:02:38,160
‫And as you can see,

66
00:02:38,160 --> 00:02:41,420
‫there is no IAM Role right now onto our instance.

67
00:02:41,420 --> 00:02:44,300
‫So what we can do is go back to our Instances,

68
00:02:44,300 --> 00:02:48,950
‫Action, Security, and then Modify IAM role.

69
00:02:48,950 --> 00:02:50,550
‫Here we have to choose an IAM role.

70
00:02:50,550 --> 00:02:54,800
‫So we have DemoRoleForEC2 and click on Save

71
00:02:54,800 --> 00:02:56,920
‫to attach this IAM role into our Instance.

72
00:02:56,920 --> 00:02:58,610
‫So if you go back to Security,

73
00:02:58,610 --> 00:03:00,323
‫now the IAM role attached to Instance

74
00:03:00,323 --> 00:03:02,140
‫DemoRoleForEC2.

75
00:03:02,140 --> 00:03:04,220
‫So the effect of this is that now

76
00:03:04,220 --> 00:03:09,220
‫if we do aws iam list users and press Enter,

77
00:03:09,460 --> 00:03:12,260
‫where we are getting a response around the users from IAM.

78
00:03:12,260 --> 00:03:15,720
‫So as we can see, we did not run the command aws configure.

79
00:03:15,720 --> 00:03:18,560
‫We just attached an IAM role and ran this command.

80
00:03:18,560 --> 00:03:19,760
‫And it works.

81
00:03:19,760 --> 00:03:22,800
‫And as a proof, if we go into this role

82
00:03:22,800 --> 00:03:27,680
‫and detach this permission, so now it's gone,

83
00:03:27,680 --> 00:03:32,100
‫and run the command again, we're getting an access denied.

84
00:03:32,100 --> 00:03:35,370
‫So the role is really linked now to the EC2 Instance.

85
00:03:35,370 --> 00:03:38,380
‫And this is how we provide AWS credentials

86
00:03:38,380 --> 00:03:40,150
‫to our EC2 Instances only,

87
00:03:40,150 --> 00:03:42,490
‫only through IAM roles, okay?

88
00:03:42,490 --> 00:03:45,290
‫So if we go back to IAM

89
00:03:45,290 --> 00:03:47,400
‫and we attach a policy to this role

90
00:03:47,400 --> 00:03:49,900
‫and go back to IAMReadOnlyAccess,

91
00:03:49,900 --> 00:03:53,783
‫attach this policy and then rerun the command,

92
00:03:55,730 --> 00:03:56,570
‫we get an access denied

93
00:03:56,570 --> 00:03:58,910
‫because sometimes it can take a little bit of time

94
00:03:58,910 --> 00:04:02,027
‫to propagate the changes from IAM into AWS.

95
00:04:02,027 --> 00:04:04,240
‫But if we run it one more time,

96
00:04:04,240 --> 00:04:06,470
‫we're getting the output we expect,

97
00:04:06,470 --> 00:04:07,500
‫which is what we want.

98
00:04:07,500 --> 00:04:08,690
‫So this is very important

99
00:04:08,690 --> 00:04:10,180
‫for you to understand this,

100
00:04:10,180 --> 00:04:13,490
‫use IAM roles for your EC2 Instances.

101
00:04:13,490 --> 00:04:16,200
‫So this is hopefully good for you.

102
00:04:16,200 --> 00:04:17,490
‫I hope you like this hands-on

103
00:04:17,490 --> 00:04:19,440
‫and I will see you in the next lecture.