- Okay, so now let's take a look at a demo of creating roles.

You can see here I'm logged into the Amazon console. I'm in the IAM service, and I've clicked over here into the roles section. You can see that I don't have any roles yet. Now again, roles come in a number of different flavors. They can be used to attach to an EC2 virtual machine. They can be used by other AWS services. They can be used for cross-account access.

So, picking up where we talked about the last example, the last use case of using a role for an EC2 instance, I'm gonna create a new role, and perhaps I have an application, my web application or some kind of an API, running on an EC2 virtual machine. That particular application needs access to S3, Amazon Simple Storage Service. So I'm gonna call this one myApplication.

Again, you can see that we have all these different types of service roles: roles for various types of AWS services. We have roles for cross-account access, and roles for identity providers, or a way to use federated users for your organization. In this example, we want to use a service role. I want to use the very first one, the EC2. It says that it "allows EC2 instances to call AWS services on your behalf." Again, this is a way that we can get our EC2 instances access to various other Amazon resources without having to embed credentials such as access keys into our environment variables or into our code. That's exactly what we don't want to do.

So, here I wanna filter by S3, and just as an example, I'm going to choose S3 full access. This is not necessarily how we might do it in production, but just for the sake of this demo I wanna give this particular application access to S3. In fact, let's do S3 read-only access. That way our application is perhaps pulling information out of S3 rather than writing. So, I'm gonna choose that policy and click next. Now we have created a role. We've attached a policy to that role. I'm gonna go ahead and finalize that.

You can see now that we have our role. You can see that our role is allowed to read from S3. We can see that the trust relationship says that this role is trusting the EC2 service.

Now, when we go to launch EC2 instances or virtual machines, we can apply this role at the time we launch that machine, and then any application, and that's important to know, any application running on that virtual machine will be able to read from S3. If you log in to the operating system of that machine and use the CLI tools, you can get access to S3. If your application that is deployed to that machine uses the SDK, it can get access to S3.

So that is creating roles for use in EC2.
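As an added example (not part of the demo and not AWS code), here are the two policy documents the console generates behind a role like the one above, as constructed JSON dicts, plus a small audit that confirms the trust relationship trusts only the EC2 service and flags any other principal. The bucket name, the `expected_service` default and the function names are assumptions; the scoped S3 policy is the tighter alternative to the account-wide managed policy the speaker says is not how you would do it in production.

```python
# Constructed trust policy, equivalent to what the console's "EC2" service-role
# type produces: only the EC2 service principal may call sts:AssumeRole.
TRUST_POLICY_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
}

# Constructed permission policy: S3 read-only scoped to one bucket (placeholder
# name) instead of the account-wide AmazonS3ReadOnlyAccess used in the demo.
S3_READ_ONLY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-app-bucket",
                                "arn:aws:s3:::example-app-bucket/*"]}],
}

def _as_list(value):
    # IAM JSON allows either a single string or a list in most fields.
    return value if isinstance(value, list) else [value]

def assume_role_principals(trust_policy):
    """Return {(kind, principal)} pairs that an Allow statement lets assume the role."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare wildcard: any identity at all
            found.add(("AWS", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                found.add((kind, value))
    return found

def trust_policy_findings(trust_policy, expected_service="ec2.amazonaws.com"):
    """Flag every principal other than the single service this role should trust."""
    findings = []
    for kind, value in sorted(assume_role_principals(trust_policy)):
        if value == "*":
            findings.append("wildcard principal: any AWS identity can assume this role")
        elif kind == "Service" and value != expected_service:
            findings.append(f"unexpected service principal {value}")
        elif kind != "Service":
            findings.append(f"{kind} principal {value} (not an EC2 service trust)")
    return findings
```

Run `trust_policy_findings` over each role's trust document (from `aws iam get-role`) to catch roles whose trust has drifted beyond the EC2 service the demo intended.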