1
00:00:00,683 --> 00:00:01,912
Okay, so sometimes

2
00:00:01,912 --> 00:00:03,275
we just want to make sure we have the permissions

3
00:00:03,275 --> 00:00:04,200
and we can't really look

4
00:00:04,200 --> 00:00:07,291
at the IAM policies for whatever reason.

5
00:00:07,291 --> 00:00:08,825
We actually don't want to run the command.

6
00:00:08,825 --> 00:00:11,414
We just want to make sure we have the permissions.

7
00:00:11,414 --> 00:00:14,710
And some AWS CLI commands such as the EC2 commands,

8
00:00:14,710 --> 00:00:16,792
they can become quite expensive if they succeed.

9
00:00:16,792 --> 00:00:18,843
Because, say we wanted to create an EC2 instance,

10
00:00:18,843 --> 00:00:20,468
and we actually create it,

11
00:00:20,468 --> 00:00:23,177
we just wanted to try whether or not it worked.

12
00:00:23,177 --> 00:00:25,842
So, these commands, but not all commands

13
00:00:25,842 --> 00:00:29,006
may contain a minus minus dry-run option.

14
00:00:29,006 --> 00:00:31,590
And that option is to simulate API calls.

15
00:00:31,590 --> 00:00:33,211
If you don't have the permissions,

16
00:00:33,211 --> 00:00:34,773
you'll get a denied exception and then you know.

17
00:00:34,773 --> 00:00:36,289
But if you have the permissions,

18
00:00:36,289 --> 00:00:38,765
you will just not run the command.

19
00:00:38,765 --> 00:00:40,647
So, let's go ahead and practice this.

20
00:00:40,647 --> 00:00:42,141
So, let's say we want to see

21
00:00:42,141 --> 00:00:44,321
whether or not our EC2 instance,

22
00:00:44,321 --> 00:00:48,355
with this IAM role, can create other EC2 instances.

23
00:00:48,355 --> 00:00:49,767
That would be something fun to test, right?

24
00:00:49,767 --> 00:00:51,718
But we actually don't want to create another EC2 instance,

25
00:00:51,718 --> 00:00:54,943
we just want to make sure that it can create EC2 instances.

26
00:00:54,943 --> 00:00:56,308
So let's have a look,

27
00:00:56,308 --> 00:00:57,851
and look at the command.

28
00:00:57,851 --> 00:01:01,304
So, for this it's called AWS EC2 run-instances.

29
00:01:01,304 --> 00:01:02,891
And as you can see, I'm running this command

30
00:01:02,891 --> 00:01:05,391
straight from my EC2 instance.

31
00:01:06,491 --> 00:01:08,450
I'll make sure to run help,

32
00:01:08,450 --> 00:01:10,342
because I wanna get help with this command.

33
00:01:10,342 --> 00:01:12,402
And this command is quite a long one,

34
00:01:12,402 --> 00:01:13,680
you can read the whole documentation,

35
00:01:13,680 --> 00:01:15,796
it's also available online.

36
00:01:15,796 --> 00:01:18,044
But for this I'll make it super simple for you:

37
00:01:18,044 --> 00:01:20,417
we're going to need a few parameters

38
00:01:20,417 --> 00:01:23,560
and we'll also add the dry-run parameter

39
00:01:23,560 --> 00:01:25,771
just to test the command.

40
00:01:25,771 --> 00:01:28,238
So let's do the dry-run,

41
00:01:28,238 --> 00:01:30,547
and this is the first thing I'm going to specify,

42
00:01:30,547 --> 00:01:32,395
because I want to make sure that whatever I do next,

43
00:01:32,395 --> 00:01:34,955
it is going to be a dry-run.

44
00:01:34,955 --> 00:01:38,211
Now, we have to specify an image-id.

45
00:01:38,211 --> 00:01:40,497
An image-id is basically the AMI ID,

46
00:01:40,497 --> 00:01:43,347
and for this we can just go to our EC2 instance,

47
00:01:43,347 --> 00:01:45,614
click on the AMI ID that's already running,

48
00:01:45,614 --> 00:01:49,146
and we can just get the AMI ID all the way from here.

49
00:01:49,146 --> 00:01:51,006
We'll copy this whole thing,

50
00:01:51,006 --> 00:01:52,089
and paste it.

51
00:01:53,173 --> 00:01:54,614
Right here.

52
00:01:54,614 --> 00:01:56,855
The next thing we have to do is to specify

53
00:01:56,855 --> 00:01:58,326
the instance type.

54
00:01:58,326 --> 00:02:02,928
And for the instance type, I will choose a t2.micro.

55
00:02:02,928 --> 00:02:03,991
Now, this looks all right,

56
00:02:03,991 --> 00:02:05,262
this is enough to run this command,

57
00:02:05,262 --> 00:02:07,433
so I'll just click on Enter.

58
00:02:07,433 --> 00:02:12,433
And we get "An error occurred (UnauthorizedOperation)".

59
00:02:12,436 --> 00:02:15,738
So we are not authorized to perform this operation.

60
00:02:15,738 --> 00:02:18,201
That's because we set up the dry-run command,

61
00:02:18,201 --> 00:02:20,126
and so, basically, using this dry-run,

62
00:02:20,126 --> 00:02:21,932
you were able to test whether or not

63
00:02:21,932 --> 00:02:24,305
you have the authorization to do a thing.

64
00:02:24,305 --> 00:02:25,605
Now, let's make something fun

65
00:02:25,605 --> 00:02:29,012
and give ourselves the right to run instances.

66
00:02:29,012 --> 00:02:30,811
So I'll go back to IAM,

67
00:02:30,811 --> 00:02:33,264
I'll attach the policy that was managed from us before,

68
00:02:33,264 --> 00:02:35,144
so let me just find it.

69
00:02:35,144 --> 00:02:37,702
It is right here, I'll attach it.

70
00:02:37,702 --> 00:02:40,058
And I will go and edit this policy,

71
00:02:40,058 --> 00:02:44,571
so I'll go to policies, and right here, I'll click on it,

72
00:02:44,571 --> 00:02:46,977
and I will edit this policy.

73
00:02:46,977 --> 00:02:48,302
And using the visual editor

74
00:02:48,302 --> 00:02:50,568
I will add additional permissions,

75
00:02:50,568 --> 00:02:53,808
I'll choose a service that will be EC2.

76
00:02:53,808 --> 00:02:55,857
So let's scroll down, EC2 is right here.

77
00:02:55,857 --> 00:02:57,649
Now, we need to specify the permission.

78
00:02:57,649 --> 00:02:58,934
So if we go back to this command,

79
00:02:58,934 --> 00:03:00,766
we can see that the thing it tried to run

80
00:03:00,766 --> 00:03:02,886
is called RunInstances.

81
00:03:02,886 --> 00:03:05,672
So let's go to Write, because it is a write action,

82
00:03:05,672 --> 00:03:06,792
and if we scroll down,

83
00:03:06,792 --> 00:03:09,946
we can see that the RunInstances is right here.

84
00:03:09,946 --> 00:03:12,447
Let's go back up to roll this whole menu.

85
00:03:12,447 --> 00:03:15,392
So now we have the Write instance, one is selected,

86
00:03:15,392 --> 00:03:17,089
and as you can see I only chose

87
00:03:17,089 --> 00:03:19,320
the one operation I need to do,

88
00:03:19,320 --> 00:03:22,576
I did not over-privilege my EC2 instance, okay?

89
00:03:22,576 --> 00:03:27,576
Giving roles the minimum privilege they need to run is key.

90
00:03:27,674 --> 00:03:29,203
Now, for the resources, it says

91
00:03:29,203 --> 00:03:31,072
"You chose actions that require image resource type,

92
00:03:31,072 --> 00:03:32,107
"et cetera, et cetera."

93
00:03:32,107 --> 00:03:35,473
To make it very simple, I will just say "All resources",

94
00:03:35,473 --> 00:03:37,811
and it will have a star right here.

95
00:03:37,811 --> 00:03:41,021
Now, I can review the policy, and as you can see now,

96
00:03:41,021 --> 00:03:44,398
I have my EC2 that has Limited Write access

97
00:03:44,398 --> 00:03:46,260
for all resources.

98
00:03:46,260 --> 00:03:47,386
Save the changes.

99
00:03:47,386 --> 00:03:49,916
And we can also look at the JSON document.

100
00:03:49,916 --> 00:03:53,709
And, as we can see now, we get an Allow on EC2:RunInstances

101
00:03:53,709 --> 00:03:55,436
for all Resources.

102
00:03:55,436 --> 00:03:57,687
So, my policy has been applied,

103
00:03:57,687 --> 00:04:02,687
and now if I go back to my EC2 console, from my EC2 machine,

104
00:04:02,704 --> 00:04:04,588
and try to run this command,

105
00:04:04,588 --> 00:04:08,364
this time I get an error called a "DryRunOperation".

106
00:04:08,364 --> 00:04:10,738
And it says, "Request would have succeeded,

107
00:04:10,738 --> 00:04:13,080
"but the DryRun flag is set".

108
00:04:13,080 --> 00:04:14,653
So that's perfect!

109
00:04:14,653 --> 00:04:17,648
From this DryRun operation we ensured

110
00:04:17,648 --> 00:04:21,706
that we had the rights to perform a RunInstance operation,

111
00:04:21,706 --> 00:04:23,125
but it actually didn't succeed

112
00:04:23,125 --> 00:04:26,007
because I have set up the dry-run flag.

113
00:04:26,007 --> 00:04:29,499
And so we get this DryRunOperation exception.

114
00:04:29,499 --> 00:04:33,188
And so that's good, this is how we test our API calls,

115
00:04:33,188 --> 00:04:36,044
for some API calls it's important to set the dry-run flag.

116
00:04:36,044 --> 00:04:38,595
As you can see, if they're denied, we get the

117
00:04:38,595 --> 00:04:41,060
"UnauthorizedOperation", if they are allowed, we get the

118
00:04:41,060 --> 00:04:42,448
"DryRunOperation".

119
00:04:42,448 --> 00:04:46,495
But in no cases was this new instance being run,

120
00:04:46,495 --> 00:04:47,812
so that's helpful.

121
00:04:47,812 --> 00:04:49,995
So this is all for this lecture,

122
00:04:49,995 --> 00:04:52,563
in the next lecture we are going to try to understand

123
00:04:52,563 --> 00:04:54,897
what the hell this error message means.

124
00:04:54,897 --> 00:04:56,554
So see you in the next lecture.