{StorageGateway}Amazon S3 ファイルゲートウェイを作成してアクティベートする

 

AWS Storage Gateway は、オンプレミスのソフトウェアアプライアンスをクラウドベースのストレージと接続し、お客様のオンプレミスの IT 環境と AWS のストレージインフラストラクチャをシームレスに統合するサービスです。
このサービスを使用してデータを AWS クラウドに保存でき、データのセキュリティの維持に役立つ、スケーラブルで費用効率の高いストレージを利用できます。


https://business.ntt-east.co.jp/content/cloudsolution/column-try-33.html

https://it-ouji.com/category/aws/storage-gateway/

https://docs.aws.amazon.com/ja_jp/filegateway/latest/files3/create-gateway-file.html

https://docs.aws.amazon.com/ja_jp/storagegateway/latest/userguide/Requirements.html

https://nopipi.hatenablog.com/entry/2019/12/06/022719

 

前提:
デフォルトセキュリティグループ

インバウンド
172.31.0.0/16 全トラフィック許可
0.0.0.0/0 SSH許可
0.0.0.0/0 RDP許可


アウトバウンド
0.0.0.0/0 全トラフィック許可

このセキュリティグループを
Linuxクライアント、Windowsクライアント、VPCエンドポイント、Gatewayに適用

注意: 上記は検証用の緩い設定である。パブリック IP を付与したインスタンスに対して SSH/RDP を 0.0.0.0/0 に開放しているため、本番では管理元の IP アドレスに限定すること。また、1 つの SG を全リソースに流用するのではなく、Gateway には NFS (TCP/UDP 111, 2049, 20048) と SMB (TCP 445) をクライアントのサブネットからのみ、アクティベーション用の TCP 80 はアクティベーションを実行するホストからのみ、VPC エンドポイントには Gateway からの TCP 443, 1026-1028, 1031, 2222 のみを許可する専用の SG に分けるのが望ましい (ポート要件の正本は上記 Requirements のリンクを参照)。

AZは1Aを使用

VPCはデフォルトを使用


GatewayをEC2インスタンスで作成する場合の要件:
m4 または m5 インスタンスタイプ
インスタンスサイズ xlarge
追加ディスク 150 GiB

 


-- 1. コマンド等のインストール

-- 1.1 aws cli version 2 インストール

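# 1.1 Install AWS CLI v2 from the official distribution.
# -f makes curl fail on an HTTP error instead of saving an error page that
# unzip would then choke on; -sS stays quiet but still reports real errors;
# -L follows any CDN redirect.
curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# Supply-chain check: AWS publishes a detached PGP signature next to the archive
# (awscli-exe-linux-x86_64.zip.sig) and the signing key in the CLI install docs.
# On anything other than a throwaway lab host, import that key and run
#   gpg --verify awscliv2.sig awscliv2.zip
# before running the installer below.
unzip -q awscliv2.zip
sudo ./aws/install
aws --version

# 1.2 jq for inspecting the CLI's JSON output.
sudo yum -y install jq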


-- 2. SMBクライアント用windows server EC2インスタンスの作成

Windows_Server-2019-Japanese-Full-Base-2022.05.25
ami-0435c37fc34c6f16c
t3.small (2vCPU 2GiB)

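# 2. Windows Server client used to test the SMB share (step 8.6).
# IMDSv2 is enforced (HttpTokens=required). No instance profile is attached here,
# so there are no credentials to steal via IMDSv1 today, but enforcing v2 now is
# free and avoids a surprise if a profile is added later.
# The public IP exists only so the host can be reached over RDP; the prerequisite
# SG opens RDP to 0.0.0.0/0 — narrow that rule to the admin source IP.
aws ec2 run-instances \
  --image-id ami-0435c37fc34c6f16c \
  --instance-type t3.small \
  --key-name key1 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=windows-client}]' \
  --subnet-id subnet-11111111111111111 \
  --associate-public-ip-address \
  --metadata-options HttpTokens=required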

 

-- 3. Storage Gateway用EC2インスタンスの作成

aws-storage-gateway-1653687664
ami-03e1dde7bbeb57eef
m5.xlarge (4vCPU 16GiB)


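# 3. EC2-hosted File Gateway appliance (AWS-provided Storage Gateway AMI).
# Sizing follows the prerequisites: m5.xlarge plus a 150 GiB cache disk.
# The cache disk holds plaintext copies of every file written through the shares,
# so the EBS volume is created encrypted (account default EBS KMS key); EBS
# encryption is transparent to the guest, so the appliance is unaffected.
# On a Nitro instance /dev/sdb shows up inside the guest as /dev/nvme1n1, which
# is the disk id used by add-cache in step 6.
# The public IP is kept because, even with the Storage Gateway VPC endpoint from
# step 4, the appliance still needs a path to S3 (NAT gateway or S3 endpoint
# would let you drop it). IMDSv2 enforcement (--metadata-options HttpTokens=required)
# is recommended as well — confirm the appliance AMI supports it before enabling.
aws ec2 run-instances \
  --image-id ami-03e1dde7bbeb57eef \
  --instance-type m5.xlarge \
  --key-name key1 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=gateway}]' \
  --subnet-id subnet-11111111111111111 \
  --associate-public-ip-address \
  --block-device-mappings '[
    {
      "DeviceName": "/dev/sdb",
      "Ebs": {
        "DeleteOnTermination": true,
        "VolumeSize": 150,
        "Encrypted": true
      }
    }
  ]'

# Note the gateway's private IP: it is the activation target (step 5) and the
# NFS/SMB mount target (steps 7.6 and 8.6).
aws ec2 describe-instances \
  --filters 'Name=tag:Name,Values=gateway' \
  --query 'Reservations[].Instances[].{Id:InstanceId,PrivateIp:PrivateIpAddress,State:State.Name}'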

 

-- 4. VPCエンドポイント作成

# 4. Interface endpoint for the Storage Gateway control plane, so activation and
# gateway management traffic stay inside the VPC. Private DNS makes the regional
# service name resolve to the endpoint from inside the VPC.
# sg-55555555555555555 is the shared lab SG; for anything beyond a lab the
# endpoint's SG should only admit the gateway on the service ports listed in the
# Requirements link above.
aws ec2 create-vpc-endpoint \
  --vpc-endpoint-type Interface \
  --vpc-id vpc-22222222222222222 \
  --service-name com.amazonaws.ap-northeast-1.storagegateway \
  --subnet-ids subnet-33333333333333333 subnet-11111111111111111 subnet-44444444444444444 \
  --security-group-ids sg-55555555555555555 \
  --private-dns-enabled

# The endpoint's DnsEntries value is needed for the activation URL in step 5.
aws ec2 describe-vpc-endpoints

 

 

-- 5. Storage Gatewayアクティベーション

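# 5. Activate the gateway through the VPC endpoint.
# The activation request is plain HTTP (port 80) to the gateway's *private* IP;
# the gateway answers with an activation key, which is what binds the appliance
# to this account. Treat the key as a short-lived secret: anyone holding it before
# activate-gateway runs can activate the appliance into their own account, so it is
# never echoed here (it is still briefly visible in the aws process's argv).
aws ec2 describe-vpc-endpoints

GATEWAY_IP="172.31.47.183"
VPCE_DNS="vpce-66666666666666666-77777777.storagegateway.ap-northeast-1.vpce.amazonaws.com"

ACTIVATION_URL="http://${GATEWAY_IP}/?gatewayType=FILE_S3&activationRegion=ap-northeast-1&vpcEndpoint=${VPCE_DNS}&no_redirect"

# -f: fail on an HTTP error instead of storing an error page as the "key";
# -sS: quiet, but real errors are still printed.
ACTIVATION_KEY=$(curl -fsS "${ACTIVATION_URL}")
[ -n "${ACTIVATION_KEY}" ] || echo "ERROR: no activation key returned; check TCP 80 from this host to ${GATEWAY_IP}" >&2
echo "activation key received (${#ACTIVATION_KEY} chars)"

aws storagegateway activate-gateway \
  --activation-key "${ACTIVATION_KEY}" \
  --gateway-name gw01 \
  --gateway-timezone "GMT+9:00" \
  --gateway-region ap-northeast-1 \
  --gateway-type FILE_S3

aws storagegateway list-gateways

aws storagegateway describe-gateway-information \
  --gateway-arn arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888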

 

GatewayStateがRUNNINGになるまで待つ

 

-- 6. ローカルディスクの設定


# 6. Register the 150 GiB EBS volume as the gateway's cache disk.
# /dev/nvme1n1 is how the /dev/sdb mapping from step 3 appears inside the guest;
# confirm the id with list-local-disks before adding it.
GW_ARN="arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888"

aws storagegateway list-gateways

aws storagegateway list-local-disks --gateway-arn "${GW_ARN}"

aws storagegateway add-cache \
  --gateway-arn "${GW_ARN}" \
  --disk-ids /dev/nvme1n1

# The disk should now be reported as allocated to CACHE STORAGE.
aws storagegateway list-local-disks --gateway-arn "${GW_ARN}"

 

 


-- 7. NFS共有設定
-- 7.1 S3 バケットを作成する

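# 7.1 Bucket backing the NFS share. The region is pinned to match
# --bucket-region in step 7.5 instead of relying on the CLI default.
aws s3 ls

aws s3 mb s3://bucket123 --region ap-northeast-1

# The gateway writes objects with bucket-owner-full-control ACLs (step 7.5) and
# nothing should ever expose this bucket publicly, so enforce that explicitly
# rather than relying on account defaults.
aws s3api put-public-access-block \
  --bucket bucket123 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true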


-- 7.2 IAMポリシー作成

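# 7.2 IAM policy the gateway role uses to reach bucket123.
# Bucket-level reads (location, versioning, listing) plus object-level get/put/
# delete, multipart and ACL operations (ACL calls are needed for --object-acl).
# Scoped to exactly one bucket — no wildcards in Resource.
# Written with a quoted heredoc so the runbook is non-interactive and reproducible.
cat > policy01.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::bucket123",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::bucket123/*",
            "Effect": "Allow"
        }
    ]
}
EOF

aws iam create-policy \
  --policy-name policy01 \
  --policy-document file://policy01.json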


-- 7.3 IAMロール作成
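# 7.3 Role assumed by the gateway when it talks to S3.
# Trust policy: only the Storage Gateway service principal may assume it, and only
# on behalf of this specific gateway in this account. The aws:SourceArn /
# aws:SourceAccount conditions close the confused-deputy hole where a gateway in
# someone else's account names our role ARN.
cat > role01.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "storagegateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888",
                    "aws:SourceAccount": "999999999999"
                }
            }
        }
    ]
}
EOF

aws iam create-role \
  --role-name role01 \
  --assume-role-policy-document file://role01.json

# 7.4 Grant the role the bucket123 permissions from step 7.2.
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::999999999999:policy/policy01 \
  --role-name role01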

 

-- 7.5 ファイル共有の作成

 

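# 7.5 NFS export of bucket123 through the gateway.
# NFS here has no authentication beyond the client's source address, so ClientList
# is the only access control: it is restricted to the lab VPC CIDR (172.31.0.0/16,
# where the clients live) instead of 0.0.0.0/0 — narrow it further to the client
# subnet or host when possible. RootSquash maps a remote root to the anonymous
# uid/gid (65534 below). FileMode 0666 / DirectoryMode 0777 make every object
# world-readable and world-writable on the export; acceptable for a lab only.
# --no-kms-encrypted means objects use S3-managed keys rather than a customer
# KMS key; pass --kms-encrypted --kms-key <arn> to change that.
GW_ARN="arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888"

aws storagegateway create-nfs-file-share \
  --client-token 12345 \
  --nfs-file-share-defaults '{
    "FileMode": "0666",
    "DirectoryMode": "0777",
    "GroupId": 65534,
    "OwnerId": 65534
  }' \
  --gateway-arn "${GW_ARN}" \
  --no-kms-encrypted \
  --role arn:aws:iam::999999999999:role/role01 \
  --location-arn arn:aws:s3:::bucket123 \
  --default-storage-class S3_STANDARD \
  --object-acl bucket-owner-full-control \
  --client-list '["172.31.0.0/16"]' \
  --squash RootSquash \
  --no-read-only \
  --guess-mime-type-enabled \
  --no-requester-pays \
  --file-share-name bucket123 \
  --bucket-region ap-northeast-1

aws storagegateway list-file-shares

# Verify ClientList and Squash came through as intended.
aws storagegateway describe-nfs-file-shares \
  --file-share-arn-list arn:aws:storagegateway:ap-northeast-1:999999999999:share/share-AAAAAAAA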

 

-- 7.6 動作確認

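# 7.6 Mount the NFS export from the Linux client and do a write/read round trip.
# The gateway's private IP is the NFS server and the share name is the export path.
mkdir -p nfstest

sudo mount -t nfs -o nolock,hard 172.31.47.183:/bucket123 nfstest
df -h

touch ./nfstest/testfile

# 'll' is an interactive alias that does not exist in scripts; use ls -l.
ls -l nfstest

cat ./nfstest/testfile
echo test > ./nfstest/testfile
cat ./nfstest/testfile

# Assumes the commands above were run from /home/ec2-user.
sudo umount /home/ec2-user/nfstest
df -h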

-- 8. SMB共有設定

-- 8.1 S3 バケットを作成する

NFSと同じバケットは使用不可


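# 8.1 Bucket backing the SMB share (a bucket can back only one share, so it is
# separate from bucket123). Region pinned to match --bucket-region in step 8.5.
aws s3 ls

aws s3 mb s3://bucket456 --region ap-northeast-1

# Guest-authenticated SMB data must never become publicly readable via S3;
# enforce the public-access block explicitly.
aws s3api put-public-access-block \
  --bucket bucket456 \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true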


-- 8.2 IAMポリシー作成

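# 8.2 IAM policy for bucket456 — same permission set as policy01 (step 7.2),
# scoped to this one bucket. Written with a quoted heredoc so the runbook is
# non-interactive and reproducible.
cat > policy02.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLocation",
                "s3:GetBucketVersioning",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads"
            ],
            "Resource": "arn:aws:s3:::bucket456",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::bucket456/*",
            "Effect": "Allow"
        }
    ]
}
EOF

aws iam create-policy \
  --policy-name policy02 \
  --policy-document file://policy02.json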


-- 8.3 IAMロール作成
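# 8.3 Role assumed by the gateway for bucket456. Same trust policy shape as role01:
# Storage Gateway service principal only, pinned to this gateway ARN and account
# via aws:SourceArn / aws:SourceAccount (confused-deputy protection).
cat > role02.json <<'EOF'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "storagegateway.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "999999999999",
                    "aws:SourceArn": "arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888"
                }
            }
        }
    ]
}
EOF

aws iam create-role \
  --role-name role02 \
  --assume-role-policy-document file://role02.json

# 8.4 Grant the role the bucket456 permissions from step 8.2.
aws iam attach-role-policy \
  --policy-arn arn:aws:iam::999999999999:policy/policy02 \
  --role-name role02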

 

-- 8.5 ファイル共有の作成


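# 8.5 SMB share with guest authentication.
# GuestAccess means one shared password gates the whole bucket and there is no
# per-user identity (and --no-smbacl-enabled turns off Windows ACLs on top of
# that); prefer ActiveDirectory authentication outside a lab.
# The guest password is read from the terminal instead of being hard-coded, so it
# does not end up in the runbook or shell history. It is still briefly visible in
# the aws process's argv; --cli-input-json from a 0600 file avoids even that.
GW_ARN="arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888"

read -rs -p "smbguest password: " SMB_GUEST_PASSWORD; echo
aws storagegateway set-smb-guest-password \
  --gateway-arn "${GW_ARN}" \
  --password "${SMB_GUEST_PASSWORD}"
unset SMB_GUEST_PASSWORD

# Require SMB3 signing and encryption on the wire so neither the guest
# credentials nor file data are readable by anyone on the VPC segment. The
# Windows Server 2019 client from step 2 supports SMB3 encryption; if an older
# client must connect, fall back to MandatorySigning and verify the mount.
aws storagegateway update-smb-security-strategy \
  --gateway-arn "${GW_ARN}" \
  --smb-security-strategy MandatoryEncryption

# --no-kms-encrypted: objects use S3-managed keys rather than a customer KMS key.
aws storagegateway create-smb-file-share \
  --client-token 6789a \
  --gateway-arn "${GW_ARN}" \
  --no-kms-encrypted \
  --role arn:aws:iam::999999999999:role/role02 \
  --location-arn arn:aws:s3:::bucket456 \
  --default-storage-class S3_STANDARD \
  --object-acl bucket-owner-full-control \
  --no-read-only \
  --guess-mime-type-enabled \
  --no-requester-pays \
  --no-smbacl-enabled \
  --no-access-based-enumeration \
  --authentication GuestAccess \
  --case-sensitivity ClientSpecified \
  --file-share-name bucket456 \
  --bucket-region ap-northeast-1 \
  --oplocks-enabled

aws storagegateway list-file-shares

aws storagegateway describe-smb-file-shares \
  --file-share-arn-list arn:aws:storagegateway:ap-northeast-1:999999999999:share/share-BBBBBBBB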


-- 8.6 動作確認

 

rem 8.6 Map the SMB share from the Windows client as the gateway guest account.
rem The user name is <gateway-id>\smbguest; net use prompts for the password set in step 8.5.
net use Z: \\172.31.47.183\bucket456 /user:sgw-88888888\smbguest

rem Create/edit a file on the share; it should appear as an object in bucket456.
notepad Z:\testfile.txt

 


-- 9. クリーンアップ


-- Gatewayの削除
# Delete the gateway first; its file shares go with it. Do this before removing
# the buckets, roles or VPC endpoint it depends on.
aws storagegateway list-gateways

aws storagegateway delete-gateway \
  --gateway-arn "arn:aws:storagegateway:ap-northeast-1:999999999999:gateway/sgw-88888888"

 

-- バケットの削除

# --force empties the buckets (every object is deleted) before removing them.
aws s3 ls

for bucket in bucket123 bucket456; do
  aws s3 rb "s3://${bucket}" --force
done


-- VPCエンドポイントの削除

# Remove the Storage Gateway interface endpoint from step 4.
aws ec2 describe-vpc-endpoints

aws ec2 delete-vpc-endpoints --vpc-endpoint-ids "vpce-66666666666666666"


-- EC2インスタンスの削除


# Terminate the Windows client and the gateway appliance. The 150 GiB cache
# volume was created with DeleteOnTermination=true, so it is removed as well.
aws ec2 describe-instances

for instance in i-ccccccccccccccccc i-ddddddddddddddddd; do
  aws ec2 terminate-instances --instance-ids "${instance}"
done


-- IAMロールの削除
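# Confirm the roles exist, detach their policies, then delete them (IAM refuses to
# delete a role that still has a policy attached). get-role is used instead of
# grepping list-roles JSON, which can match unrelated role names.
aws iam get-role --role-name role01
aws iam get-role --role-name role02

aws iam detach-role-policy \
  --role-name role01 \
  --policy-arn arn:aws:iam::999999999999:policy/policy01

aws iam detach-role-policy \
  --role-name role02 \
  --policy-arn arn:aws:iam::999999999999:policy/policy02

aws iam delete-role --role-name role01
aws iam delete-role --role-name role02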


-- IAMポリシーの削除
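# Delete the customer-managed policies. A JMESPath filter on the policy name
# replaces grepping raw JSON; --scope Local limits the listing to this account's
# own policies.
aws iam list-policies --scope Local --query "Policies[?PolicyName=='policy01'].Arn"
aws iam list-policies --scope Local --query "Policies[?PolicyName=='policy02'].Arn"

aws iam delete-policy \
  --policy-arn arn:aws:iam::999999999999:policy/policy01

aws iam delete-policy \
  --policy-arn arn:aws:iam::999999999999:policy/policy02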