Bootstrap FreeKB - Amazon Web Services (AWS) - Associate an Instance Profile with an EC2 Instance


This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.

The aws iam list-instance-profiles command can be used to list the Instance Profiles you have created. Something like this should be returned. Notice in this example that Roles is an empty list, which means no role has been attached to the instance profile. At this point the instance profile is useless: it grants no permissions.

~]$ aws iam list-instance-profiles
{
    "InstanceProfiles": [
        {
            "Path": "/",
            "InstanceProfileName": "my-instance-profile",
            "InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
            "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
            "CreateDate": "2024-01-26T02:20:03+00:00",
            "Roles": []
        }
    ]
}

 

The aws iam add-role-to-instance-profile command can be used to attach a role to the instance profile. For example, one of the most common roles to attach is AmazonSSMManagedInstanceCore so that AWS Systems Manager (ssm.amazonaws.com) can assume the AmazonSSMManagedInstanceCore role. This assumes you have created a role with a Trust Policy that allows ssm.amazonaws.com to assume the role and that has the AmazonSSMManagedInstanceCore Permission Policy attached to the role.

aws iam add-role-to-instance-profile --role-name AmazonSSMManagedInstanceCore --instance-profile-name my-instance-profile

 

Now the instance profile is associated with the AmazonSSMManagedInstanceCore role.

~]$ aws iam list-instance-profiles
{
    "InstanceProfiles": [
        {
            "Path": "/",
            "InstanceProfileName": "my-instance-profile",
            "InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
            "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
            "CreateDate": "2024-01-26T02:20:03+00:00",
            "Roles": [
                {
                    "Path": "/",
                    "RoleName": "AmazonSSMManagedInstanceCore",
                    "RoleId": "AROA2MITL76GFBRM2ISVB",
                    "Arn": "arn:aws:iam::123456789012:role/AmazonSSMManagedInstanceCore",
                    "CreateDate": "2024-05-28T04:19:17+00:00",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Sid": "Statement1",
                                "Effect": "Allow",
                                "Principal": {
                                    "Service": "ssm.amazonaws.com"
                                },
                                "Action": "sts:AssumeRole"
                            }
                        ]
                    }
                }
            ]
        }
    ]
}

 

Here is another example of aws iam list-instance-profiles output, this time for an instance profile whose attached role has a Trust Policy naming an IAM user, rather than a service, as the principal allowed to assume it.

~]$ aws iam list-instance-profiles
{
    "InstanceProfiles": [
        {
            "Path": "/",
            "InstanceProfileName": "my-instance-profile",
            "InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
            "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
            "CreateDate": "2024-01-26T02:20:03+00:00",
            "Roles": [
                {
                    "Path": "/",
                    "RoleName": "test",
                    "RoleId": "AROA2MITL76GF46NSCA6E",
                    "Arn": "arn:aws:iam::123456789012:role/my-role",
                    "CreateDate": "2024-01-26T02:13:17+00:00",
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Principal": {
                                    "AWS": "arn:aws:iam::123456789012:user/johndoe"
                                },
                                "Action": "sts:AssumeRole",
                                "Condition": {}
                            }
                        ]
                    }
                }
            ]
        }
    ]
}

 

An EC2 instance can only be associated with one instance profile at a time, so you may want to first use the aws ec2 describe-iam-instance-profile-associations command to determine whether the EC2 instance is already associated with an instance profile.

~]$ aws ec2 describe-iam-instance-profile-associations
{
    "IamInstanceProfileAssociations": [
        {
            "AssociationId": "iip-assoc-04a03786337a32660",
            "InstanceId": "i-0a3ea97aa2383de58",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
                "Id": "AIPA2MITL76GNDM4CZFIM"
            },
            "State": "associated"
        }
    ]
}

 

Assuming the EC2 instance is NOT associated with an instance profile, the aws ec2 associate-iam-instance-profile command can be used to associate the instance profile with your EC2 instance.

~]$ aws ec2 associate-iam-instance-profile --instance-id i-abc123def456gh789 --iam-instance-profile Name=my-instance-profile
{
    "IamInstanceProfileAssociation": {
        "AssociationId": "iip-assoc-04a03786337a32660",
        "InstanceId": "i-abc123def456gh789",
        "IamInstanceProfile": {
            "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
            "Id": "AIPA2MITL76GNDM4CZFIM"
        },
        "State": "associated"
    }
}
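The steps above (check the instance profile's roles, check whether the instance already has an association, then associate) can be scripted so the checks run before anything is changed. The following is an added example, not code from the original article, written in Python against the same JSON shapes the aws iam list-instance-profiles and aws ec2 describe-iam-instance-profile-associations commands print (boto3 returns the same shapes). The sample documents are constructed: the first profile and the association are copied from the article's output, while empty-profile, ec2-profile and ec2-role are made up for the example. The script adds one check the article does not mention: an EC2 instance can only obtain credentials through its instance profile if the role's Trust Policy lets ec2.amazonaws.com assume the role, so a role that trusts only ssm.amazonaws.com, as in the article's output, is flagged. The associate_if_ready function is assumed boto3 wiring and only runs when called directly with AWS credentials configured; the checks themselves need no SDK.

```python
"""Pre-flight checks before running the equivalent of `aws ec2 associate-iam-instance-profile`."""

EC2_SERVICE_PRINCIPAL = "ec2.amazonaws.com"

# Constructed sample in the shape `aws iam list-instance-profiles` prints.
# The first profile mirrors the article's output; "empty-profile" and
# "ec2-profile"/"ec2-role" are made up for this example.
SAMPLE_PROFILES = {"InstanceProfiles": [
    {"InstanceProfileName": "my-instance-profile",
     "Roles": [{"RoleName": "AmazonSSMManagedInstanceCore",
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
                     "Action": "sts:AssumeRole"}]}}]},
    {"InstanceProfileName": "empty-profile", "Roles": []},
    {"InstanceProfileName": "ec2-profile",
     "Roles": [{"RoleName": "ec2-role",
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
                     "Action": ["sts:AssumeRole"]}]}}]},
]}

# Constructed sample in the shape `aws ec2 describe-iam-instance-profile-associations`
# prints, using the association shown in the article.
SAMPLE_ASSOCIATIONS = {"IamInstanceProfileAssociations": [
    {"AssociationId": "iip-assoc-04a03786337a32660",
     "InstanceId": "i-0a3ea97aa2383de58",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
                            "Id": "AIPA2MITL76GNDM4CZFIM"},
     "State": "associated"},
]}

def _as_list(value):
    """IAM policy fields (Statement, Action, Principal.Service) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_instance_profile(listing, name):
    """Return the profile named `name` from a list-instance-profiles document, or None."""
    for profile in listing.get("InstanceProfiles", []):
        if profile.get("InstanceProfileName") == name:
            return profile
    return None

def trust_policy_allows(role, service_principal):
    """True if an Allow statement in the role's Trust Policy lets `service_principal` call sts:AssumeRole."""
    doc = role.get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and service_principal in _as_list(principal.get("Service")):
            return True
    return False

def current_association(associations, instance_id):
    """Return the live association for the instance, or None (disassociated entries linger, so check State)."""
    for assoc in associations.get("IamInstanceProfileAssociations", []):
        if assoc.get("InstanceId") == instance_id and assoc.get("State") in ("associating", "associated"):
            return assoc
    return None

def preflight(listing, profile_name, associations, instance_id):
    """Return (ready, findings); ready is True only if the association would succeed and grant permissions."""
    findings = []
    profile = find_instance_profile(listing, profile_name)
    if profile is None:
        return False, [f"instance profile {profile_name} not found"]
    roles = profile.get("Roles", [])
    if not roles:
        findings.append("no role attached: the instance profile grants no permissions")
    for role in roles:
        if not trust_policy_allows(role, EC2_SERVICE_PRINCIPAL):
            findings.append(f"role {role['RoleName']} does not trust {EC2_SERVICE_PRINCIPAL}; "
                            "the instance will not be able to obtain its credentials")
    existing = current_association(associations, instance_id)
    if existing is not None:
        findings.append(f"instance {instance_id} already has association "
                        f"{existing['AssociationId']} with {existing['IamInstanceProfile']['Arn']}")
    return not findings, findings

def associate_if_ready(profile_name, instance_id):
    """Assumed live wiring with boto3: run the checks against the account, associate only if clean."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    iam, ec2 = boto3.client("iam"), boto3.client("ec2")
    listing = iam.list_instance_profiles()
    associations = ec2.describe_iam_instance_profile_associations(
        Filters=[{"Name": "instance-id", "Values": [instance_id]}])
    ready, findings = preflight(listing, profile_name, associations, instance_id)
    for finding in findings:
        print("finding:", finding)
    if ready:
        resp = ec2.associate_iam_instance_profile(
            IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id)
        print("state:", resp["IamInstanceProfileAssociation"]["State"])
    return ready
```

With credentials configured, associate_if_ready("my-instance-profile", "i-abc123def456gh789") performs the same sequence as the commands above. Run against the constructed samples, preflight reports two findings for my-instance-profile on i-0a3ea97aa2383de58 (the role trusts only ssm.amazonaws.com, and the instance is already associated), one finding for empty-profile, and none for ec2-profile on an instance with no association.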

 