
This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
- An IAM Policy allows certain actions (such as create) on certain resources (such as EC2)
- An IAM User is typically a user's account (such as john.doe) that contains an IAM Identity-Based Policy that allows certain actions (such as list) on certain resources (such as S3)
- An IAM Role contains an IAM Policy that allows certain actions (such as create) on certain resources (such as EC2). Let's say the Identity-Based Policy attached to john.doe does NOT allow "create S3"
- The Role that allows "create S3" could be attached to john.doe - or, john.doe could Assume the Role:
- Often, a Role will have two Policies:
The aws iam list-instance-profiles command can be used to list the Instance Profiles you have created. Something like this should be returned. Notice in this example that Roles is an empty list. This means no role has been attached to the instance profile, so at this point the instance profile is useless: it doesn't grant any permissions.
~]$ aws iam list-instance-profiles
{
"InstanceProfiles": [
{
"Path": "/",
"InstanceProfileName": "my-instance-profile",
"InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
"CreateDate": "2024-01-26T02:20:03+00:00",
"Roles": []
}
]
}
The aws iam add-role-to-instance-profile command can be used to attach a role to the instance profile. For example, one of the most common roles to attach is AmazonSSMManagedInstanceCore, so that AWS Systems Manager (ssm.amazonaws.com) can assume the AmazonSSMManagedInstanceCore role. This assumes you have created a role with a Trust Policy that allows ssm.amazonaws.com to assume the role and has the AmazonSSMManagedInstanceCore Permission Policy attached to the Role.
aws iam add-role-to-instance-profile --role-name AmazonSSMManagedInstanceCore --instance-profile-name my-instance-profile
Now the instance profile is associated with the AmazonSSMManagedInstanceCore Role.
~]$ aws iam list-instance-profiles
{
"InstanceProfiles": [
{
"Path": "/",
"InstanceProfileName": "my-instance-profile",
"InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
"CreateDate": "2024-01-26T02:20:03+00:00",
"Roles": [
{
"Path": "/",
"RoleName": "AmazonSSMManagedInstanceCore",
"RoleId": "AROA2MITL76GFBRM2ISVB",
"Arn": "arn:aws:iam::123456789012:role/AmazonSSMManagedInstanceCore",
"CreateDate": "2024-05-28T04:19:17+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"Service": "ssm.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
}
]
}
]
}
The aws iam list-instance-profiles command can be used to list the Instance Profiles you have created, including each attached role and its trust policy. Something like this should be returned.
~]$ aws iam list-instance-profiles
{
"InstanceProfiles": [
{
"Path": "/",
"InstanceProfileName": "my-instance-profile",
"InstanceProfileId": "AIPA2MITL76GNDM4CZFIM",
"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
"CreateDate": "2024-01-26T02:20:03+00:00",
"Roles": [
{
"Path": "/",
"RoleName": "test",
"RoleId": "AROA2MITL76GF46NSCA6E",
"Arn": "arn:aws:iam::123456789012:role/my-role",
"CreateDate": "2024-01-26T02:13:17+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/johndoe"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
}
]
}
]
}
An EC2 instance can only be associated with one instance profile, so you may want to first use the aws ec2 describe-iam-instance-profile-associations command to determine if the EC2 instance is associated with an instance profile.
~]$ aws ec2 describe-iam-instance-profile-associations
{
"IamInstanceProfileAssociations": [
{
"AssociationId": "iip-assoc-04a03786337a32660",
"InstanceId": "i-0a3ea97aa2383de58",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
"Id": "AIPA2MITL76GNDM4CZFIM"
},
"State": "associated"
}
]
}
Assuming the EC2 instance is NOT associated with an instance profile, the aws ec2 associate-iam-instance-profile command can be used to associate the instance profile with your EC2 instance.
~]$ aws ec2 associate-iam-instance-profile --instance-id i-abc123def456gh789 --iam-instance-profile Name=my-instance-profile
{
"IamInstanceProfileAssociation": {
"AssociationId": "iip-assoc-04a03786337a32660",
"InstanceId": "i-abc123def456gh789",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile",
"Id": "AIPA2MITL76GNDM4CZFIM"
},
"State": "associated"
}
}
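As an added pre-flight check for the procedure above (example code written for this page, not part of the article or of the AWS CLI), the script below parses constructed outputs in the shape of aws iam list-instance-profiles and aws ec2 describe-iam-instance-profile-associations and reports whether a profile will actually grant anything before you associate it: a profile with an empty Roles list grants nothing, EC2 only hands a role's credentials to the instance if the role's trust policy allows ec2.amazonaws.com to call sts:AssumeRole, and an instance that already has an association cannot take a second one. Function names and sample data are assumptions.

```python
# Constructed sample in the shape of `aws iam list-instance-profiles` output
# (placeholder data, trimmed to the fields the checks below need).
LIST_INSTANCE_PROFILES = {"InstanceProfiles": [
    {"InstanceProfileName": "empty-profile", "Roles": []},
    {"InstanceProfileName": "my-instance-profile", "Roles": [
        {"RoleName": "AmazonSSMManagedInstanceCore", "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ssm.amazonaws.com"}, "Action": "sts:AssumeRole"}]}}]},
    {"InstanceProfileName": "ec2-profile", "Roles": [
        {"RoleName": "ec2-ssm-role", "AssumeRolePolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"Service": ["ec2.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]}}]},
]}
# Constructed sample in the shape of `aws ec2 describe-iam-instance-profile-associations`.
ASSOCIATIONS = {"IamInstanceProfileAssociations": [
    {"InstanceId": "i-0a3ea97aa2383de58", "State": "associated", "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/my-instance-profile"}}]}

def _as_list(value):
    """IAM JSON allows either a string or a list in Action and Principal.Service."""
    return [value] if isinstance(value, str) else list(value or [])

def role_trusts_ec2(role):
    """True if an Allow statement lets ec2.amazonaws.com call sts:AssumeRole."""
    for stmt in role["AssumeRolePolicyDocument"].get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and "ec2.amazonaws.com" in services
                and any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action")))):
            return True
    return False

def check_profile(profiles, name):
    """Classify a profile: 'missing', 'no-role', 'role-not-ec2-trusted' or 'ok'."""
    for p in profiles["InstanceProfiles"]:
        if p["InstanceProfileName"] != name:
            continue
        if not p["Roles"]:
            return "no-role"  # the empty Roles list shown in the article: grants nothing
        return "ok" if all(role_trusts_ec2(r) for r in p["Roles"]) else "role-not-ec2-trusted"
    return "missing"

def current_profile(associations, instance_id):
    """ARN of the profile already on instance_id, or None (only one is allowed per instance)."""
    for a in associations["IamInstanceProfileAssociations"]:
        if a["InstanceId"] == instance_id and a["State"] in ("associating", "associated"):
            return a["IamInstanceProfile"]["Arn"]
    return None
```

Against real output, feed the parsed JSON of the two commands to check_profile and current_profile and only run associate-iam-instance-profile when the first returns "ok" and the second returns None.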