AWS Identity and Access Management
User Guide

Using Instance Profiles

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

Managing Instance Profiles (Console)

If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role. When you then use the Amazon EC2 console to launch an instance with an IAM role, you can select a role to associate with the instance. In the console, the list that's displayed is actually a list of instance profile names. The console does not create an instance profile for a role that is not associated with Amazon EC2.

Managing Instance Profiles (AWS CLI or AWS API)

If you manage your roles from the AWS CLI or the AWS API, you create roles and instance profiles as separate actions. Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of roles they contain. That way you can choose the correct instance profile when you launch an EC2 instance.

Note

An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of AWS because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.

Managing Instance Profiles (AWS CLI)

You can use the following AWS CLI commands to work with instance profiles in an AWS account.

You can also attach a role to an already running EC2 instance by using the following commands. For more information, see IAM Roles for Amazon EC2.

Managing Instance Profiles (AWS API)

You can call the following AWS API operations to work with instance profiles in an AWS account.

You can also attach a role to an already running EC2 instance by calling the following operations. For more information, see IAM Roles for Amazon EC2.