IAM Role for Applications That Run on Amazon EC2 Instances - Amazon EC2 Auto Scaling


Applications that run on Amazon EC2 instances need credentials to access other AWS services. To provide these credentials in a secure way, use an IAM role. The role supplies temporary permissions that the application can use when it accesses other AWS resources. The role's permissions determine what the application is allowed to do.

Applications running on the instances can access temporary credentials for the role through the instance profile metadata. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.

For instances in an Auto Scaling group, you must create a launch template or launch configuration and choose an instance profile to associate with the instances. An instance profile is a container for an IAM role that allows Amazon EC2 to pass the IAM role to an instance when the instance is launched. First, create an IAM role that has all of the permissions required to access the AWS resources. Then, create the instance profile and assign the role to it. For more information, see Using Instance Profiles in the IAM User Guide.

Note

When you use the IAM console to create a role for Amazon EC2, the console guides you through the steps for creating the role and automatically creates an instance profile with the same name as the IAM role.

For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances.

Prerequisites

Create the IAM role that your application running on Amazon EC2 can assume. Choose the appropriate permissions so that the application that is subsequently given the role can make the specific API calls that it needs.

Important

As a best practice, we strongly recommend that you create the role so that it has the minimum permissions to other AWS services that your application requires.

To create an IAM role

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles, Create role.

  3. For Select type of trusted entity, choose AWS service.

  4. For Choose the service that will use this role, choose EC2 and the EC2 use case. Choose Next: Permissions.

  5. For Attach permissions policies, choose the AWS managed policies that contain the required permissions. Choose Next: Tags and then Next: Review.

  6. On the Review page, enter a name for the role and choose Create role.

The iam:PassRole permission is needed on the IAM user who creates or updates an Auto Scaling group using a launch template that specifies an instance profile, or who creates a launch configuration that specifies an instance profile. For an example policy, see Control Which IAM Roles Can Be Passed (Using PassRole).
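The same steps carried out with the AWS CLI, ending with a PassRole policy that is scoped to the one role the launch template will reference. This is an added example, not code from the AWS documentation; the role name my-app-role, the placeholder account ID and the AmazonS3ReadOnlyAccess managed policy are assumptions standing in for whatever your application actually needs.

```shell
#!/bin/sh
# Added example (not from the AWS page): CLI equivalent of the console procedure.
# Role name, account ID and the managed policy ARN are assumptions.
set -eu

ROLE_NAME="${ROLE_NAME:-my-app-role}"            # assumed role and profile name
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"         # placeholder account ID
# AWS managed policy granting only what the application needs (assumed here).
APP_POLICY_ARN="${APP_POLICY_ARN:-arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess}"

# Trust policy: only the EC2 service may assume the role, which is what an
# instance profile requires.
ec2_trust_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}
EOF
}

# Policy for the IAM user who creates the launch template or launch
# configuration: iam:PassRole on this one role only, and only when the role is
# passed to EC2 rather than to some other service.
pass_role_policy() {
  cat <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"iam:PassRole",
 "Resource":"arn:aws:iam::${ACCOUNT_ID}:role/${1}",
 "Condition":{"StringEquals":{"iam:PassedToService":"ec2.amazonaws.com"}}}]}
EOF
}

# Create the role, attach its permissions, then create an instance profile of
# the same name (as the console does) and put the role into it.
create_role_and_profile() {
  aws iam create-role --role-name "$1" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$1" --policy-arn "$APP_POLICY_ARN"
  aws iam create-instance-profile --instance-profile-name "$1"
  aws iam add-role-to-instance-profile --instance-profile-name "$1" --role-name "$1"
}

# Only touch the account when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "--apply" ]; then
  create_role_and_profile "$ROLE_NAME"
  pass_role_policy "$ROLE_NAME"     # attach this to the user who runs Auto Scaling
fi
```

Run with `--apply` using credentials that may create IAM resources; the printed PassRole policy is then attached to the user or group that creates the Auto Scaling group.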

Create a Launch Configuration

When you create the launch configuration using the AWS Management Console, on the Configure Details page, select the role from IAM role. For more information, see Creating a Launch Configuration.

When you create the launch configuration using the create-launch-configuration command from the AWS CLI, specify the name of the instance profile as shown in the following example.

aws autoscaling create-launch-configuration --launch-configuration-name my-lc-with-instance-profile \
    --image-id ami-01e24be29428c15b2 --instance-type t2.micro \
    --iam-instance-profile my-instance-profile

Create a Launch Template

When you create the launch template using the AWS Management Console, in the Advanced Details section, select the role from IAM instance profile. For more information, see Creating a Launch Template for an Auto Scaling Group.

When you create the launch template using the create-launch-template command from the AWS CLI, specify the name of the instance profile as shown in the following example.

aws ec2 create-launch-template --launch-template-name my-lt-with-instance-profile --version-description version1 \
    --launch-template-data '{"ImageId":"ami-01e24be29428c15b2","InstanceType":"t2.micro","IamInstanceProfile":{"Name":"my-instance-profile"}}'