Use credentials for Amazon EC2 instance metadata - AWS Command Line Interface

Use credentials for Amazon EC2 instance metadata

When you run the AWS CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the AWS CLI automatically and securely retrieves the credentials from the instance metadata.

To disable this service, use the AWS_EC2_METADATA_DISABLED environment variable.

Prerequisites

To use Amazon EC2 credentials with the AWS CLI, you need to complete the following:

Configuring a profile for Amazon EC2 metadata

To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions.

[profile profilename] role_arn = arn:aws:iam::123456789012:role/rolename credential_source = Ec2InstanceMetadata region = region
  1. Create a profile in your configuration file.

    [profile profilename]
  2. Add your IAM arn role that has access to the resources needed.

    role_arn = arn:aws:iam::123456789012:role/rolename
  3. Specify Ec2InstanceMetadata as your credential source.

    credential_source = Ec2InstanceMetadata
  4. Set your Region.

    region = region

Example

The following example assumes the marketingadminrole role and uses the us-west-2 Region in an Amazon EC2 instance profile named marketingadmin.

[profile marketingadmin] role_arn = arn:aws:iam::123456789012:role/marketingadminrole credential_source = Ec2InstanceMetadata region = us-west-2