AWS Command Line Interface
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Instance Metadata

When you run the AWS CLI from within an Amazon EC2 instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the AWS CLI can directly query for temporary credentials. To provide these, create an AWS Identity and Access Management (IAM) role that has access to the resources needed, and attach that role to the Amazon EC2 instance when you launch it.

Launch the instance and check to see if the AWS CLI is already installed (it comes preinstalled on Amazon Linux). If necessary, install the AWS CLI. You must still configure a default Region to avoid having to specify it in every command.

To specify in a named profile that you want to use the credentials available in the hosting Amazon EC2 instance profile, specify the following line in the configuration file:

credential_source = Ec2InstanceMetadata

The following example shows how to assume the marketingadminrole role by referencing it in an Amazon EC2 instance profile:

[profile marketingadmin] role_arn = arn:aws:iam::123456789012:role/marketingadminrole credential_source = Ec2InstanceMetadata

You can set the Region and default output format by running aws configure without specifying credentials by pressing Enter twice to skip the first two prompts.

$ aws configure AWS Access Key ID [None]: ENTER AWS Secret Access Key [None]: ENTER Default region name [None]: us-west-2 Default output format [None]: json

When an IAM role is attached to the instance, the AWS CLI automatically and securely retrieves the credentials from the instance metadata. For more information, see Granting Applications That Run on Amazon EC2 Instances Access to AWS Resources in the IAM User Guide.