In AWS, Instance Profiles act as containers for IAM roles, enabling EC2 instances to assume the permissions defined in the role. This integration allows secure and seamless access to AWS services without embedding credentials in application code. Below is an advanced, detailed, step-by-step guide for creating and associating an Instance Profile with a role in AWS.
1. Prerequisites
1. IAM Permissions: Ensure you have permissions to create IAM roles, policies, and EC2 resources.
2. AWS CLI or SDK: Installed and configured for programmatic interaction with AWS.
2. Create an IAM Role
1. Access IAM Console:
Navigate to the IAM Dashboard in the AWS Management Console.
2. Create a New Role:
Click Roles and select Create Role.
Choose AWS Service as the trusted entity type.
Select EC2 as the use case to allow the role to be used by EC2 instances.
3. Attach Policies to the Role:
Attach a policy that grants the access the workload needs. For example, the following policy grants full access to S3 (scope it down to the specific buckets and actions required before using it outside a test):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
4. Name and Create the Role:
Provide a descriptive name (e.g., EC2S3AccessRole) and click Create Role.
3. Create an Instance Profile
1. Access the Instance Profiles Section:
Under the IAM Dashboard, go to Roles and locate the role you just created.
2. Associate the Role with an Instance Profile:
When a role is created in the console with the EC2 use case, the console also creates an instance profile with the same name. Verify this by opening the role and checking that an Instance Profile ARN is shown.
If the role was created another way (for example with the CLI), create the instance profile and add the role to it:
aws iam create-instance-profile --instance-profile-name MyInstanceProfile
aws iam add-role-to-instance-profile --instance-profile-name MyInstanceProfile --role-name EC2S3AccessRole
4. Assign the Instance Profile to an EC2 Instance
1. Launch or Modify an EC2 Instance:
When launching a new instance, under the Advanced Details section, select the instance profile from the IAM Role dropdown.
For an existing instance, modify its IAM role:
aws ec2 associate-iam-instance-profile --instance-id i-1234567890abcdef0 --iam-instance-profile Name=MyInstanceProfile
2. Validate the Assignment:
Connect to the EC2 instance (for example over SSH) and confirm the profile is attached by querying the instance metadata service. If the instance enforces IMDSv2, the request must carry a session token obtained from the /latest/api/token endpoint:
curl http://169.254.169.254/latest/meta-data/iam/info
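The steps above can be checked before anything is attached. The following Python helpers (an added example, not part of the original guide) build the EC2 trust policy the console writes, build a least-privilege alternative to the guide's "s3:*" on "*" policy for a single bucket, flag Allow statements whose Action and Resource are both wildcards, and parse the body returned by the iam/info metadata endpoint; the bucket name and the sample metadata response are constructed placeholders.

```python
import json

# Trust policy that lets EC2 assume the role (this is the document the
# console writes when "EC2" is chosen as the use case).
def ec2_trust_policy():
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }

# Least-privilege alternative to the guide's "s3:*" on "*": list one bucket
# and read/write objects inside it only. The bucket name is a placeholder.
def scoped_s3_policy(bucket):
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": arn},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{arn}/*"},
        ],
    }

def _as_list(v):
    return v if isinstance(v, list) else [v]

# Return the Allow statements whose Action and Resource are both wildcards
# (e.g. "s3:*" on "*"); these are the ones to narrow before attaching.
def wildcard_allows(policy):
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            hits.append(stmt)
    return hits

# Parse the JSON body returned by .../meta-data/iam/info and return the
# attached instance profile name, or None if no profile is reported.
def profile_name_from_iam_info(body):
    info = json.loads(body)
    if info.get("Code") != "Success":
        return None
    return info["InstanceProfileArn"].rsplit("/", 1)[-1]
```

Run wildcard_allows over the guide's S3 policy to see it flagged, and over scoped_s3_policy("your-bucket") to see it pass.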
5. Test the Role
1. Access AWS Services from EC2:
Test access to the resources granted by the attached policy. For example, list S3 buckets:
aws s3 ls
2. Ensure Secure Access:
Confirm no long-lived credentials are hardcoded on the instance or in the application. The AWS CLI and SDKs obtain temporary credentials for the role from the instance metadata service and rotate them automatically.
Conclusion
Instance profiles simplify secure access for EC2 instances, eliminating the need for embedded credentials. By combining IAM roles and instance profiles, AWS provides a robust mechanism for managing permissions in a scalable and secure manner.
The article above is rendered by integrating outputs of 1 HUMAN AGENT & 3 AI AGENTS, an amalgamation of HGI and AI to serve technology education globally.