AWS Official Blog

IAM roles for EC2 instances – Simplified Secure Access to AWS service APIs from EC2

by Jeff Barr, in AWS IAM

Today’s guest blogger is Anders Samuelsson, a Senior Product Manager on the AWS Identity and Access Management team. Anders has great news for anyone who makes calls to AWS APIs using code that runs on an EC2 instance.

— Jeff;

Today we are introducing AWS Identity and Access Management (IAM) roles for EC2 instances, a new feature that makes it even easier for you to securely access AWS service APIs from your EC2 instances. You can create an IAM role, assign it a set of permissions, launch EC2 instances with the IAM role, and AWS access keys with the specified permissions are then automatically made available on those EC2 instances.

This short video illustrates that it is easy to get started:

Until now, you had to securely get your AWS access keys out to your EC2 instances, which could be challenging when managing large or elastically scaling fleets. You also needed to figure out how to implement security best practices such as regularly rotating your keys. IAM roles for EC2 instances now take care of both of these for you automatically.

IAM roles for EC2 instances can be used with:

  • ALL EC2 instance types
  • Linux and Windows instances
  • ALL AMIs
  • Amazon VPC
  • Spot and Reserved Instances
  • North America, South America, Europe, and Asia Pacific regions

Auto Scaling and AWS CloudFormation have also added integration for roles, so that they can start EC2 instances with IAM roles on your behalf, and GovCloud support will be coming soon.

Let's take a look behind the scenes.

We have introduced a new IAM entity called a role. IAM roles allow applications on your EC2 instances to act on your behalf. As with an IAM user, you use the Access Policy Language to specify permissions. However, unlike a user, a role cannot be used to call AWS service APIs directly. A role must be assumed by an entity – in this case an EC2 instance, and in future releases perhaps an IAM user. To extend the AWS Hotel analogy that we used in a prior blog post to explain IAM users: a housekeeper named Sally might be given an IAM user for her day-to-day responsibility of cleaning guest rooms, but during the yearly fire drill she can assume the role of Safety Officer, which gives her different permissions (such as access to all rooms in the building, and use of walkie-talkies to coordinate with fire officials).

When you launch an EC2 instance with an IAM role, temporary AWS security credentials with permissions specified by the role will be securely provisioned to the instance and will be made available to your application via the EC2 Instance Metadata Service. The Metadata Service will make new temporary security credentials available prior to the expiration of the current active credentials, so that valid credentials are always available on the instance.
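As an added example (not code from this post or from the AWS SDK), the following Python credential cache shows what the metadata service hands an instance and how a client should treat it: it parses the JSON credential document, rejects any response whose Code is not Success, and fetches fresh credentials ahead of the stated Expiration rather than at it. The IMDS path is the real one; the sample document, the role name and the fetch callback are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Real IMDS path; the caller appends the role name and performs the GET via `fetch`.
IMDS_BASE = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

# Constructed sample of the JSON document IMDS returns for a role (not real keys).
SAMPLE_DOC = json.dumps({
    "Code": "Success",
    "AccessKeyId": "EXAMPLEACCESSKEYID",
    "SecretAccessKey": "EXAMPLESECRETKEY",
    "Token": "EXAMPLESESSIONTOKEN",
    "Expiration": "2012-06-07T16:00:00Z",
})


def utc(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp format used by the metadata service."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credentials(doc: str) -> dict:
    """Validate and parse the credential document; reject anything but Code=Success."""
    data = json.loads(doc)
    if data.get("Code") != "Success":
        raise RuntimeError("metadata service returned no credentials: %r" % data.get("Code"))
    return {
        "access_key": data["AccessKeyId"],
        "secret_key": data["SecretAccessKey"],
        "token": data["Token"],  # session token: must accompany every signed request
        "expiration": utc(data["Expiration"]),
    }


class RoleCredentials:
    """In-memory cache that refreshes `margin` before expiry. `fetch(role_name)`
    returns the JSON string from IMDS_BASE + role_name. Credentials are held in
    memory only: never written to disk or logged."""

    def __init__(self, role_name: str, fetch, margin: timedelta = timedelta(minutes=5)):
        self.role_name, self.fetch, self.margin, self._creds = role_name, fetch, margin, None

    def needs_refresh(self, now: datetime) -> bool:
        return self._creds is None or now >= self._creds["expiration"] - self.margin

    def get(self, now: datetime) -> dict:
        if self.needs_refresh(now):
            self._creds = parse_credentials(self.fetch(self.role_name))
        return self._creds
```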

For enhanced security, the temporary security credentials are automatically rotated for you multiple times per day. If you are developing your application with the AWS SDK, all of this will be completely transparent to your application and you only need to make minor adjustments to your code to get started.

If you previously had something similar to the code below:

import com.amazonaws.auth.*;                 // AWSCredentials, BasicAWSCredentials, AWSCredentialsProvider, STSSessionCredentialsProvider
import com.amazonaws.services.dynamodbv2.*;  // AmazonDynamoDB, AmazonDynamoDBClient

// Long-term access keys shipped with the application (placeholders, not real keys)
AWSCredentials creds = new BasicAWSCredentials("<ACCESS_KEY_ID>", "<SECRET_ACCESS_KEY>");
AWSCredentialsProvider session = new STSSessionCredentialsProvider(creds);
AmazonDynamoDB dynamo = new AmazonDynamoDBClient(session);

With the latest AWS SDK that adds support for IAM roles, you can minimize this code to the following:

// No credentials supplied: the SDK obtains the role's temporary credentials from the instance metadata service
AmazonDynamoDB dynamo = new AmazonDynamoDBClient();

And the AWS SDK takes care of the rest! We have tried to remove as much muck as possible so that you can focus on developing your application. Make sure to visit the Working with Roles section in the Using IAM guide and Using IAM roles with Amazon EC2 Instances in the Amazon EC2 User Guide for additional information about this new and exciting feature.

— Anders