I created an IAM role, but the role doesn't appear in the drop-down list when I launch an instance. What do I do?

Last updated: 2019-04-16

I created a new AWS Identity and Access Management (IAM) role, but I can't find the role in the drop-down list when I launch an instance.

Resolution

The drop-down list includes instance profiles and not IAM roles, but you can add an IAM role to an instance profile. You must choose the instance profile that has the required IAM role added to it.

Follow these steps to create a new IAM role linked to an instance profile, using either the IAM console or the AWS Command Line Interface (AWS CLI). Then, choose the instance profile from the drop-down list when you launch your instance.

Using the IAM console

1.    Open the IAM console.

2.    In the navigation pane, choose Roles, and then choose Create role.

3.    Choose EC2 as the AWS service, select EC2 as your use case, and then choose Next: Permissions.

4.    Choose the Policy name for your use case, choose Next: Tags, and then choose Next: Review.

5.    Enter a Role name, and then choose Create role.

Selecting EC2 as your use case creates a trust relationship for Amazon Elastic Compute Cloud (Amazon EC2). It also creates an instance profile, gives it the same name as the IAM role, and adds the IAM role to that instance profile. If EC2 isn't selected when the IAM role is created, the instance profile and the trust relationship for Amazon EC2 aren't created.

Using the AWS CLI

Important: Before you begin, you must have the AWS CLI installed and configured.

1.    Create a file named Test-Role-Trust-Policy.json and paste the following policy in the file:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2.    Create an IAM role by running the following command:

$ aws iam create-role --role-name Test-Role --assume-role-policy-document file://Test-Role-Trust-Policy.json

3.    Create an instance profile by running the following command:

$ aws iam create-instance-profile --instance-profile-name Webserver

4.    Add an IAM role to the instance profile by running the following command:

$ aws iam add-role-to-instance-profile --role-name Test-Role --instance-profile-name Webserver

To use an existing IAM role with EC2, you must add the EC2 service principal (ec2.amazonaws.com) to the role's existing trust policy. For more information, see Specifying a Principal.

Note: If the IAM roles and instance profiles have different names, you must select the instance profile that has the required IAM role added to it when launching an EC2 instance. The IAM role will not be listed in the drop-down list.
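
The two conditions described above (the role must be added to an instance profile, and its trust policy must name the EC2 service principal) can be checked against AWS CLI output. The following Python is an added example, not part of the original article: it reads JSON shaped like the output of aws iam list-instance-profiles and a trust policy as returned by aws iam get-role --query Role.AssumeRolePolicyDocument. The function names, the Lambda-Role and Empty-Profile names, and the sample data are constructed for illustration.

```python
import json

EC2 = "ec2.amazonaws.com"

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Service.
    return value if isinstance(value, list) else [value]

def ec2_can_assume(trust_policy):
    """True if an Allow statement lets the EC2 service principal assume the role.
    Simplification: Condition blocks and Deny statements are not evaluated."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        # Principal may be a string such as "*"; only an explicit Service entry counts here.
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow" and EC2 in services
                and any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)):
            return True
    return False

def profiles_for_role(profiles_output, role_name):
    """Instance profiles (what the launch drop-down lists) that contain the role."""
    return [p["InstanceProfileName"]
            for p in profiles_output.get("InstanceProfiles", [])
            if any(r["RoleName"] == role_name for r in p.get("Roles", []))]

def diagnose(role_name, trust_policy, profiles_output):
    """Return the fixes still needed; an empty list means the role is launch-ready."""
    fixes = []
    if not profiles_for_role(profiles_output, role_name):
        fixes.append("add the role to an instance profile")
    if not ec2_can_assume(trust_policy):
        fixes.append("add ec2.amazonaws.com to the trust policy")
    return fixes

# Constructed sample shaped like `aws iam list-instance-profiles` output.
SAMPLE_PROFILES = json.loads("""{"InstanceProfiles": [
  {"InstanceProfileName": "Webserver", "Roles": [{"RoleName": "Test-Role"}]},
  {"InstanceProfileName": "Empty-Profile", "Roles": []}]}""")
# Trust policy from step 1 of the CLI procedure, and a constructed Lambda-only one.
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{"Sid": "", "Effect": "Allow",
             "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
                "Principal": {"Service": ["lambda.amazonaws.com"]}, "Action": "sts:AssumeRole"}}

if __name__ == "__main__":
    for role, trust in [("Test-Role", EC2_TRUST), ("Lambda-Role", LAMBDA_TRUST)]:
        print(role, profiles_for_role(SAMPLE_PROFILES, role), diagnose(role, trust, SAMPLE_PROFILES))
```

For Test-Role the result names the Webserver instance profile, which is the entry to pick in the launch drop-down even though its name differs from the role's.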