How do I attach or replace an instance profile on an Amazon EC2 instance?

I want to attach or replace an instance profile on an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Resolution

Follow these instructions to attach or replace an instance profile on an EC2 instance.

Note:

  • You must have permission to launch EC2 instances and permission to pass AWS Identity and Access Management (IAM) roles. For more information, see Permissions required for using roles with Amazon EC2.
  • You can use either the AWS Management Console or the AWS Command Line Interface (AWS CLI) to create the IAM role.
  • If you use the AWS Management Console and choose EC2 as the service, then the instance profile and role names are identical.
  • If you use the AWS CLI to create the IAM role, then you must also use the AWS CLI to create the instance profile. The IAM role name and instance profile name can be different.
  • If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

AWS Management Console

Complete the following steps:

  1. Open the Amazon EC2 console, and then choose Instances.
  2. Select the instance that you want to attach an IAM role to.
  3. Under Details, check the IAM role field to see whether a role is already attached to the instance. If a role is attached, then be sure that changes to the role don't affect your applications or access to AWS services.
    Note: The instance permissions change based on the IAM role that's attached. Applications that run on the instance can be affected.
  4. Choose Actions, Security, and then choose Modify IAM role.
    Note: Amazon EC2 uses an instance profile as a container for an IAM role. For more information, see Instance profiles.
  5. For Choose IAM role, choose the instance profile that you want to attach.
  6. Choose Save.

For more information, see Creating an IAM role (Console).

AWS CLI

Complete the following steps:

  1. Run the create-instance-profile command to create an instance profile:

    $ aws iam create-instance-profile --instance-profile-name EXAMPLEPROFILENAME
    
  2. Run the add-role-to-instance-profile command to add the role to the instance profile:

    $ aws iam add-role-to-instance-profile --instance-profile-name EXAMPLEPROFILENAME --role-name EXAMPLEROLENAME
    
  3. Run the associate-iam-instance-profile command to attach the instance profile to the instance:

    $ aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde
    

    Note: If an instance profile is already associated with the instance, then the associate-iam-instance-profile command fails. To resolve this issue, run the describe-iam-instance-profile-associations command to get the associated instance ID. Then, do one of the following:
    Run the replace-iam-instance-profile-association command to replace the instance profile.
    -or-
    Run the disassociate-iam-instance-profile command to detach the instance profile, and then rerun the associate-iam-instance-profile command.

  4. Run the describe-iam-instance-profile-associations command to verify that the IAM role is attached to the instance:

    $ aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-012345678910abcde
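
The attach-or-replace decision from steps 3 and 4, including the already-associated case in the note, as one shell function. This is an added example, not part of the original article; the function name attach_or_replace_profile is hypothetical, and it assumes the AWS CLI is installed and configured. The replace command takes the AssociationId that describe-iam-instance-profile-associations returns.

```bash
#!/usr/bin/env bash
# Added example: attach an instance profile, or replace the one already attached.
# Usage: attach_or_replace_profile i-012345678910abcde EXAMPLEPROFILENAME
# Prints one of: associated | replaced | unchanged
attach_or_replace_profile() {
  local instance_id profile_name current assoc_id arn
  instance_id="$1"
  profile_name="$2"

  # Text output is "<AssociationId><TAB><profile ARN>", or "None" when no
  # profile is currently associated with the instance.
  current=$(aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=${instance_id}" \
    --query 'IamInstanceProfileAssociations[?State==`associated`] | [0].[AssociationId, IamInstanceProfile.Arn]' \
    --output text) || return 1
  assoc_id=$(printf '%s\n' "$current" | cut -f1)
  arn=$(printf '%s\n' "$current" | cut -f2)

  if [ -z "$assoc_id" ] || [ "$assoc_id" = "None" ]; then
    # Nothing attached yet: a plain associate call succeeds.
    aws ec2 associate-iam-instance-profile \
      --instance-id "$instance_id" \
      --iam-instance-profile "Name=${profile_name}" >/dev/null || return 1
    echo "associated"
  elif [ "${arn##*/}" = "$profile_name" ]; then
    # The requested profile is already attached: leave permissions untouched.
    echo "unchanged"
  else
    # Record the profile being swapped out, because the instance's
    # permissions change as soon as the replacement takes effect.
    echo "replacing ${arn} on ${instance_id}" >&2
    aws ec2 replace-iam-instance-profile-association \
      --association-id "$assoc_id" \
      --iam-instance-profile "Name=${profile_name}" >/dev/null || return 1
    echo "replaced"
  fi
}
```

The line written to stderr gives you the previous profile ARN, which is what you need to roll the change back.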

Related information

Using an IAM role to grant permissions to applications running on Amazon EC2 instances

Using instance profiles

Troubleshooting IAM and Amazon EC2