IAM Instance Profiles
Overview
When an EC2 instance is launched, you can give it a set of permissions using the AWS Identity and Access Management (IAM) instance profile. It enables the instance to use the permissions granted to the instance profile to access other required AWS resources like Amazon S3, Secrets Manager, etc. In this article, we will learn about creating and managing an AWS IAM instance profile.
What are IAM Instance Profiles?
An IAM instance profile is a way to grant access to resources that your EC2 instances require. An IAM instance profile can be chosen to be applied to an EC2 instance when it is launched. As a result, the instance can access AWS resources linked to its IAM instance profile. As an example, you could create an IAM instance profile with access rights to an S3 bucket and use that profile to launch an EC2 instance. Using the IAM instance profile's permissions, the EC2 instance would then be able to access the S3 bucket. This provides a simple and secure method of granting EC2 instance access to particular AWS resources without requiring us to manually manage the EC2 instance's associated credentials.
Steps to create IAM Instance Profile
The following steps highlight how to create an AWS IAM instance profile using the AWS CLI.
- Use the AWS CLI to run the following command to create an IAM role for the instance profile:
Replace "trust-policy.json" with the file containing the trust policy for the role. The trust policy determines which entities are allowed to assume the role. Example:
- To create an IAM policy that grants access to the resources that the instance will use, execute the command below:
Change "permissions-policy.json" with the file containing the policy's permissions policy. The actions that a role is permitted to take on resources are determined by the permissions policy.
- Attach the policy to the role by running the following command:
The policy ARN can be found in the output of the create-policy command. 4. Run the following command to create the instance profile:
- Run the following command to add the role to the instance profile:
The above steps will create an AWS IAM instance profile that can be attached to an EC2 instance during launch.
Managing Instance Profiles
Console
The AWS management console automatically creates an instance profile for the IAM role with the same name as the IAM role for the roles that are associated with the EC2 instances. There are no manual steps required to create an AWS IAM instance profile using the AWS console.
CLI
The following commands can be used to manage the AWS IAM instance profiles using the AWS CLI:
- Delete an instance profile
- To get information about an instance profile.
- To see a list of all the instance profiles in your AWS account:
- To remove a role from an instance profile:
API
The following commands can be used to manage the AWS IAM instance profiles using the AWS API using any available AWS SDK:
- CreateInstanceProfile:
Creates a new instance profile. - DeleteInstanceProfile:
Deletes an instance profile. - GetInstanceProfile:
Retrieves information about an instance profile - ListInstanceProfiles:
Lists all the instance profiles. - AddRoleToInstanceProfile:
Adds a role to an instance profile. - RemoveRoleFromInstanceProfile:
Removes a role from an instance profile.
Conclusion
- The AWS Identity and Access Management (IAM) instance profile is a useful tool for allowing individual EC2 instances to access certain AWS resources.
- This provides a secure way to allow an EC2 instance to access specific AWS resources without requiring you to manually manage credentials associated with the instance.
- It also means you don't need to manually manage each instance's associated credentials.
- For roles that are linked to EC2 instances, the AWS management console automatically creates an instance profile for the IAM role with the same name as the IAM role.
- Using the AWS console, an AWS IAM instance profile can be created automatically.
- The AWS IAM instance profiles can also be created and managed using the AWS CLI and API.