How do I attach or replace an instance profile on an Amazon Elastic Compute Cloud (Amazon EC2) instance?
Resolution
Follow these instructions to attach or replace an instance profile on an EC2 instance.
Note:
- If you created the AWS Identity and Access Management (IAM) role using the AWS Management Console and choose EC2 as the AWS service, then the instance profile and role names are the same.
- If you created the IAM role using the AWS Command Line Interface (AWS CLI), then you must also create the instance profile using the AWS CLI. The IAM role name and instance profile name can be different.
- If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.
- You must have permission to launch EC2 instances and permission to pass IAM roles. For more information, see Permissions required for using roles with Amazon EC2.
AWS Management Console
- Open the Amazon EC2 console, and then choose Instances.
- Choose the instance that you want to attach an IAM role to.
- Check the IAM role under the Details pane to confirm if an IAM role is attached to the Amazon EC2 instance. If an IAM role is attached, then be sure that changing the role attached to this Amazon EC2 instance doesn't affect your applications or access to AWS services. Note: The EC2 instance permissions change based on the IAM role attached, and applications running on the instance can be affected.
- Choose Actions, Security, and then choose Modify IAM role.
Note: Amazon EC2 uses an instance profile as a container for an IAM role. For more information, see Instance profiles.
- In the Choose IAM role dropdown list, choose the instance profile that you want to attach.
- Choose Save.
For more information, see Creating an IAM role (Console).
AWS Command Line Interface (AWS CLI)
Add the role to an instance profile before attaching the instance profile to the EC2 instance.
1. If you haven't already created an instance profile, then run the following AWS CLI command:
aws iam create-instance-profile --instance-profile-name EXAMPLEPROFILENAME
2. Run the following AWS CLI command to add the role to the instance profile:
$ aws iam add-role-to-instance-profile --instance-profile-name EXAMPLEPROFILENAME --role-name EXAMPLEROLENAME
3. Run the following AWS CLI command to attach the instance profile to the EC2 instance:
$ aws ec2 associate-iam-instance-profile --iam-instance-profile Name=EXAMPLEPROFILENAME --instance-id i-012345678910abcde
Note: If you have an instance profile associated with the EC2 instance, then the associate-iam-instance-profile command fails. To resolve this issue, run the describe-iam-instance-profile-associations command to get the associated instance ID. Then, do one of the following:
Run the replace-iam-instance-profile-association command to replace the instance profile.
-or-
Run the disassociate-iam-instance-profile command to detach the instance profile, and then rerun the associate-iam-instance-profile command.
4. Run the following AWS CLI command to verify that the IAM role is attached to the instance:
$ aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-012345678910abcde
Related information
Using an IAM role to grant permissions to applications running on Amazon EC2 instances
Using instance profiles
Troubleshooting IAM and Amazon EC2