Okay. I also faced the same issue and the issue seems to be the below,
Previously when I create IAM Role from the Console by selecting EC2 or ECS, IAM will create both IAM role and an IAM instance profile. Now ( After new IAM Console, may be from Jan 2022), when I create IAM Role from the Console, it is only creating the IAM role and not the instance profile.
I did below from CLI, to overcome this,
aws iam create-instance-profile --instance-profile-name ecsInstanceRole --profile <my_profile>
aws iam add-role-to-instance-profile --instance-profile-name ecsInstanceRole --role-name ecsInstanceRole --profile <my_profile>
Does your role have an EC2 service principal listed within the trust policy?
Hi, good question.
There are a few components that will need to be configured for an EC2 to use IAM.
- The proper permissions via IAM Policies (like the 2 Managed Policies you have).
- The proper trust relationship for what can use the IAM Role (See Role Trust Policy). This is not a Managed Policy. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html. This will need to trust ec2.amazonaws.com
- Lastly, if you're using EC2, an IAM Instance Profile as well. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html for how to manage Instance Profiles.
Some of these steps don't need to be via CLI - there are instructions for how to do the steps above via console as well.
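To tie the two answers above together (the CLI steps that create the instance profile, and the trust-policy check), here is an added example that is not from the thread or from AWS: it takes the `AssumeRolePolicyDocument` returned by `aws iam get-role` and the list returned by `aws iam list-instance-profiles-for-role`, reports whether ec2.amazonaws.com is trusted, and lists the `aws iam` commands still needed. The sample policy is constructed to mirror the role in this thread that trusted only ssm.amazonaws.com.

```python
"""Check an IAM role for EC2 use: trust policy + instance profile (added example)."""
import copy
import json

EC2 = "ec2.amazonaws.com"


def _as_list(v):
    """IAM allows a string or a list in Statement / Action / Principal.Service."""
    return v if isinstance(v, list) else [v]


def trusts_ec2(trust_policy):
    """True if an Allow statement lets the EC2 service principal call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant trust
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if EC2 in services:
            return True
    return False


def with_ec2_trust(trust_policy):
    """Copy of the policy plus a statement trusting EC2; existing statements
    (e.g. the ssm.amazonaws.com trust from the thread) are left untouched."""
    fixed = copy.deepcopy(trust_policy)
    if trusts_ec2(fixed):
        return fixed
    fixed.setdefault("Version", "2012-10-17")
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        {"Effect": "Allow", "Principal": {"Service": EC2}, "Action": "sts:AssumeRole"}]
    return fixed


def remediation(role_name, trust_policy, instance_profiles):
    """The aws iam commands needed so the role appears in the EC2 launch wizard:
    an EC2 trust and at least one instance profile (named after the role here)."""
    cmds = []
    if not trusts_ec2(trust_policy):
        doc = json.dumps(with_ec2_trust(trust_policy), separators=(",", ":"))
        cmds.append(f"aws iam update-assume-role-policy --role-name {role_name} "
                    f"--policy-document '{doc}'")
    if not instance_profiles:  # empty result from list-instance-profiles-for-role
        cmds.append(f"aws iam create-instance-profile --instance-profile-name {role_name}")
        cmds.append(f"aws iam add-role-to-instance-profile --instance-profile-name "
                    f"{role_name} --role-name {role_name}")
    return cmds


SSM_ONLY = {"Version": "2012-10-17", "Statement": [{  # constructed sample
    "Effect": "Allow", "Principal": {"Service": "ssm.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print("\n".join(remediation("ecsInstanceRole", SSM_ONLY, [])))
```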
Thanks, think I got the trust relationship correct by replacing ssm.amazonaws.com with ec2.amazonaws.com, but the steps relating to instance profile are just well beyond me! Surely it can be done by console? Since I haven't even created the EC2 instance yet (won't go past selection of IAM role), perhaps I can start again so that it creates an instance as well with the same name? Not sure why it didn't do this anyway?
After endlessly going round in circles, I followed this guide: https://aws-labs.net/winlab0-buildinfra/adminad.html It does not require any IAM instance profile and the trick seems to be the "name" of the role. Very silly, but using the name they use works! Thanks for your help, I just felt it could not be so complicated!
WTF, the last hint by msutherland25 also helped in my case. The role did finally show up in the console after I chose a role name that ends with 'EC2'... Is this a feature or a bug??
Thanks, I already looked at this link which just gets even more complicated with command line stuff! Surely it is possible to assign the correct managed policies without resorting to command line? It says that you must assign two specific managed policies but gives no clue as to what other managed policies are needed? I am just trying to create a windows server EC2 that can be attached to the AWS Active Directory domain so that I can then manage groups and users. Must it be so complicated? Thanks
Look at the Trust Relationships tab on your role. Does it list ec2 as an identity provider?
I have followed this link: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html but it just doesn't work! It is my AWS account and I'm logged-in with full permissions. It only says to add these two managed policies?
Rob, under Trust Relationships it has "Trusted entities: The identity provider(s) ssm.amazonaws.com"