Instance identity roles - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Instance identity roles

Each instance that you launch has an instance identity role that represents its identity. An instance identity role is a type of IAM role. Amazon services and features that are integrated with the instance identity role can use it to identify the instance to the service.

The instance identity role credentials are accessible from the Instance Metadata Service (IMDS) at /identity-credentials/ec2/security-credentials/ec2-instance, under the metadata root (http://169.254.169.254/latest/meta-data/). If the instance requires IMDSv2, the request must carry an IMDSv2 session token like any other metadata request. The credentials consist of an Amazon temporary access key pair and a session token. They are used to sign Amazon SigV4 requests to the Amazon services that use the instance identity role. The credentials are present in the instance metadata regardless of whether a service or feature that makes use of instance identity roles is enabled on the instance, so any process on the instance that can reach IMDS can read them.

Instance identity roles are automatically created when an instance is launched, have no role-trust policy document, and are not subject to any identity or resource policy.

Supported services

The following Amazon services use the instance identity role:

  • Amazon EC2 – EC2 Instance Connect uses the instance identity role to update the host keys for a Linux instance.

  • Amazon GuardDuty – Runtime Monitoring uses the instance identity role to allow the runtime agent to send security telemetry to the GuardDuty VPC endpoint.

  • Amazon Security Token Service (Amazon STS) – Instance identity role credentials can be used with the Amazon STS GetCallerIdentity action.

  • Amazon Systems Manager – When using Default Host Management Configuration, Amazon Systems Manager uses the identity provided by the instance identity role to register EC2 instances. After identifying your instance, Systems Manager can pass your AWSSystemsManagerDefaultEC2InstanceManagementRole IAM role to your instance.

Instance identity roles can't be used with any other Amazon service or feature: because the role carries no IAM policy, only services that have built an integration with instance identity roles accept its credentials.

Instance identity role ARN

The instance identity role ARN takes the following format:

arn:aws-partition:iam::account-number:assumed-role/aws:ec2-instance/instance-id

For example:

arn:aws:iam::123456789012:assumed-role/aws:ec2-instance/i-0123456789example

For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide.
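The following script ties the three parts of this page together: it reads the instance identity role credentials from IMDS (with an IMDSv2 token), signs an STS GetCallerIdentity request with them using SigV4, and checks that the ARN STS returns has the instance identity role shape shown above. It is an added example, not code from the Amazon documentation. Assumptions: the credential document uses the same JSON key names (AccessKeyId, SecretAccessKey, Token, Expiration) as instance-profile credentials under IMDS; GetCallerIdentity reports the principal as an sts assumed-role ARN, so the check accepts "sts" as well as the "iam" form shown on this page; the region and STS endpoint (cn-north-1, sts.cn-north-1.amazonaws.com.cn) are placeholders; the sample credential document and STS response are constructed, not captured from a real instance.

```python
"""Added example: IMDSv2 -> instance identity role creds -> SigV4 GetCallerIdentity -> ARN check."""
import datetime as dt
import hashlib
import hmac
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

IMDS = "http://169.254.169.254"
# Credential path from this page, under the /latest/meta-data/ root.
CRED_PATH = "/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"
# ARN format from this page. "sts" is accepted alongside "iam" because
# GetCallerIdentity reports assumed-role principals as sts ARNs (assumption).
IDENTITY_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):(?:iam|sts)::(?P<account>\d{12})"
    r":assumed-role/aws:ec2-instance/(?P<instance_id>i-[0-9a-f]{8,17})$")

def imds_token(ttl_seconds=300):
    """IMDSv2 session token; required when the instance enforces IMDSv2."""
    req = urllib.request.Request(
        IMDS + "/latest/api/token", method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()

def fetch_instance_identity_credentials(token):
    """Read and parse the instance identity role credential document."""
    req = urllib.request.Request(
        IMDS + CRED_PATH, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return parse_credentials(resp.read().decode())

def parse_credentials(body):
    """Pull the temporary key pair and session token out of the IMDS JSON.
    Key names are assumed to match the instance-profile credential document."""
    doc = json.loads(body)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token") if k not in doc]
    if missing:
        raise ValueError(f"credential document missing {missing}")
    return {k: doc.get(k) for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get_caller_identity(creds, region, host, now=None):
    """Return (headers, body) for a SigV4-signed POST of GetCallerIdentity to the STS host."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    body = "Action=GetCallerIdentity&Version=2011-06-15"
    headers = {  # the session token is signed along with the other headers
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host, "x-amz-date": amz_date, "x-amz-security-token": creds["Token"]}
    signed = ";".join(sorted(headers))
    canonical = "\n".join(["POST", "/", "",
                           "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date}/{region}/sts/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["SecretAccessKey"]).encode()
    for part in (date, region, "sts", "aws4_request"):
        key = _hmac(key, part)  # derive the scoped signing key
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers, body

def caller_arn_from_response(xml_text):
    """Extract <Arn> from a GetCallerIdentity response, ignoring the XML namespace."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "Arn":
            return el.text
    raise ValueError("no Arn element in STS response")

def parse_instance_identity_arn(arn):
    """partition/account/instance_id if arn is an instance identity role ARN, else None."""
    m = IDENTITY_ARN.match(arn)
    return m.groupdict() if m else None

def get_caller_identity(creds, region, host):
    """Live call: who does STS say these credentials are?"""
    headers, body = sign_get_caller_identity(creds, region, host)
    req = urllib.request.Request(f"https://{host}/", data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return caller_arn_from_response(resp.read().decode())

# Constructed sample documents (not captured from a real instance).
SAMPLE_CREDENTIAL_DOC = json.dumps({
    "Code": "Success", "Type": "AWS-HMAC", "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Token": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN", "Expiration": "2024-01-02T18:00:00Z"})
SAMPLE_STS_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetCallerIdentityResult><Arn>arn:aws:sts::123456789012:assumed-role/aws:ec2-instance/i-0abc1234def567890</Arn>
<UserId>AROAEXAMPLE:i-0abc1234def567890</UserId><Account>123456789012</Account>
</GetCallerIdentityResult></GetCallerIdentityResponse>"""
```

On an instance, run `parse_instance_identity_arn(get_caller_identity(fetch_instance_identity_credentials(imds_token()), region, host))`; a result of None means the credentials belong to an ordinary instance profile (assumed-role/RoleName/session) or another principal, not to the instance identity role. Off the instance, the same functions run against the constructed samples. Note that signing succeeds for any credentials; only the STS reply tells you whose they are.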