Instance identity roles - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Instance identity roles

Each instance that you launch has an instance identity role that represents its identity. An instance identity role is a type of IAM role. Amazon services and features that are integrated to use the instance identity role can use it to identify the instance to the service.

The instance identity role credentials are accessible from the Instance Metadata Service (IMDS) at /identity-credentials/ec2/security-credentials/ec2-instance. The credentials consist of an Amazon temporary access key pair and a session token. They are used to sign Amazon Sigv4 requests to the Amazon services that use the instance identity role. The credentials are present in the instance metadata regardless of whether a service or feature that makes use of instance identity roles is enabled on the instance.

Instance identity roles are automatically created when an instance is launched, have no role-trust policy document, and are not subject to any identity or resource policy.

Supported services

The following Amazon services use the instance identity role:

  • Amazon EC2EC2 Instance Connect uses the instance identity role to update the host keys for a Linux instance.

  • Amazon GuardDutyRuntime Monitoring uses the instance identity role to allow the runtime agent to send security telemetry to the GuardDuty VPC endpoint.

  • Amazon Security Token Service (Amazon STS) – Instance identity role credentials can be used with the Amazon STS GetCallerIdentity action.

  • Amazon Systems Manager – When using Default Host Management Configuration, Amazon Systems Manager uses the identity provided by the instance identity role to register EC2 instances. After identifying your instance, Systems Manager can pass your AWSSystemsManagerDefaultEC2InstanceManagementRole IAM role to your instance.

Instance identity roles can’t be used with other Amazon services or features because they do not have an integration with instance identity roles.

Instance identity role ARN

The instance identity role ARN takes the following format:


For example:


For more information about ARNs, see Amazon Resource Names (ARNs) in the IAM User Guide.