IAM role for applications that run on Amazon EC2 instances
Applications that run on Amazon EC2 instances need credentials to access other Amazon Web Services services. To provide these credentials in a secure way, use an IAM role. The role supplies temporary permissions that the application can use when it accesses other Amazon resources. The role's permissions determine what the application is allowed to do.
For instances in an Auto Scaling group, you must create a launch template or launch configuration and choose an instance profile to associate with the instances. An instance profile is a container for an IAM role that allows Amazon EC2 to pass the IAM role to an instance when the instance is launched. First, create an IAM role that has all of the permissions required to access the Amazon resources. Then, create the instance profile and assign the role to it.
Note
As a best practice, we strongly recommend that you create the role so that it has the minimum permissions to other Amazon Web Services services that your application requires.
Prerequisites
Create the IAM role that your application running on Amazon EC2 can assume. Choose the appropriate permissions so that the application that is subsequently given the role can make the specific API calls that it needs.
If you use the IAM console instead of the Amazon CLI or one of the Amazon SDKs, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds.
To create an IAM role (console)
- Open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane on the left, choose Roles.
- Choose Create role.
- For Select trusted entity, choose Amazon service.
- For your use case, choose EC2 and then choose Next.
- If possible, select the policy to use for the permissions policy or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies in the IAM User Guide. After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want the service to have.
- (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.
- Choose Next.
- On the Name, review, and create page, for Role name, enter a role name to help you identify the purpose of this role. This name must be unique within your Amazon Web Services account. Because other Amazon resources might reference the role, you can't edit the name of the role after it has been created.
- Review the role, and then choose Create role.
IAM permissions
Use an IAM identity-based policy to control access to your new IAM role.
The iam:PassRole permission is needed on the IAM identity (user or role) that creates or updates an Auto Scaling group using a launch template that specifies an instance profile.
The following example policy grants permissions to pass only IAM roles whose name begins with qateam-.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::account-id:role/qateam-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn"
          ]
        }
      }
    }
  ]
}
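To see what the policy above actually permits, here is an added example (not from the AWS documentation) that evaluates a few iam:PassRole requests against it using a simplified subset of IAM policy logic: action and resource wildcard matching, a StringEquals condition with list values, and default deny. The account ID 123456789012 and the role names are constructed placeholders; real IAM evaluation also takes service control policies, permissions boundaries and resource policies into account.

```python
import fnmatch
import json

# The iam:PassRole policy from this page; the account ID is a constructed placeholder.
PASS_ROLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws-cn:iam::123456789012:role/qateam-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"]
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _string_equals(condition, context):
    """Every key in a StringEquals block must equal one of its listed values."""
    return all(context.get(key) in _as_list(allowed) for key, allowed in condition.items())


def is_pass_role_allowed(policy, role_arn, passed_to_service):
    """Simplified evaluation: an explicit Deny wins, then any matching Allow, else deny."""
    context = {"iam:PassedToService": passed_to_service}
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase("iam:PassRole", a) for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))
        cond_ok = _string_equals(stmt.get("Condition", {}).get("StringEquals", {}), context)
        if not (action_ok and resource_ok and cond_ok):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for arn, svc in [("arn:aws-cn:iam::123456789012:role/qateam-web", "ec2.amazonaws.com.cn"),
                     ("arn:aws-cn:iam::123456789012:role/admin", "ec2.amazonaws.com.cn"),
                     ("arn:aws-cn:iam::123456789012:role/qateam-web", "lambda.amazonaws.com")]:
        print(arn, "->", svc, "allowed" if is_pass_role_allowed(PASS_ROLE_POLICY, arn, svc) else "denied")
```

The second and third requests are denied because the role name does not start with qateam- and because the role is being passed to a service other than EC2, which is exactly the scoping the Resource and Condition elements provide.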
Important
For information about how Amazon EC2 Auto Scaling validates permissions for the iam:PassRole action for an Auto Scaling group that uses a launch template, see Permissions validation for ec2:RunInstances and iam:PassRole.
Create a launch template
When you create the launch template using the Amazon Web Services Management Console, in the Advanced details section, select the role from IAM instance profile. For more information, see Create a launch template using advanced settings.
When you create the launch template using the create-launch-template command from the Amazon CLI, specify the instance profile name of your IAM role as shown in the following example.
aws ec2 create-launch-template --launch-template-name my-lt-with-instance-profile --version-description version1 \
  --launch-template-data '{"ImageId":"ami-04d5cc9b88example","InstanceType":"t2.micro","IamInstanceProfile":{"Name":"my-instance-profile"}}'
See also
For more information to help you start learning about and using IAM roles for Amazon EC2, see:
- IAM roles for Amazon EC2 in the Amazon EC2 User Guide
- Using instance profiles and Using an IAM role to grant permissions to applications running on Amazon EC2 instances in the IAM User Guide