IAM role for applications that run on Amazon EC2 instances - Amazon EC2 Auto Scaling
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM role for applications that run on Amazon EC2 instances

Applications that run on Amazon EC2 instances need credentials to access other Amazon Web Services services. To provide these credentials in a secure way, use an IAM role. The role supplies temporary permissions that the application can use when it accesses other Amazon resources. The role's permissions determine what the application is allowed to do.

For instances in an Auto Scaling group, you must create a launch template or launch configuration and choose an instance profile to associate with the instances. An instance profile is a container for an IAM role that allows Amazon EC2 to pass the IAM role to an instance when the instance is launched. First, create an IAM role that has all of the permissions required to access the Amazon resources. Then, create the instance profile and assign the role to it.

Note

As a best practice, we strongly recommend that you create the role so that it has the minimum permissions to other Amazon Web Services services that your application requires.

Prerequisites

Create the IAM role that your application running on Amazon EC2 can assume. Choose the appropriate permissions so that the application that is subsequently given the role can make the specific API calls that it needs.

If you use the IAM console instead of the Amazon CLI or one of the Amazon SDKs, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds.

To create an IAM role (console)
  1. Open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane on the left, choose Roles.

  3. Choose Create role.

  4. For Select trusted entity, choose Amazon service.

  5. For your use case, choose EC2 and then choose Next.

  6. If possible, select the policy to use for the permissions policy or choose Create policy to open a new browser tab and create a new policy from scratch. For more information, see Creating IAM policies in the IAM User Guide. After you create the policy, close that tab and return to your original tab. Select the check box next to the permissions policies that you want the service to have.

  7. (Optional) Set a permissions boundary. This is an advanced feature that is available for service roles. For more information, see Permissions boundaries for IAM entities in the IAM User Guide.

  8. Choose Next.

  9. On the Name, review, and create page, for Role name, enter a role name to help you identify the purpose of this role. This name must be unique within your Amazon Web Services account. Because other Amazon resources might reference the role, you can't edit the name of the role after it has been created.

  10. Review the role, and then choose Create role.

IAM permissions

Use an IAM identity-based policy to control access to your new IAM role. The iam:PassRole permission is needed on the IAM identity (user or role) that creates or updates an Auto Scaling group using a launch template that specifies an instance profile.

The following example policy grants permissions to pass only IAM roles whose name begins with qateam-.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws-cn:iam::account-id:role/qateam-*", "Condition": { "StringEquals": { "iam:PassedToService": [ "ec2.amazonaws.com", "ec2.amazonaws.com.cn" ] } } } ] }
Important

For information about how Amazon EC2 Auto Scaling validates permissions for the iam:PassRole action for an Auto Scaling group that uses a launch template, see Permissions validation for ec2:RunInstances and iam:PassRole.

Create a launch template

When you create the launch template using the Amazon Web Services Management Console, in the Advanced details section, select the role from IAM instance profile. For more information, see Create a launch template using advanced settings.

When you create the launch template using the create-launch-template command from the Amazon CLI, specify the instance profile name of your IAM role as shown in the following example.

aws ec2 create-launch-template --launch-template-name my-lt-with-instance-profile --version-description version1 \ --launch-template-data '{"ImageId":"ami-04d5cc9b88example","InstanceType":"t2.micro","IamInstanceProfile":{"Name":"my-instance-profile"}}'

See also

For more information to help you start learning about and using IAM roles for Amazon EC2, see: