Using Amazon EC2 instance metadata as credentials in the Amazon CLI - Amazon Command Line Interface

This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.

When you run the Amazon CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the Amazon CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the Amazon CLI automatically and securely retrieves the credentials from the instance metadata.

To disable this service, use the AWS_EC2_METADATA_DISABLED environment variable.

Prerequisites

To use Amazon EC2 credentials with the Amazon CLI, you need to complete the following:

Configuring a profile for Amazon EC2 metadata

To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions.

    [profile profilename]
    role_arn = arn:aws-cn:iam::123456789012:role/rolename
    credential_source = Ec2InstanceMetadata
    region = region

  1. Create a profile in your configuration file.

    [profile profilename]
  2. Add the ARN of the IAM role that has access to the resources needed.

    role_arn = arn:aws-cn:iam::123456789012:role/rolename
  3. Specify Ec2InstanceMetadata as your credential source.

    credential_source = Ec2InstanceMetadata
  4. Set your Region.

    region = region

Example

The following example assumes the marketingadminrole role and uses the us-west-2 Region in an Amazon EC2 instance profile named marketingadmin.

    [profile marketingadmin]
    role_arn = arn:aws-cn:iam::123456789012:role/marketingadminrole
    credential_source = Ec2InstanceMetadata
    region = us-west-2
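
As an added example (not part of the original documentation), the following Python check lints a CLI configuration file for the profile settings described in the steps above. The function name, the finding texts, and the `typo` and `leftover` profiles are constructed for illustration; the check that `credential_source` and `source_profile` are not combined reflects the CLI's documented rule that the two are mutually exclusive.

```python
import configparser
import re

# Values the CLI documents for credential_source.
VALID_SOURCES = {"Environment", "Ec2InstanceMetadata", "EcsContainer"}
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")

def lint_profiles(config_text):
    """Return {profile: [findings]} for every profile that assumes a role."""
    parser = configparser.RawConfigParser()
    parser.read_string(config_text)
    report = {}
    for section in parser.sections():
        opts = dict(parser.items(section))
        arn, source = opts.get("role_arn"), opts.get("credential_source")
        if arn is None and source is None:
            continue  # plain profile, nothing to check
        findings = []
        if arn is None or not ROLE_ARN.match(arn):
            findings.append("role_arn missing or not an IAM role ARN")
        if source is not None and source not in VALID_SOURCES:
            findings.append(f"unknown credential_source {source!r}")
        if source is not None and "source_profile" in opts:
            findings.append("credential_source and source_profile both set")
        if source == "Ec2InstanceMetadata" and "aws_access_key_id" in opts:
            findings.append("long-term key stored next to instance metadata source")
        report[section.removeprefix("profile ")] = findings
    return report

# Constructed sample: the page's example plus two deliberately broken profiles.
SAMPLE = """\
[profile marketingadmin]
role_arn = arn:aws-cn:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata
region = us-west-2

[profile typo]
role_arn = arn:aws-cn:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetaData
source_profile = default

[profile leftover]
role_arn = arn:aws-cn:iam::123456789012:user/someone
credential_source = Ec2InstanceMetadata
aws_access_key_id = CONSTRUCTED-PLACEHOLDER
"""

if __name__ == "__main__":
    print(lint_profiles(SAMPLE))
```

The value of `credential_source` is case-sensitive, which is why the `typo` profile is flagged.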