This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Using Amazon EC2 instance metadata as credentials in the Amazon CLI
When you run the Amazon CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the Amazon CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the Amazon CLI automatically and securely retrieves the credentials from the instance metadata.
To disable this service, use the AWS_EC2_METADATA_DISABLED environment variable.
Prerequisites
To use Amazon EC2 credentials with the Amazon CLI, you need to complete the following:
-
Install and configure the Amazon CLI. For more information, see Installing, updating, and uninstalling the Amazon CLI and Authentication and access credentials for the Amazon CLI.
-
You understand configuration files and named profiles. For more information, see Configuration and credential file settings in the Amazon CLI.
-
You've created an Amazon Identity and Access Management (IAM) role that has access to the resources needed, and attached that role to the Amazon EC2 instance when you launch it. For more information, see IAM policies for Amazon EC2 in the Amazon EC2 User Guide and Granting Applications That Run on Amazon EC2 Instances Access to Amazon Resources in the IAM User Guide.
Configuring a profile for Amazon EC2 metadata
To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions.
[profile
profilename
] role_arn =arn:aws-cn:iam::123456789012:role/rolename
credential_source = Ec2InstanceMetadata region =region
-
Create a profile in your configuration file.
[profile
profilename
] -
Add your IAM arn role that has access to the resources needed.
role_arn =
arn:aws-cn:iam::123456789012:role/rolename
-
Specify
Ec2InstanceMetadata
as your credential source.credential_source = Ec2InstanceMetadata
-
Set your Region.
region =
region
Example
The following example assumes the
role and uses the
marketingadminrole
Region in an Amazon EC2 instance
profile named us-west-2
.marketingadmin
[profile
marketingadmin
] role_arn =arn:aws-cn:iam::123456789012:role/marketingadminrole
credential_source = Ec2InstanceMetadata region =us-west-2