**This documentation is for Version 1 of the Amazon CLI only.**

We announced the upcoming end-of-support for the Amazon CLI version 1. We recommend that you migrate to the Amazon CLI version 2. For dates, additional details, and information on how to migrate, see the [announcement](https://amazonaws-china.com/blogs/developer/cli-v1-maintenance-mode-announcement/). For documentation related to Version 2 of the Amazon CLI, see the [Version 2 User Guide](https://docs.amazonaws.cn/cli/latest/userguide/).

# Using Amazon EC2 instance metadata as credentials in the Amazon CLI
<a name="cli-configure-metadata"></a>

When you run the Amazon CLI from within an Amazon Elastic Compute Cloud (Amazon EC2) instance, you can simplify providing credentials to your commands. Each Amazon EC2 instance contains metadata that the Amazon CLI can directly query for temporary credentials. When an IAM role is attached to the instance, the Amazon CLI automatically and securely retrieves the credentials from the instance metadata. 

To disable this service, use the [AWS\_EC2\_METADATA\_DISABLED](cli-configure-envvars.md#envvars-list-AWS_EC2_METADATA_DISABLED) environment variable.

**Topics**
+ [Prerequisites](#cli-configure-metadata-prereqs)
+ [Configuring a profile for Amazon EC2 metadata](#cli-configure-metadata-configure)

## Prerequisites
<a name="cli-configure-metadata-prereqs"></a>

To use Amazon EC2 credentials with the Amazon CLI, you need to complete the following:
+ Install and configure the Amazon CLI. For more information, see [Installing, updating, and uninstalling the Amazon CLI](cli-chap-install.md) and [Authentication and access credentials for the Amazon CLI](cli-chap-authentication.md).
+ You understand configuration files and named profiles. For more information, see [Configuration and credential file settings in the Amazon CLI](cli-configure-files.md). 
+ You've created an Amazon Identity and Access Management (IAM) role that has access to the resources needed, and attached that role to the Amazon EC2 instance when you launch it. For more information, see [IAM policies for Amazon EC2](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html) in the *Amazon EC2 User Guide* and [Granting Applications That Run on Amazon EC2 Instances Access to Amazon Resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/role-usecase-ec2app.html) in the *IAM User Guide*.

## Configuring a profile for Amazon EC2 metadata
<a name="cli-configure-metadata-configure"></a>

To specify that you want to use the credentials available in the hosting Amazon EC2 instance profile, use the following syntax in the named profile in your configuration file. See the following steps for more instructions. 

```
[profile {{profilename}}]
role_arn = {{arn:aws-cn:iam::123456789012:role/rolename}}
credential_source = Ec2InstanceMetadata
region = {{region}}
```

1. Create a profile in your configuration file.

   ```
   [profile {{profilename}}]
   ```

1. Add your IAM arn role that has access to the resources needed.

   ```
   role_arn = {{arn:aws-cn:iam::123456789012:role/rolename}}
   ```

1. Specify `Ec2InstanceMetadata` as your credential source.

   ```
   credential_source = Ec2InstanceMetadata
   ```

1. Set your Region.

   ```
   region = {{region}}
   ```

**Example**

The following example assumes the {{`marketingadminrole`}} role and uses the `{{us-west-2}}` Region in an Amazon EC2 instance profile named `{{marketingadmin}}`.

```
[profile {{marketingadmin}}]
role_arn = {{arn:aws-cn:iam::123456789012:role/marketingadminrole}}
credential_source = Ec2InstanceMetadata
region = {{us-west-2}}
```