Using IAM roles for Amazon EC2 instances - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM roles for Amazon EC2 instances

This example covers setting up an Amazon Identity and Access Management role with Amazon S3 access to use in your application deployed to an Amazon EC2 instance.

To run your Amazon SDK application on an Amazon Elastic Compute Cloud instance, create an IAM role and then give your Amazon EC2 instance access to that role. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide.

Create an IAM role

The Amazon SDK application that you develop likely accesses at least one Amazon Web Service to perform actions. Create an IAM role that grants the required permissions necessary for your application to run.

This procedure creates a role that grants read-only access to Amazon S3 as an example. Many of the Amazon SDK guides have "getting started" tutorials that read from Amazon S3.

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, select Roles, then select Create role.

  3. For Select trusted entity, under Trusted entity type, choose Amazon Web Service.

  4. Under Use case, choose Amazon EC2, then select Next.

  5. For Add permissions, select the checkbox for Amazon S3 Read Only Access from the policy list, then select Next.

  6. Enter a name for the role, then select Create role. Remember this name because you'll need it when you create your Amazon EC2 instance.

Launch an Amazon EC2 instance and specify your IAM role

You can create and launch an Amazon EC2 instance using your IAM role by doing the following:

  • Follow Quickly launch an instance in the Amazon EC2 User Guide. However, prior to the final submission step, also do the following:

    • Under Advanced details, for IAM Instance profile, choose the role that you created in the previous step.

With this IAM and Amazon EC2 setup, you can deploy your application to the Amazon EC2 instance and your application will have read access to the Amazon S3 service.

Connect to the EC2 instance

Connect to the Amazon EC2 instance so that you can transfer your application to it and then run the application. You'll need the file that contains the private portion of the key pair you used under Key pair (login) when you created your instance; that is, the PEM file.

You can do this by following the guidance for your instance type: Connect to your Linux instance or Connect to your Windows instance. When you connect, do so in such a way that you can transfer files from your development machine to your instance.

Note

In a Linux or macOS terminal, you can use the secure copy command (scp) to copy your application. To use scp with a key pair, run a command of the form scp -i path/to/key file/to/copy ec2-user@ec2-xx-xx-xxx-xxx.compute.amazonaws.com:~ (replace the key path, the file, and the host name with your own values).

For more information for Windows, see Transfer files to Windows instances.

If you're using an Amazon Toolkit, you can often also connect to the instance by using the Toolkit. For more information, see the specific user guide for the Toolkit you use.

Run your application on the EC2 instance

  1. Copy your application files from your local drive to your Amazon EC2 instance.

  2. Start the application and verify that it runs with the same results as on your development machine.

  3. (Optional) Verify that the application uses the credentials provided by the IAM role.

    1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

    2. Select the instance.

    3. Choose Actions, Security, and then choose Modify IAM role.

    4. For IAM role, detach the IAM role by choosing No IAM Role.

    5. Choose Update IAM role.

    6. Run the application again and confirm that it returns an authorization error.
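The optional check above proves the point by detaching the role and watching the application fail. As an added example (not from this guide), the following Python script performs the same verification on the running instance without detaching anything: it confirms that the SDK's credential provider is the instance metadata service (reported by boto3 as "iam-role") and that the caller identity is an assumed-role session for the expected role. The role name MyS3ReadOnlyRole is an assumed placeholder; boto3 is needed only for the live check, the helpers run offline.

```python
"""Verify that an application on the instance really uses the instance-profile
(IAM role) credentials and not keys left in the environment or in ~/.aws."""
import re

# Assumed placeholder: use the role name you chose in "Create an IAM role".
EXPECTED_ROLE_NAME = "MyS3ReadOnlyRole"

# STS ARN of a role session. The partition is aws-cn in the China Regions;
# for an EC2 instance profile the session name is the instance ID.
ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def parse_assumed_role(arn):
    """Return (role_name, session_name) for an assumed-role ARN, else None."""
    m = ASSUMED_ROLE_RE.match(arn)
    if not m:
        return None
    return m.group("role"), m.group("session")


def credentials_come_from_role(caller_arn, provider_method, expected_role):
    """True only when both signals point at the instance profile: the caller is a
    session of the expected role AND the SDK obtained the keys from instance
    metadata ("iam-role"). Keys from "env" or "shared-credentials-file" fail
    even if they happen to belong to the same role."""
    parsed = parse_assumed_role(caller_arn)
    if parsed is None:
        return False
    role, _session = parsed
    return role == expected_role and provider_method == "iam-role"


def check_live(expected_role=EXPECTED_ROLE_NAME):
    """Run this on the EC2 instance; needs boto3 and access to instance metadata."""
    import boto3  # imported here so the offline helpers work without boto3

    session = boto3.Session()
    creds = session.get_credentials()
    method = creds.method if creds else None
    arn = session.client("sts").get_caller_identity()["Arn"]
    ok = credentials_come_from_role(arn, method, expected_role)
    print(f"caller={arn} provider={method} from_instance_role={ok}")
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if check_live() else 1)
```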