Using IAM roles for Amazon EC2 instances - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM roles for Amazon EC2 instances

This example covers setting up an Amazon Identity and Access Management role with Amazon S3 access to use in your application deployed to an Amazon EC2 instance.

For an Amazon Elastic Compute Cloud instance, create an IAM role, and then give your Amazon EC2 instance access to that role. For more information, see IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances or IAM Roles for Amazon EC2 in the Amazon EC2 User Guide for Windows Instances.

Create an IAM role

Create an IAM role that grants read-only access to Amazon S3.

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. In the navigation pane, select Roles, then select Create role.

  3. For Select trusted entity, under Trusted entity type, choose Amazon Web Service.

  4. Under Use case, choose Amazon EC2, then select Next.

  5. For Add permissions, select the checkbox for Amazon S3 Read Only Access from the policy list, then select Next.

  6. Enter a name for the role, then select Create role. Remember this name because you'll need it when you launch your Amazon EC2 instance.

Launch an Amazon EC2 instance and specify your IAM role

You can launch an Amazon EC2 instance with an IAM role using the Amazon EC2 console.

Follow the directions to launch an instance in the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances.

When you reach the Review Instance Launch page, select Edit instance details. In IAM role, choose the IAM role that you created previously. Complete the procedure as directed.

Note

You need to create or use an existing security group and key pair to connect to the instance.

With this IAM and Amazon EC2 setup, you can deploy your application to the Amazon EC2 instance, and it will have read-only access to Amazon S3 through the credentials that the role provides.

Connect to the EC2 instance

Connect to the EC2 instance so that you can transfer the sample application to it and then run the application. You'll need the file that contains the private portion of the key pair you used to launch the instance; that is, the PEM file.

You can do this by following the connect procedure in the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances. When you connect, do so in such a way that you can transfer files from your development machine to your instance.

If you're using an Amazon Toolkit, you can often also connect to the instance by using the Toolkit. For more information, see the specific user guide for the Toolkit you use.

Run the sample application on the EC2 instance

  1. Copy the application files from your local drive to your instance.

    For information about how to transfer files to your instance, see the Amazon EC2 User Guide for Linux Instances or the Amazon EC2 User Guide for Windows Instances.

  2. Start the application and verify that it runs with the same results as on your development machine.

  3. (Optional) Verify that the application uses the credentials provided by the IAM role.

    1. Sign in to the Amazon Web Services Management Console and open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

    2. Select the instance and detach the IAM role through Actions, Instance Settings, Attach/Replace IAM Role.

    3. Run the application again and confirm that it returns an authorization error.
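As an added example (not code from this page or from the Amazon SDKs), the following Python check complements the optional verification in step 3: run on the instance, it fetches the attached role's credentials from the instance metadata service the same way the SDK does and validates them. The metadata endpoint and paths are the documented IMDSv2 ones; the sample credentials document, role name and account ID are constructed for offline use.

```python
"""Added example: confirm an instance's credentials come from its attached IAM role via IMDSv2."""
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254/latest"  # EC2 instance metadata endpoint
SAMPLE_DOC = json.dumps({"Code": "Success", "Type": "AWS-HMAC",  # constructed sample, not real keys
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token", "Expiration": "2024-01-01T18:00:00Z"})
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time

def imds_token(ttl: int = 60) -> str:
    """Obtain an IMDSv2 session token (a PUT; token-less IMDSv1 GETs should be disabled)."""
    req = urllib.request.Request(IMDS + "/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)})
    return urllib.request.urlopen(req, timeout=2).read().decode()

def imds_get(path: str, token: str) -> str:
    """GET a metadata path, presenting the IMDSv2 token."""
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    return urllib.request.urlopen(req, timeout=2).read().decode()

def parse_role_credentials(doc: str, now: datetime) -> tuple:
    """Validate a security-credentials document: Success code, all fields, temporary key, not expired."""
    d = json.loads(doc)
    if d.get("Code") != "Success":
        return False, f"IMDS returned Code={d.get('Code')!r}"
    for key in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration"):
        if not d.get(key):
            return False, f"missing {key}"
    if not d["AccessKeyId"].startswith("ASIA"):  # role credentials are temporary (ASIA...), not AKIA
        return False, "not a temporary access key (expected ASIA prefix)"
    exp = datetime.strptime(d["Expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if exp <= now:
        return False, "credentials already expired"
    return True, f"temporary role credentials valid until {d['Expiration']}"

def role_from_caller_arn(arn: str):
    """Role name from an STS GetCallerIdentity ARN (arn:aws-cn:sts::<acct>:assumed-role/<Role>/<id>), else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "sts" or not parts[5].startswith("assumed-role/"):
        return None
    return parts[5].split("/")[1]

def check_instance() -> tuple:
    """Live check, run on the instance itself: attached role name, then its credentials."""
    tok = imds_token()
    role = imds_get("/meta-data/iam/security-credentials/", tok).strip()
    doc = imds_get(f"/meta-data/iam/security-credentials/{role}", tok)
    return role, parse_role_credentials(doc, datetime.now(timezone.utc))
```

After detaching the role as in step 3, `check_instance()` fails at the metadata request, which is the same loss of credentials the application's authorization error reflects.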