
How to Use IAM Roles for EC2 Instances in AWS

To use IAM roles for EC2, create a role with the needed permissions and attach it to your EC2 instance. This lets the instance securely access AWS services without storing keys.

Syntax

Using IAM roles for EC2 involves these steps:

  • Create an IAM role: Define permissions in a policy.
  • Attach the role to EC2: Assign the role when launching or to a running instance.
  • Access AWS services: Use AWS SDK or CLI on the instance; credentials are provided automatically.
```bash
aws iam create-role --role-name MyEC2Role --assume-role-policy-document file://trust-policy.json

aws iam attach-role-policy --role-name MyEC2Role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# The CLI does not create an instance profile for you (the console does);
# EC2 attaches the instance profile, which wraps the role
aws iam create-instance-profile --instance-profile-name MyEC2Role
aws iam add-role-to-instance-profile --instance-profile-name MyEC2Role --role-name MyEC2Role

aws ec2 run-instances --image-id ami-12345678 --count 1 --instance-type t2.micro --iam-instance-profile Name=MyEC2Role
```

Example

This example shows how to create an IAM role with S3 read-only access and attach it to a new EC2 instance. The instance can then list S3 buckets without manual credentials.

Contents of trust-policy.json:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```

```bash
# Create role with trust policy
aws iam create-role --role-name EC2S3ReadOnlyRole --assume-role-policy-document file://trust-policy.json

# Attach S3 read-only policy
aws iam attach-role-policy --role-name EC2S3ReadOnlyRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Create the instance profile and put the role in it; run-instances needs the profile name
aws iam create-instance-profile --instance-profile-name EC2S3ReadOnlyRole
aws iam add-role-to-instance-profile --instance-profile-name EC2S3ReadOnlyRole --role-name EC2S3ReadOnlyRole

# Launch EC2 with the role
aws ec2 run-instances --image-id ami-0abcdef1234567890 --count 1 --instance-type t2.micro --iam-instance-profile Name=EC2S3ReadOnlyRole

# On the EC2 instance, run:
aws s3 ls
```
Output

```
2024-01-01 00:00:00 example-bucket-1
2024-01-01 00:00:00 example-bucket-2
```

Common Pitfalls

Common mistakes when using IAM roles for EC2 include:

  • Not attaching the role to the instance after creation.
  • Using incorrect trust policies that prevent EC2 from assuming the role.
  • Assigning overly broad permissions instead of least privilege.
  • Trying to use static AWS keys on the instance instead of the role.
Wrong trust policy example (missing ec2.amazonaws.com service):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "lambda.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Correct trust policy example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
```
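
A small pre-flight check for the trust-policy pitfall, added here as an example (it is not code from the article or an AWS tool): it parses a trust policy the way IAM does (string-or-list fields) and reports whether ec2.amazonaws.com is actually allowed to call sts:AssumeRole. It goes one step beyond the two policies above by also flagging a wildcard principal, a constructed case the page does not show.

```python
# Added example (not from the article or AWS): validate a trust policy before
# `aws iam create-role`. Sample policies mirror the wrong/correct ones above.
import json

WRONG_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})

CORRECT_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})

# Constructed: a wildcard principal lets any AWS account assume the role.
WILDCARD_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_ec2_trust_policy(policy_json: str) -> list:
    """Return findings; an empty list means EC2 can assume the role and no
    wildcard principal is present."""
    policy = json.loads(policy_json)
    findings = []
    ec2_allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue  # statement grants something else; irrelevant to assumption
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS"))):
            findings.append("wildcard principal: any AWS account could assume this role")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if "ec2.amazonaws.com" in services:
            ec2_allowed = True
    if not ec2_allowed:
        findings.append("no statement lets ec2.amazonaws.com call sts:AssumeRole")
    return findings
```

Run `check_ec2_trust_policy(WRONG_TRUST_POLICY)` to see the pitfall reported; the correct policy returns an empty list.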

Quick Reference

  • Create IAM role: Define trust policy for EC2 service.
  • Attach policies: Add permissions like S3, DynamoDB, etc.
  • Assign role: Attach to EC2 instance at launch or later.
  • Use SDK/CLI: Access AWS services without keys.

Key Takeaways

Create an IAM role with a trust policy allowing EC2 to assume it.
Attach the role to your EC2 instance to grant permissions securely.
Use AWS SDK or CLI on the instance to access services without manual keys.
Avoid static credentials; rely on the role's temporary credentials.
Check trust policies and permissions carefully to prevent access issues.