Assign IAM role to EC2 instance with AWS CLI
IAM roles are very useful for EC2 instances that need to access other AWS resources (such as S3, SQS, etc.).
You don’t have to hardcode IAM credentials in the application code. Instead, you assign an IAM role with the required permissions to the EC2 instance, and the applications running on that instance use the role to access the AWS resources you want them to reach.
In this tutorial, we will assign an SQS full access role to an existing EC2 instance with the AWS CLI.
……………………………………………………………………………
Here are the high level steps -
1. Create an IAM Role.
2. Attach a Policy to the Role.
3. Create an Instance Profile.
4. Add the Role to the Instance Profile.
5. Associate the Instance Profile with the EC2 instance.
— — — — — — — — — — — — — — — — — — — — — — — — — —
Step 1: Create an IAM Role
Copy the below policy and save it in a JSON file named Trust-Policy.json.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
Execute the below command to create the role with the trust policy.
$ aws iam create-role --role-name sqsAccessRole --assume-role-policy-document file://Trust-Policy.json
— — — — — — — — — — — — — — — — — — — — — — — — — —
Step 2: Attach a Policy to the Role
Specify the ARN of the policy that you want attached to the role.
Here I have used the SQS full access managed policy. Change it as per your requirement.
$ aws iam attach-role-policy --role-name sqsAccessRole --policy-arn arn:aws:iam::aws:policy/AmazonSQSFullAccess
Verify the policy assignment —
$ aws iam list-attached-role-policies --role-name sqsAccessRole
— — — — — — — — — — — — — — — — — — — — — — — — — —
Step 3: Create an Instance Profile
$ aws iam create-instance-profile --instance-profile-name sqsAccessInstanceProfile
— — — — — — — — — — — — — — — — — — — — — — — — — —
Step 4: Add the Role to the Instance Profile
$ aws iam add-role-to-instance-profile --role-name sqsAccessRole --instance-profile-name sqsAccessInstanceProfile
— — — — — — — — — — — — — — — — — — — — — — — — — —
Step 5: Associate the Instance Profile with the EC2 instance
Replace the instance ID below with the ID of your own EC2 instance and execute the command.
$ aws ec2 associate-iam-instance-profile --instance-id i-0f999e6d4637 --iam-instance-profile Name=sqsAccessInstanceProfile
Run the below command to verify the association status.
$ aws ec2 describe-iam-instance-profile-associations
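The five steps above, wrapped in one script with the checks a practitioner wants. This is an added example, not code from the original tutorial: it runs the same AWS CLI commands through subprocess, skips creation when the role or instance profile already exists, polls the association state until EC2 reports "associated", and swaps the AmazonSQSFullAccess managed policy for an inline policy scoped to a single queue (the policy name sqsQueueAccess, the queue ARN, the account ID and the sample describe output are constructed placeholders; FULL_ACCESS_POLICY is modelled on a full-access policy for comparison).

```python
import json
import subprocess
import time

# Trust policy from the tutorial: only the EC2 service may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed here for comparison: modelled on a full-access policy (every SQS action on every queue).
FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sqs:*", "Resource": "*"}],
}

# Constructed sample of `aws ec2 describe-iam-instance-profile-associations` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"IamInstanceProfileAssociations": [{
    "AssociationId": "iip-assoc-0example",
    "InstanceId": "i-0f999e6d4637",
    "IamInstanceProfile": {
        "Arn": "arn:aws:iam::123456789012:instance-profile/sqsAccessInstanceProfile",
        "Id": "AIPAEXAMPLEID"},
    "State": "associated"}]})

DEFAULT_ACTIONS = ("sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:GetQueueUrl", "sqs:GetQueueAttributes")


def scoped_sqs_policy(queue_arn, actions=DEFAULT_ACTIONS):
    """Least-privilege replacement for a full-access policy: named actions on one queue ARN."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": queue_arn}]}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """Describe every Allow statement that grants wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def association_state(describe_output, instance_id):
    """Parse describe-iam-instance-profile-associations JSON; return (state, profile ARN) or None."""
    for assoc in json.loads(describe_output).get("IamInstanceProfileAssociations", []):
        if assoc.get("InstanceId") == instance_id and assoc.get("State") in ("associating", "associated"):
            return assoc["State"], assoc["IamInstanceProfile"]["Arn"]
    return None


def aws(*args):
    """Run one AWS CLI command and return its stdout; raises CalledProcessError on failure."""
    return subprocess.run(["aws", *args, "--output", "json"],
                          check=True, capture_output=True, text=True).stdout


def exists(*args):
    try:
        aws(*args)
        return True
    except subprocess.CalledProcessError:
        return False


def assign_role(instance_id, queue_arn, role="sqsAccessRole", profile="sqsAccessInstanceProfile"):
    """Steps 1-5 of the tutorial, idempotently, with a scoped inline policy instead of full access."""
    policy = scoped_sqs_policy(queue_arn)
    if policy_findings(policy):
        raise ValueError("refusing to attach a wildcard policy")
    if not exists("iam", "get-role", "--role-name", role):
        aws("iam", "create-role", "--role-name", role,
            "--assume-role-policy-document", json.dumps(TRUST_POLICY))
    aws("iam", "put-role-policy", "--role-name", role, "--policy-name", "sqsQueueAccess",
        "--policy-document", json.dumps(policy))
    if not exists("iam", "get-instance-profile", "--instance-profile-name", profile):
        aws("iam", "create-instance-profile", "--instance-profile-name", profile)
        aws("iam", "add-role-to-instance-profile", "--role-name", role,
            "--instance-profile-name", profile)
        time.sleep(10)  # IAM is eventually consistent; a new profile may not be visible to EC2 yet
    describe = ("ec2", "describe-iam-instance-profile-associations",
                "--filters", f"Name=instance-id,Values={instance_id}")
    if association_state(aws(*describe), instance_id) is None:  # an instance can hold only one profile
        aws("ec2", "associate-iam-instance-profile", "--instance-id", instance_id,
            "--iam-instance-profile", f"Name={profile}")
    for _ in range(12):  # poll until EC2 reports the profile as associated
        state = association_state(aws(*describe), instance_id)
        if state and state[0] == "associated":
            return state
        time.sleep(5)
    raise TimeoutError(f"instance profile not associated with {instance_id}")


if __name__ == "__main__":
    # Offline demonstration; with the CLI configured, call assign_role("i-<your-id>", "arn:aws:sqs:<region>:<account>:<queue>").
    print("full-access findings:", policy_findings(FULL_ACCESS_POLICY))
    print("sample association:", association_state(SAMPLE_DESCRIBE_OUTPUT, "i-0f999e6d4637"))
```

The policy lint runs before anything is attached, so the script fails closed if someone widens DEFAULT_ACTIONS to "sqs:*" or the resource to "*". Adding the role to an existing profile that lacks it is left as an exercise; get-instance-profile returns the attached roles if you need that check.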
— — — — — — — — — — — — — — — — — — — — — — — — —
We have successfully assigned the SQS access role to the EC2 instance.
Let’s log in to the EC2 instance and try to list all the SQS queues.
Enjoy! :)