Unable to detach AWS IAM role from my instance - amazon-web-services

I tried to detach one of my IAM roles from my instance (still running) and got a response of successful detachment.
Afterwards I tried to attach a new IAM role to the exact same instance; however, this message occurred: The association <AssociationId> is not the active association.
After using aws ec2 describe-iam-instance-profile-associations to check the IAM instance profile associations, I found that the state is disassociating. When I rechecked the associations the other day, it was still stuck at disassociating.
Then I tried aws ec2 associate-iam-instance-profile to associate my instance with a new role, but all I got was another instance association stuck at associating.
I also tried replace-iam-instance-profile-association and the same showed up: The association <AssociationId> is not the active association.
Rebooting the instance did not work either.
Any solutions?
Thanks.

I've fixed this issue by launching a new instance based on the EBS snapshot of the problematic instance, which is the last thing I want to do.
Anyway, this could be considered a workaround. :(
It really sucks that you have to pay to create AWS technical support cases.

Found an easy solution for this!
Hope this helps some people finding this.
After getting stuck in the "disassociating" or "associating" state, use the aws CLI to find the associations that cause the problem (they will be stuck in the state "disassociating" or "associating"):
aws ec2 describe-iam-instance-profile-associations
After finding them use:
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
to remove them. Not quite intuitive, but you can actually remove the ones in the state "disassociating"; after that you can add a new role/instance-profile.
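The triage the answer above describes (list the associations, pick out the ones stuck in a transitional state, disassociate them by id) as a small offline script. This is an added example, not code from the original posts: it parses a constructed sample of the JSON that aws ec2 describe-iam-instance-profile-associations prints (the association ids, instance ids and profile names are made up) and only emits the disassociate commands to run, it does not call AWS itself.

```python
"""Triage stuck IAM instance-profile associations.

Added example for this thread, not code from the original answers. It
reads the JSON shape printed by
`aws ec2 describe-iam-instance-profile-associations` and emits the
`disassociate-iam-instance-profile` commands to clear stuck entries."""
import json

# Transitional states that should clear within seconds; when one persists,
# the thread's fix is to disassociate that association id explicitly.
STUCK_STATES = {"associating", "disassociating"}

# Constructed sample response (ids are made up), shaped like the real one:
# one instance with a half-removed old profile and a half-attached new one,
# plus a healthy instance for contrast.
SAMPLE_RESPONSE = json.dumps({
    "IamInstanceProfileAssociations": [
        {"AssociationId": "iip-assoc-0aaaaaaaaaaaaaaa1",
         "InstanceId": "i-0123456789abcdef0",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/OldRole",
             "Id": "AIPAEXAMPLEOLD"},
         "State": "disassociating"},
        {"AssociationId": "iip-assoc-0bbbbbbbbbbbbbbb2",
         "InstanceId": "i-0123456789abcdef0",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/NewRole",
             "Id": "AIPAEXAMPLENEW"},
         "State": "associating"},
        {"AssociationId": "iip-assoc-0ccccccccccccccc3",
         "InstanceId": "i-0fedcba9876543210",
         "IamInstanceProfile": {
             "Arn": "arn:aws:iam::123456789012:instance-profile/HealthyRole",
             "Id": "AIPAEXAMPLEOK"},
         "State": "associated"},
    ]
})


def load_associations(response_json):
    """Return the association records from a describe-* JSON response."""
    return json.loads(response_json).get("IamInstanceProfileAssociations", [])


def stuck_associations(response_json, instance_id=None):
    """Associations sitting in a transitional state, optionally for one instance."""
    return [
        a for a in load_associations(response_json)
        if a.get("State") in STUCK_STATES
        and (instance_id is None or a.get("InstanceId") == instance_id)
    ]


def per_instance_summary(response_json):
    """Map instance id -> {state: [profile names]}.

    Makes the 'two profiles at once' condition from the thread visible at a glance."""
    summary = {}
    for a in load_associations(response_json):
        name = a["IamInstanceProfile"]["Arn"].rsplit("/", 1)[-1]
        summary.setdefault(a["InstanceId"], {}).setdefault(a["State"], []).append(name)
    return summary


def cleanup_commands(response_json, instance_id=None):
    """The disassociate commands to clear stuck associations.

    Ordered 'disassociating' first, then 'associating', so the half-removed
    old profile is cleared before the half-attached new one."""
    order = {"disassociating": 0, "associating": 1}
    stuck = sorted(stuck_associations(response_json, instance_id),
                   key=lambda a: order[a["State"]])
    return [
        f"aws ec2 disassociate-iam-instance-profile --association-id {a['AssociationId']}"
        for a in stuck
    ]


if __name__ == "__main__":
    for instance, states in per_instance_summary(SAMPLE_RESPONSE).items():
        print(instance, states)
    print("\n".join(cleanup_commands(SAMPLE_RESPONSE, "i-0123456789abcdef0")))
```

Pipe real output in with something like aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx and feed it to cleanup_commands; review the printed commands before running them, since disassociating is what actually changes the instance's credentials.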

Error: Unable to detach, there are no existing instance profile associations.
This happens while you are trying to add a role to an EC2 instance.
Debug and verify:
run > aws iam list-instance-profiles
command output :
{
"InstanceProfiles": []
}
run > aws iam list-instance-profiles-for-role --role-name Your-Role-Name
command output :
{
"InstanceProfiles": []
}
Solution :
run > aws iam create-instance-profile --instance-profile-name profile-name-sameas-role-name
run > aws iam add-role-to-instance-profile --instance-profile-name profile-name-sameas-role-name --role-name role-name
Done !!
Go Back to EC2 dashboard and try to Add the IAM Role again. This time it should work.

Related

IAM Role does not show in role list of EC2, even though I have the trust relationship set up correctly

I have the following demo role created for AWS:
with the following trust relationship:
Now, I am trying to modify the role of an EC2 instance to be DemoRoleForEC2, but the role is not appearing in the dropdown list:
According to this answer here: IAM Role not showing in aws console in Modify IAM role page , it should be working fine as the Trust Relationships are ok, but it is not.
Other things I tried were stopping and restarting the EC2 instance, and trying to create the role from the "Modify Role for IAM" page, but none worked. Any idea what the issue might be?
Just to update this answer, apparently, what is happening is that when creating a role, its instance profile is not being automatically created (I haven't figured out the reason yet). What I did was running these two commands on CLI:
aws iam create-instance-profile --instance-profile-name MyRoleInstanceProfile
aws iam add-role-to-instance-profile --role-name MyRole --instance-profile-name MyRoleInstanceProfile
And then the role will appear in the list in the "Modify Role for IAM" page.
One thing to check is the browser you are using to do this task and any browser extensions you may have installed.
I hit this issue where I was creating an EC2 role via the AWS console but it was not creating the instance profile.
I found the issue to be because I was using chrome and with the ClearURLs extension. I disabled this extension and when I then tried to create the role via the console, then the instance profile was also being created.
In my case I was creating an instance profile and adding a role with the CLI. Then, the instance profile was not showing up on EMR but it was appearing on EC2. After several attempts I tried naming the instance profile and the role with the same name (and no special characters), and then it worked.

EC2 Instance error telling me multiple IAM Roles are attached when I try to change it...?

This is a strange one... If I click on the instance id, and then navigate to security, it tells me the instance has role X. Then I back out to view all instances, mark the checkbox for the instance in question, go to Actions -> Security -> Modify IAM Role, and it shows me a different role, role Y. I then try to set it to No IAM Role (or any various role), and I get this error:
"Multiple roles associated to instance
The selected instance has more than one IAM role associated. This usually occurs when the instance is in the process of replacing an existing instance profile association. "
I have no idea what to do because I didn't think an EC2 instance was supposed to be able to have two roles... nothing can assume two roles at once, anyway. So this feels like a bug... can anyone help me solve this?
I had the same issue and it seems that when replacing the instance profile it somehow stays in a state that's not completely associated.
Using the CLI we can see the status of the profile association:
aws ec2 describe-iam-instance-profile-associations
In my case the problematic profile was showing as "associating", while all the others show "associated".
Get the AssociationID for the problematic association and disassociate it with the command
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
After that you should see the previous profile you had originally and everything should be consistent.
Hope it helps solving the problem.
I wanted to expound on Nelson Brito's answer since I found a way to return your instance to a normal state. I ran into this situation yesterday when helping a user, and I observed my instance with two profile associations -- one in a state of associating and one in a state of disassociating. The command to find this was:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx
To fix the issue, I first removed the associating profile using the command:
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
Next, I went to the console and detached the instance from all profiles (there is probably a CLI invocation, but I didn't figure it out). When done, you should have a clean instance:
aws ec2 describe-iam-instance-profile-associations --filters Name=instance-id,Values=i-xxxxxx
{
"IamInstanceProfileAssociations": []
}
Here's where we get to the root cause. When I re-assigned the role that was previously stuck in associating, well, it remained stuck in associating. The root cause of my problem was that the user had created the role without setting a trust relationship with EC2. The fix was two parts:
Update the instance trust relationship to add "Service": "ec2.amazonaws.com" as an allowed principal
Use the CLI to disassociate the role and add it again
tl;dr - If you ever run into this, ensure that the role you're trying to assign to your ec2 instance can be assumed by your ec2 instance.
We had the issue Multiple roles associated to instance after bringing an existing EC2 into CloudFormation. Nelson Brito's answer helped to resolve the issue.
To avoid the issue altogether when bringing an existing EC2 into CloudFormation, I now recommend
first disassociate the IAM role (for example via the AWS Console)
import the EC2 only, i.e. without InstanceProfile and Role in the import template
add InstanceProfile and Role to the template and update the stack.

How to add an IAM role to an existing instance in AWS?

I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
If you are getting the "The association is not the active association" error when trying to attach a role to an existing EC2 instance, then you should:
1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.
Once you do that, you will be able to attach a role to an existing EC2 instance.
The Roles must be assigned when an instance is first launched.
It is not possible to assign the Role after the launch.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well, that's the harsh truth as of now. You can't associate an IAM role with an existing instance. I came to know that when I was trying the System Server Manager service, which required your EC2 instance to communicate with the SSM API.
I think we have to wait some more time.
This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it so I'll add as an answer.
Source document here
Specific instructions are below to conform with StackOverflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile

AWS Elastic Beanstalk: Environment Fails to Launch

I have created a few environments before so I know how the Amazon EBS works however lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am bit late in answering this issue, posting here if someone faces this error now.
In case your user has all the required permissions to create a role and BS has already created the instance profile "aws-elasticbeanstalk-ec2-role":
The reason for this error is the roles only. When we try to launch EC2 from AWS BS, it creates a role named "aws-elasticbeanstalk-ec2-role" with the required permissions.
But if there is already a role with the trusted entity "AWS service: ec2", BS will check permissions in that already existing older role.
So go to Roles > search the ec2-related roles and select the role which is active.
Just add the AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.

Associate a Role to a running AWS instance

In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my existing EC2 instances, I need an IAM role associated with the instance.
I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
If not, what can I do? Launch a new instance with a role and transfer the volumes to it?
This is one option, but it might take you a long time if you have a lot of instances.
The other option is to simply use IAM by creating a new user, then add the Amazon CloudWatch PutMetricData operation permission to that user. Then create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the awscreds.template file that you downloaded earlier. The content of this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point to that awscreds.template in the environment of the user that is running the mon-scripts-perl.
There is a new method available, associate-iam-instance-profile, that associates an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate an access key and secret key for the user with specific permissions, and use those keys.
Earlier there was no solution. You had to create an AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/