I am using lambda to create ec2 machine using boto3. I need to give the instance an IAM role. In boto3 we give the IAM role via InstanceProfiles but when we create a role that has access to Lambda no instance profiles come up.
So how do we achieve this?
You would need to:
Use create_instance_profile() to create a named profile
Use add_role_to_instance_profile() to associate an IAM Role with the Instance Profile
Provide the Instance Profile when launching the Amazon EC2 instance
Related
I am owner of one EC2 instance. I can ssh to virtual server by key.pem. My question is to print security-group content (inbound and outbound in one page) of this EC2 instance, do I have to attach IAM role to this instance (so that I can use aws ec2 command) ?
I just wondering, if I am the owner of this instance, I shall be able to do anything without extra granting....
IAM permissions has nothing to do with EC2 instances and the owner of the instance is the AWS account. Just imagine what will happen if one of your IAM user can run any commands by just launching an instance.
You can run "aws ec2" command from your local machine/laptop after installing AWS CLI. If you choose to do so, you have to configure the CLI with the access keys of an IAM user with proper permission. Same applies to EC2 instances, but you can leverage IAM role so that you don't have to use access keys and instead use temporary credentials provided by the IAM role (recommended).
http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#cli-quick-configuration
I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
if you are getting "The association is not the active association" error when trying to attach a role to a existing EC2 instance then you should:
1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.
once you do that, you will be able to attach a role to an existing EC2 instance.
The Roles must be assigned when an instance is first launched.
It is not possible to assign the Role after the launched.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying System Server Manager service which required your EC2 instance to coomunicate with ssm api.
I think we have to wait some more time.
This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it so I'll add as an answer.
Source document here
Specific instructions are below to conform with StackOverflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
We use CloudFormation to deploy our platform. Is here a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permission and use instance profile. How do I achieve this? can someone please provide more details and explain what instance profile is?
As per AWS IAM documentation, Instance Profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored in EC2 instances to execute AWS APIs. Also, this feature aids in granting only the permission specified in the desired IAM role to the EC2 instance. Also, you can use the same Instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create Instance Profile using: create-instance-profile. The output of this step will contain the Arn for the Instance Profile. This needs to be used in step 4.
3) Add role to Instance Profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is got from step 2.
The same can be achieved using AWS Console. The Screenshot below shows, how you can specify the role during launch of an EC2 instance:
For more details please see Using Instance Profiles and section 'Permissions Required for Using Roles with Amazon EC2' at page 190 of AWS IAM User Guide.
I would like to add a role to an existing (running?) instance. Is this possible programmatically?
It is not possible (not even in AWS dashboard). You can add an IAM role only when launching an instance
https://aws.amazon.com/iam/faqs/
Q: Can I change the IAM role on a running EC2 instance? No, at this
time you cannot change the IAM role on a running EC2 instance. You can
change the permissions on the IAM role associated with a running
instance, and the updated permissions will take effect almost
immediately.
Now you can attach a role to Running instance from Console and from CLI as well
aws ec2 associate-iam-instance-profile --instance-id *InstanceId* --iam-instance-profile Name=*NewInstanceProfileName*
Official Announcment here
You can now attach or replace an AWS Identity and Access Management
(IAM) role to your existing Amazon EC2 instance. IAM roles enable your
applications running on EC2 to use temporary security credentials that
AWS creates, distributes, and rotates automatically. Using temporary
credentials reduces the risk of long-term key compromise.
For more information. Click here
In order to run AWS monitoring scripts (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/mon-scripts-perl.html) on one of my ec2 existing instance, I need a IAM role associated to the instance.
I found a lot of documentation to launch an instance with a role... But nothing to link a role to an existing instance.
Is it possible?
If not, what can I do? Launch a new instance with a role and transfert the volumes to it?
If not, what can I do? Launch a new instance with a role and transfert
the volumes to it?
This is one option but it might take you a long time if you have a lot instances.
The other option is to simply use IAM by creating a new user then add the Amazon CloudWatch PutMetricData operation permission to that user. Then, create AWS credentials for that user and finally use them as per the docs that you specified:
Optional: If you aren't using an IAM role, update the
awscreds.template file that you downloaded earlier. The content of
this file should use the following format:
AWSAccessKeyId=YourAccessKeyID
AWSSecretKey=YourSecretAccessKey
Also set the environment variable AWS_CREDENTIAL_FILE to point that awscreds.template in the environment of the user that is running the mon-scripts-perl
There is a new method available associate-iam-instance-profile to Associates an IAM instance profile with a running or stopped instance.
Example:
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
Doco
AWS doesn't allow you to modify the instance role after launching the instance.
You can either:
1) Launch a new instance with the role needed by taking the AMI of the already running instance and reassigning the EIP.
or
2) Create a headless user, generate access key and secret key for the user with specific permssion, and use those keys.
Earlier there was no solution. You had to create and AMI and launch the server again with the appropriate role.
On Feb 9, AWS launched these new CLI options which can help you solve your problem.
See this link: https://aws.amazon.com/blogs/security/new-attach-an-aws-iam-role-to-an-existing-amazon-ec2-instance-by-using-the-aws-cli/