I'm trying to export my table from DynamoDB to S3. Following the documentation here I created the two roles needed for the pipeline, DataPipelineDefaultRole and DataPipelineDefaultResourceRole. After trying to execute the pipeline, I discovered that my DataPipelineDefaultRole was not created with an instance profile.
I've been looking through forums and Amazon says that people receive errors like this when they create their IAM Roles through the CLI. Their recommendation is to create the roles through the console and then the instance profile will be attached to the roll automatically. I'm creating the role through the console but for the DataPipelineDefaultRole, there is no instance profile attached?
Is there a way to manually attach an instance profile? Or am I missing something that is causing this to not auto-generate?
This might help:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
It highlights info about instance profiles and namely how to create if you already have existing roles etc. I think this might be what you're looking for.
i.e .
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
then
aws iam add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
I have test the solution by Liam and it's working fine.
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
aws iam add-role-to-instance-profile add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
and there typo on the command provided should not repeat aws I am again.
reference: https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html
Related
I have the following demo role created for AWS:
with the following trust relationship:
Now, I am trying to modify the role of an EC2 instance to be DemoRoleForEC2, but the role is not appearing in the dropdown list:
According to this answer here: IAM Role not showing in aws console in Modify IAM role page , it should be working fine as the Trust Relationships are ok, but it is not.
Other things I tried was stopping and restarting the EC2 Instance, and trying to create the role from the "Modify Role for IAM" page, but none worked. Any idea what the issue might be?
Just to update this answer, apparently, what is happening is that when creating a role, its instance profile is not being automatically created (I haven't figured out the reason yet). What I did was running these two commands on CLI:
aws iam create-instance-profile --instance-profile-name MyRoleInstanceProfile
aws iam add-role-to-instance-profile --role-name MyRole --instance-profile-name MyRoleInstanceProfile
And then the role will appear in the list in the "Modify Role for IAM" page.
One thing to check is the browser you are using to do this task and any browser extensions you may have installed.
I hit this issue where I was creating an EC2 role via the AWS console but it was not creating the instance profile.
I found the issue to be because I was using chrome and with the ClearURLs extension. I disabled this extension and when I then tried to create the role via the console, then the instance profile was also being created.
In my case I was creating an instance profile and adding a role with the CLI. Then, the instance profile was not showing up on EMR but it was appearing on EC2. After several attempts I tried naming the instance profile and the role with the same name (and no special characters), and then it worked.
I followed the instructions here to set up and remove a python lambda function (and associated AWS resources).
When I try to clean up the function, role-policy and role, the instructions failed because the CLI does not manage to find the attached role policies. In particular, if I run:
aws iam list-role-policies --role-name myrolename
... I get an output of:
{
"PolicyNames": []
}
But when I look up the same role in the AWS console, I can see the policy is there.
So what is going on here? Is this an AWS bug (CLI version aws-cli/2.1.33 Python/3.9.2 Darwin/20.4.0 source/x86_64), or am I muddled up here somehow?
As i can see from the image, its a managed policy and unfortunately list-role-policies only Lists the names of the inline policies that are embedded in the specified IAM role.
Doc says
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies
use this for example
aws iam list-attached-role-policies --role-name SecurityAuditRole
As reading https://docs.aws.amazon.com/codedeploy/latest/userguide/getting-started-create-iam-instance-profile.html, there seem to be many steps to grant permissions to an EC2 instance profile: create a role, put policy to the role, create an instance profile and add the role to the instance profile.
Is it possible to create an instance profile by one line with very generally-used role, such as AWS S3 Full Access for example?
I think you still need 2 lines: 1 line to create the instance profile (aws iam create-instance-profile) and 1 line to attach the existing role (aws iam add-role-to-instance-profile) https://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam
As they are command lines, I suppose you can join them with &&. Following the AWS documentation example:
aws iam create-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile && aws iam add-role-to-instance-profile --instance-profile-name CodeDeployDemo-EC2-Instance-Profile --role-name CodeDeployDemo-EC2-Instance-Profile
Note: if your instance profile is already created you can associate it to as many EC2 instances you want. You don't need to recreate a new instance profile each time.
I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
if you are getting "The association is not the active association" error when trying to attach a role to a existing EC2 instance then you should:
1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.
once you do that, you will be able to attach a role to an existing EC2 instance.
The Roles must be assigned when an instance is first launched.
It is not possible to assign the Role after the launched.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying System Server Manager service which required your EC2 instance to coomunicate with ssm api.
I think we have to wait some more time.
This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it so I'll add as an answer.
Source document here
Specific instructions are below to conform with StackOverflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
We use CloudFormation to deploy our platform. Is here a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permission and use instance profile. How do I achieve this? can someone please provide more details and explain what instance profile is?
As per AWS IAM documentation, Instance Profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored in EC2 instances to execute AWS APIs. Also, this feature aids in granting only the permission specified in the desired IAM role to the EC2 instance. Also, you can use the same Instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create Instance Profile using: create-instance-profile. The output of this step will contain the Arn for the Instance Profile. This needs to be used in step 4.
3) Add role to Instance Profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is got from step 2.
The same can be achieved using AWS Console. The Screenshot below shows, how you can specify the role during launch of an EC2 instance:
For more details please see Using Instance Profiles and section 'Permissions Required for Using Roles with Amazon EC2' at page 190 of AWS IAM User Guide.