IAM roles provide temporary permissions to EC2 instances to interact with AWS services without embedding credentials in the application.
Step 1: Create an IAM Role
Go to the IAM Console: Navigate to IAM Roles.
Create Role:
Click the Create role button.
Select AWS service as the trusted entity type.
Choose EC2 under Use cases for other AWS services.
Click Next.
Select Permissions:
Select the appropriate policy for the permissions your EC2 instance needs.
- Example: To allow read-only access to S3, attach the AmazonS3ReadOnlyAccess policy.
Click Next.
Configure Role:
Enter a descriptive name for the role (e.g., EC2S3ReadOnlyRole).
Add optional tags for identification (if needed).
Review the settings and click Create role.
Step 2: Attach IAM Role to EC2 Instance
Go to the EC2 Console: Navigate to EC2 Instances.
Select the Instance:
- Choose the instance to attach the role.
Modify IAM Role:
Click Actions > Security > Modify IAM Role.
Select the IAM role created in Step 1.
Apply Changes:
- Click Update IAM role.
Step 3: Verify IAM Role Attachment
Check if an IAM role is attached to the instance:
curl http://169.254.169.254/latest/meta-data/iam/info
This command retrieves information about the IAM role attached to the EC2 instance. It queries the Instance Metadata Service (IMDS), a special HTTP endpoint available to EC2 instances, which provides metadata and dynamic data about the instance.
If a role is attached, the response will include details like the role name.
If no role is attached, you'll get an error or no data.
Breaking Down the Command
- curl: A command-line tool used to make HTTP requests.
- http://169.254.169.254: The IP address of the Instance Metadata Service. This is a reserved IP that is only reachable from inside the EC2 instance.
- /latest/meta-data/iam/info: The specific path to retrieve IAM role information.
Step 4: Test Permissions Using AWS CLI
You can run the commands below over SSH or through EC2 Instance Connect. Ensure the AWS CLI is installed on the instance (it is usually pre-installed on Amazon Linux).
No key pair required: with EC2 Instance Connect, you don't need to manage or use an SSH key pair for access. Run commands to test permissions based on the IAM role's policies.
Examples:
S3 Access: List S3 buckets (requires S3 permissions):
aws s3 ls
EC2 Access: Describe running instances (requires EC2 permissions):
aws ec2 describe-instances
CloudWatch Logs: View log groups (requires CloudWatch permissions):
aws logs describe-log-groups
If the permissions are correctly configured, the command will execute successfully. Otherwise, you'll see an error like:
An error occurred (AccessDenied) when calling the <API> operation: User: arn:aws:sts::123456789012:assumed-role/<role-name>/<session-name> is not authorized to perform: <API>
→ Inspect Temporary Credentials
To view the temporary credentials provided by the IAM role:
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>
Replace <role-name> with the IAM role name attached to the instance. The response includes:
- AccessKeyId
- SecretAccessKey
- Token
- Expiration time
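Added example, not code from the original post, that carries Step 3 and the credential check above through IMDSv2: the plain curl calls shown above are IMDSv1-style and are refused (HTTP 401) on an instance launched with IMDSv2 required, the recommended setting because it blunts SSRF-style credential theft. The script fetches a session token first, treats a 404 on iam/info as "no role attached", and prints only the non-secret fields of the credential response; the SAMPLE_CREDS JSON at the bottom is constructed so the summary can be dry-run off the instance.

```sh
#!/bin/sh
# Added example, not from the original post: verify the attached role through
# IMDSv2 (a session token is mandatory when the instance enforces it) and
# summarise the temporary credentials without echoing the secret fields.
IMDS="http://169.254.169.254"

# Request a short-lived IMDSv2 session token (PUT with a TTL header).
imds_token() {
  curl -sS -X PUT "$IMDS/latest/api/token" \
       -H "X-aws-ec2-metadata-token-ttl-seconds: 300"
}
# GET a metadata path with the token; -f turns a 404 (no role) into a failure.
imds_get() {
  curl -sSf -H "X-aws-ec2-metadata-token: $1" "$IMDS/latest/meta-data/$2"
}
# Pull one string value out of the small, flat JSON documents IMDS returns.
json_field() {   # $1 = JSON text, $2 = key name
  printf '%s\n' "$1" |
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}
# Status and lifetime only: AccessKeyId, SecretAccessKey and Token are never
# printed, so the output is safe to paste into a ticket or leave in history.
creds_summary() {   # $1 = security-credentials JSON
  printf 'Code=%s LastUpdated=%s Expiration=%s\n' \
    "$(json_field "$1" Code)" "$(json_field "$1" LastUpdated)" \
    "$(json_field "$1" Expiration)"
}
verify_role() {
  tok=$(imds_token) || { echo "IMDS unreachable or token refused"; return 2; }
  if ! info=$(imds_get "$tok" iam/info); then
    echo "No IAM role attached (iam/info returned 404)"; return 1
  fi
  echo "Instance profile: $(json_field "$info" InstanceProfileArn)"
  role=$(imds_get "$tok" iam/security-credentials/)   # listing is the role name
  echo "Role: $role"
  creds_summary "$(imds_get "$tok" "iam/security-credentials/$role")"
}

# Constructed sample in the IMDS response shape, for an offline dry run.
SAMPLE_CREDS='{ "Code" : "Success", "LastUpdated" : "2024-05-01T10:00:00Z",
  "Type" : "AWS-HMAC", "AccessKeyId" : "ASIAEXAMPLEKEYID",
  "SecretAccessKey" : "example-secret", "Token" : "example-token",
  "Expiration" : "2024-05-01T16:00:00Z" }'

# "sh verify_role.sh check" on the instance; with no argument, dry-run the sample.
if [ "${1:-}" = "check" ]; then verify_role; else creds_summary "$SAMPLE_CREDS"; fi
```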
Common Debugging Tips
No IAM Role Attached:
- Attach an appropriate IAM role to the instance using the Modify IAM Role action in the EC2 Console.
Policy Issues:
- Ensure the IAM role has the correct permissions for the resources you are trying to access.
Region Mismatch:
Verify that your CLI commands are targeting the correct AWS region:
aws configure set region <region-name>
"Thank you for reading! I hope this blog sparked new ideas and insights. If you have questions or thoughts, drop a comment below. Until next time, keep learning and growing!"
Reach out to me at linkedin.com/in/sruthipalle
Happy Coding😊