Explaining Instance Profiles in AWS

The aim of this page is to explain AWS Identity and Access Management (IAM) based on the particular example of instance profiles. I need to learn this as I am looking at facilitating access between a customer's Databricks cluster and the S3 buckets we are managing.

Pavol Kutaj, Nov 15, 2023
  • Instance profiles are a feature of IAM that allows you to pass an IAM role to an EC2 instance.
[Figure: Getting to instance profile ARN via AWS Console > EC2]
  • When you create an IAM role from the AWS Management Console, the console automatically creates an instance profile with the same name as the role. This makes it easier to manage and associate roles with EC2 instances.
  • If you manage roles from the AWS CLI, the AWS API or an SDK, you create the role and the instance profile as separate actions and then attach the role to the instance profile. This allows more granular control over your IAM roles and instance profiles.
  • An instance profile can contain only one IAM role, and this limit cannot be increased. A role, however, can be included in multiple instance profiles, which gives you flexibility in how you assign roles to instances.
  • The role associated with an instance profile is assumed by the EC2 instance at launch time. This allows the instance to perform actions on AWS services that the role has permissions for.
  • An instance profile is primarily used to grant an EC2 instance permissions to access other AWS services. It is not designed to let other services access the EC2 instance by assuming that role.
  • If you want to grant a user or service the ability to manage EC2 instances, you typically do this by assigning the appropriate IAM policies to that user or service. These policies define what actions the user or service can perform on the EC2 instances.
  • An instance profile has its own Amazon Resource Name (ARN) syntax: arn:aws:iam::{account-id}:instance-profile/{instance-profile-name}. This ARN uniquely identifies the instance profile across all of AWS.
  • The roles associated with an instance profile may not be visible from the EC2 console. Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of the roles they contain.
  • An EC2 instance cannot use an IAM role directly; the role must be associated with the instance through an instance profile. When you launch an EC2 instance, you can specify an instance profile, and AWS passes the role (and its permissions) within that profile to the instance, which can then use the role's permissions to make requests to other AWS services.
  • Instance profiles provide a secure way to distribute IAM role credentials to EC2 instances. When you launch an instance with an IAM role/instance profile associated, AWS generates temporary security credentials for that role; these credentials are automatically rotated and refreshed, reducing the risk of compromised credentials.
  • Instance profiles are a key component of AWS's security infrastructure, providing a secure and manageable way to assign IAM roles to EC2 instances.
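The CLI path described above, where the role and the instance profile are created as separate steps and then attached, as an added example (not code from the original post). Role, profile, bucket names and the account id are constructed placeholders; the helper functions use the ARN format quoted in the post and run offline, the AWS calls need credentials for the target account.

```shell
# Added example: create an IAM role and its instance profile as two separate
# CLI steps, then verify the association. Names below are constructed placeholders.
set -eu

ROLE_NAME="${ROLE_NAME:-s3-reader-role}"           # assumed name
PROFILE_NAME="${PROFILE_NAME:-s3-reader-profile}"  # deliberately not the role's name

# Trust policy that lets only the EC2 service assume the role on the instance's behalf.
ec2_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Build an instance profile ARN in the format the post quotes ($1 account id, $2 profile name).
instance_profile_arn() {
  printf 'arn:aws:iam::%s:instance-profile/%s' "$1" "$2"
}

# Recover the profile name from such an ARN (e.g. from a launch template or a CloudTrail record).
profile_name_from_arn() {
  printf '%s' "${1##*:instance-profile/}"
}

create_role_and_profile() {
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)" >/dev/null
  # Least privilege: read access to one bucket rather than a broad managed policy.
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name s3-read-one-bucket \
    --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::EXAMPLE-BUCKET","arn:aws:s3:::EXAMPLE-BUCKET/*"]}]}' >/dev/null
  # Unlike the console, the CLI creates no instance profile for you: do both steps.
  aws iam create-instance-profile --instance-profile-name "$PROFILE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$PROFILE_NAME" --role-name "$ROLE_NAME"
}

# Check: exactly one role must be attached (the limit the post states), and
# flag a role/profile name mismatch so that both names get tracked.
verify_profile() {
  roles=$(aws iam get-instance-profile --instance-profile-name "$PROFILE_NAME" \
    --query 'InstanceProfile.Roles[].RoleName' --output text)
  set -- $roles
  [ "$#" -eq 1 ] || { echo "expected exactly one role in $PROFILE_NAME, got: $roles" >&2; return 1; }
  [ "$1" = "$PROFILE_NAME" ] || echo "note: role '$1' and profile '$PROFILE_NAME' have different names"
}

# The AWS calls run only when explicitly requested; the helpers above work offline.
if [ "${RUN_AWS:-0}" = 1 ]; then
  create_role_and_profile
  verify_profile
fi
```

When launching the instance that uses this profile, pass `--metadata-options HttpTokens=required` so the role's temporary credentials, which the instance metadata service hands out, can only be fetched with an IMDSv2 session token.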

Pavol Kutaj

Today I Learnt | Infrastructure Support Engineer at snowplow.io with a passion for cloud infrastructure/terraform/python/docs. More at https://pavol.kutaj.com