Explaining Instance Profiles in AWS

The aim of this page📝 is to explain AWS Identity and Access Management (IAM) based on the particular example of instance profiles. I need to learn this as I am looking at the facilitation of access between customer’s Databricks cluster and S3 buckets we are managing.

Pavol Kutaj
3 min readNov 15, 2023
  • Instance profiles are a feature of IAM that allows you to pass an IAM role to an EC2 instance.
Getting to instance profile ARN via AWS Console > EC2
  • When you create an IAM role from the AWS console, an instance profile is automatically created with the same name.
  • If you’re using the CLI or SDK, you need to create the instance profile separately and attach it to the IAM role.
  • An instance profile can contain only one IAM role.
  • This limit of one role per instance profile cannot be increased.
  • A role can be included in multiple instance profiles.
  • The role associated with an instance profile is assumed by the EC2 instance at launch time.
  • This allows the EC2 instance to perform actions on AWS services that the role has permissions for.
  • An instance profile is primarily used to grant permissions to an EC2 instance to access other AWS services.
  • It’s not designed to allow other services to access the EC2 instance by assuming that role.
  • If you want to grant a user or service the ability to manage EC2 instances, you would typically do this by assigning the appropriate IAM policies to that user or service.
  • These policies can define what actions the user or service can perform on the EC2 instances.
  • An instance profile is associated with an EC2 instance and allows that instance to interact with AWS services.
  • It doesn’t provide a way for other services to access the EC2 instance by assuming that role.
  • An instance profile does have a specific Amazon Resource Name (ARN) syntax.
  • The ARN for an instance profile typically follows this format: arn:aws:iam::{account-id}:instance-profile/{instance-profile-name}.
  • This ARN uniquely identifies the instance profile across all of AWS.
  • The roles associated with the instance profile may not be visible from the EC2 console
  • Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of the roles they contain.
  • An EC2 instance cannot use an IAM role directly. The IAM role must be associated with the instance through an instance profile.
  • When you launch an EC2 instance, you can specify an instance profile. AWS then passes the role (and its permissions) within that instance profile to the EC2 instance.
  • The instance can then use the role’s permissions to make requests to other AWS services.
  • Instance profiles provide a secure way to distribute IAM role credentials to EC2 instances.
  • When you launch an EC2 instance and associate an IAM role/instance profile, AWS generates temporary security credentials for that role.
  • These temporary credentials are automatically rotated and refreshed, reducing the risk of compromised credentials.
  • When you create an IAM role using the AWS Management Console, the console automatically creates an instance profile and gives it the same name as the role.
  • This makes it easier to manage and associate roles with EC2 instances.
  • An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles.
  • This allows you to have flexibility in how you assign roles to instances.
  • If you manage your roles from the AWS CLI or the AWS API, you create roles and instance profiles as separate actions.
  • This allows for more granular control over your IAM roles and instance profiles.
  • Instance profiles are a key component of AWS’s security infrastructure, providing a secure and manageable way to assign IAM roles to EC2 instances.



Pavol Kutaj

Today I Learnt | Infrastructure Support Engineer at snowplow.io with a passion for cloud infrastructure/terraform/python/docs. More at https://pavol.kutaj.com