05 Aug 2023 - rich
Here is some basic information regarding AWS Instance Profiles. I am just putting it together all in one place…for me.
Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the IAM console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. If you use the Amazon EC2 console to launch an instance with an IAM role or to attach an IAM role to an instance, you choose the role based on a list of instance profile names.
If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, with potentially different names. If you then use the AWS CLI, API, or an AWS SDK to launch an instance with an IAM role or to attach an IAM role to an instance, specify the instance profile name.
An instance profile can contain only one IAM role. This limit cannot be increased. For more information, see Instance Profiles in the IAM User Guide.
Use an instance profile to pass an IAM role to an EC2 instance. For more information, see in the Amazon EC2 User Guide for Linux Instances.
If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role. When you then use the Amazon EC2 console to launch an instance with an IAM role, you can select a role to associate with the instance. In the console, the list that’s displayed is actually a list of instance profile names. The console does not create an instance profile for a role that is not associated with Amazon EC2.
You can use the AWS Management Console to delete IAM roles and instance profiles for Amazon EC2 if the role and the instance profile have the same name. To learn more about deleting instance profiles, see Deleting roles or instance profiles.
If you manage your roles from the AWS CLI or the AWS API, you create roles and instance profiles as separate actions. Because roles and instance profiles can have different names, you must know the names of your instance profiles as well as the names of roles they contain. That way you can choose the correct instance profile when you launch an EC2 instance.
You can attach tags to your IAM resources, including instance profiles, to identify, organize, and control access to them. You can tag instance profiles only when you use the AWS CLI or AWS API.
An instance profile can contain only one IAM role, although a role can be included in multiple instance profiles. This limit of one role per instance profile cannot be increased. You can remove the existing role and then add a different role to an instance profile. You must then wait for the change to appear across all of AWS because of eventual consistency. To force the change, you must disassociate the instance profile and then associate the instance profile, or you can stop your instance and then restart it.
You can use the following AWS CLI commands to work with instance profiles in an AWS account.
You can also attach a role to an already running EC2 instance by using the following commands. For more information, see
You can call the following AWS API operations to work with instance profiles in an AWS account.
You can also attach a role to an already running EC2 instance by calling the following operations. For more information, see IAM Roles for Amazon EC2.
Attach an instance profile with a role to a stopped or running EC2 instance: AssociateIamInstanceProfile
Get information about an instance profile attached to an EC2 instance: DescribeIamInstanceProfileAssociations
Detach an instance profile with a role from a stopped or running EC2 instance: DisassociateIamInstanceProfile
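Added example (not from the original post or from AWS): a small Python audit that joins the association data DescribeIamInstanceProfileAssociations returns with each profile's single role, so you can see which role an instance actually carries when, as the CLI/API case above warns, the profile and role names differ, or when a profile has had its role removed. The JSON is constructed sample data modelled on those API output shapes; the field names are assumed to match the real responses.

```python
import json

# Constructed sample data (not from a real account), shaped like the JSON that
# `aws ec2 describe-iam-instance-profile-associations` returns (assumed shape).
ASSOCIATIONS = json.loads("""
{"IamInstanceProfileAssociations": [
  {"AssociationId": "iip-assoc-0aaa", "InstanceId": "i-0aaa", "State": "associated",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web-role", "Id": "AIPA0AAA"}},
  {"AssociationId": "iip-assoc-0bbb", "InstanceId": "i-0bbb", "State": "associated",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/cli-profile", "Id": "AIPA0BBB"}},
  {"AssociationId": "iip-assoc-0ccc", "InstanceId": "i-0ccc", "State": "associated",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/empty-profile", "Id": "AIPA0CCC"}},
  {"AssociationId": "iip-assoc-0ddd", "InstanceId": "i-0ddd", "State": "disassociated",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/old-profile", "Id": "AIPA0DDD"}}
]}""")

# Constructed sample data shaped like the "InstanceProfile" object from
# `aws iam get-instance-profile` (assumed shape), keyed by instance profile name.
PROFILES = {
    "web-role":      {"InstanceProfileName": "web-role",      "Roles": [{"RoleName": "web-role"}]},
    "cli-profile":   {"InstanceProfileName": "cli-profile",   "Roles": [{"RoleName": "app-reader"}]},
    "empty-profile": {"InstanceProfileName": "empty-profile", "Roles": []},
}

def profile_name_from_arn(arn):
    """'arn:aws:iam::<acct>:instance-profile/<path>/<name>' -> '<name>' (last segment)."""
    return arn.rsplit("/", 1)[-1]

def audit(associations, profiles):
    """Map every active association to its profile and the single role inside it.

    flags: 'no-role'      the profile carries no role, so the instance gets no credentials
           'name-differs' profile and role names differ (typical of CLI/API-created pairs)
    """
    report = {}
    for assoc in associations["IamInstanceProfileAssociations"]:
        if assoc["State"] != "associated":      # skip disassociated / historical entries
            continue
        name = profile_name_from_arn(assoc["IamInstanceProfile"]["Arn"])
        roles = profiles.get(name, {}).get("Roles", [])
        role = roles[0]["RoleName"] if roles else None   # a profile holds at most one role
        flags = []
        if role is None:
            flags.append("no-role")
        elif role != name:
            flags.append("name-differs")
        report[assoc["InstanceId"]] = {"profile": name, "role": role, "flags": flags}
    return report
```

To run it against a live account, feed `audit` the parsed output of the two CLI commands named in the comments instead of the constructed samples.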