How to add an IAM role to an existing instance in AWS?

Question

I would like to add an IAM Role to an existing EC2 instance in AWS. I tried using AWS CLI . However, I could not find a way to do that.

Answer 1

As of AWS CLI v1.11.46 , which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.

You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association .

For more details, see the following article on AWS Security Blog :

Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI .

UPDATE

As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.

Answer 2

if you are getting "The association is not the active association" error when trying to attach a role to a existing EC2 instance then you should:

1. detach the existing role from the existing EC2 instance.
2. attach a new role to the existing EC2 instance.

once you do that, you will be able to attach a role to an existing EC2 instance.

Answer 3

The Roles must be assigned when an instance is first launched.

It is not possible to assign the Role after the launched.

I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.

Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI) . Use the replace-iam-instance-profile-association command.

Answer 4

Well that's the harsh truth as of now. You can't associate an IAM role to an existing instance. I came to know that when I was trying System Server Manager service which required your EC2 instance to coomunicate with ssm api.

I think we have to wait some more time.

Answer 5

This feature was added Feb 9 2017. Note: the thing you are looking for is called an "Instance Profile". The policy describes the rights. That policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it so I'll add as an answer.

Source document here

Specific instructions are below to conform with StackOverflow guidelines regarding link rot.

1) Create role

aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json

2) Attach policy to role

aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

3) Create instance profile (this is what a role is called when attached to an instance)

aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile

4) Add role to instance profile

 aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile

5) Attach instance profile to ec2 instance

aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile