Instance Profile

Permissions
An instance profile is used to attach an IAM role to an EC2 instance, which allows any application running on the instance to access the resources defined in the IAM role policies.
aws_iam_instance_profile (Instance Profile) attributes:
  • name - (Optional, Forces new resource) Name of the instance profile. If omitted, Terraform will assign a random, unique name. Conflicts with name_prefix. Can be a string of characters consisting of upper and lowercase alphanumeric characters and these special characters: _, +, =, ,, ., @, -. Spaces are not allowed.
  • name_prefix - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with name.
  • path - (Optional, default "/") Path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide. Can be a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. Can include any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercase letters.
  • role - (Optional) Name of the role to add to the profile.
  • tags - (Optional) Map of resource tags for the IAM Instance Profile. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with an Instance Profile
Resources do not "belong" to an Instance Profile. Rather, one or more Security Groups are associated to a resource.
Create Instance Profile via Terraform:
The following HCL creates an instance profile.
Syntax:

resource "aws_iam_instance_profile" "test_profile" {
 name = "test_profile"
 role = aws_iam_role.role.name
}

resource "aws_iam_role" "role" {
 name = "test_role"
 path = "/"

 assume_role_policy = <<EOF
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Action": "sts:AssumeRole",
           "Principal": {
              "Service": "ec2.amazonaws.com"
           },
           "Effect": "Allow",
           "Sid": ""
       }
   ]
}
EOF
}
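
A pre-deployment check for the attribute rules and the trust policy shown above, as an added example that is not part of the original page or of Terraform or AWS. The function name, the finding strings, and the rule that only ec2.amazonaws.com may be trusted are assumptions of this sketch, and the action check matches only the exact string sts:AssumeRole.

```python
import json
import re

# Rules taken from the attribute list above (name charset, path shape).
NAME_RE = re.compile(r"[A-Za-z0-9_+=,.@-]+")
PATH_RE = re.compile(r"/|/[\u0021-\u007F]+/")
EC2 = "ec2.amazonaws.com"

# Trust policy copied from the page's Terraform example.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole",
  "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Allow", "Sid": ""}]}"""
# Constructed sample: wildcard AWS principal and no EC2 service principal.
OPEN_POLICY = """{"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole",
  "Principal": {"AWS": "*"}, "Effect": "Allow"}]}"""


def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def lint_instance_profile(name, path, assume_role_policy):
    """Return findings for one profile; an empty list means it passes."""
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append("name: characters outside A-Z a-z 0-9 _+=,.@-")
    if not PATH_RE.fullmatch(path):
        findings.append("path: must be '/' or begin and end with '/'")
    ec2_trusted = False
    for stmt in as_list(json.loads(assume_role_policy).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare wildcard form of Principal
            principal = {"*": "*"}
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "Service" and value == EC2:
                    ec2_trusted |= "sts:AssumeRole" in as_list(stmt.get("Action", []))
                elif value == "*":
                    findings.append("trust: wildcard principal")
                else:
                    findings.append(f"trust: extra principal {kind}={value}")
    if not ec2_trusted:
        findings.append("trust: ec2.amazonaws.com cannot assume this role")
    return findings


if __name__ == "__main__":
    print(lint_instance_profile("test_profile", "/", PAGE_POLICY))
    print(lint_instance_profile("web server", "app", OPEN_POLICY))
```
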

Create Instance Profile via CLI:
Parameters:

create-instance-profile
--instance-profile-name <value>
[--path <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws iam create-instance-profile --instance-profile-name Webserver
