
In my AWS account I have an IAM role with a single policy attached: AdministratorAccess

The IAM role’s trust relationship looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account-id-1>:root",
                    "arn:aws:iam::<account-id-2>:root",
                    "arn:aws:iam::<account-id-3>:root",
                    "arn:aws:iam::<account-id-4>:root"
                ],
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

When I attempt to create a new EC2 instance, I want to attach the IAM role to it, but the IAM role does not appear in the list of roles I can choose from.

What am I doing wrong?

Tried to have my trust policy without the AWS principal, but this didn’t work either.

Couldn’t find an answer or a previous question about it.

2 Answers


  1. The Trust Policy should grant permission to the EC2 Service to assume the role, such as:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": { "Service": "ec2.amazonaws.com"},
              "Action": "sts:AssumeRole"
            }
          ]
        }
    

    If confused, you can create an IAM Role in the IAM management console to see the default Trust Policy that it creates. Make sure you select EC2 as the Service when creating the role.

  2. What you actually need is an instance profile.

    If you use the AWS Management Console to create a role for Amazon EC2, the console automatically creates an instance profile and gives it the same name as the role. When you then use the Amazon EC2 console to launch an instance with an IAM role, you can select a role to associate with the instance. In the console, the list that’s displayed is actually a list of instance profile names.

    I’m guessing you created the role via the CLI, so you need to create an instance profile to attach to EC2. (The example uses the same name for the role and the profile.)

    aws iam create-instance-profile --instance-profile-name MyRole
    

    Then add the role to the instance profile:

    aws iam add-role-to-instance-profile --role-name MyRole --instance-profile-name MyRole
    

    Then try selecting it at EC2 creation.

    AWS Docs – Instance profile for EC2
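The two conditions raised in the answers above (the trust policy must allow `ec2.amazonaws.com` to assume the role, and the role must belong to an instance profile) can be checked together before touching the console. The following is an added example, not code from either answer: it takes the trust policy document as returned by `aws iam get-role` and the `InstanceProfiles` list as returned by `aws iam list-instance-profiles-for-role`, both constructed inline here with a placeholder account id, and reports which precondition is missing.

```python
import json

# Constructed sample: the question's trust policy (cross-account root principals
# plus the EC2 service). The account id is a placeholder, not a real account.
TRUST_POLICY_FROM_QUESTION = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": ["arn:aws:iam::111111111111:root"],
            "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
    }]
}""")


def _as_list(value):
    """IAM accepts either a single string or a list in Principal and Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows_ec2(policy: dict) -> bool:
    """True if some Allow statement lets the EC2 service call sts:AssumeRole.
    A bare wildcard principal ("*") is deliberately not counted as an explicit
    grant to EC2; such a policy should be tightened rather than relied on."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "ec2.amazonaws.com" in services and actions & {"sts:assumerole", "sts:*", "*"}:
            return True
    return False


def diagnose(trust_policy: dict, instance_profiles: list) -> list:
    """Return the reasons a role would be absent from the EC2 launch wizard's list.
    `instance_profiles` mirrors the InstanceProfiles array from
    `aws iam list-instance-profiles-for-role` (empty means no profile exists)."""
    problems = []
    if not trust_policy_allows_ec2(trust_policy):
        problems.append("trust policy does not allow ec2.amazonaws.com to sts:AssumeRole")
    if not instance_profiles:
        problems.append("role has no instance profile; create one and add the role to it")
    return problems
```

With the question's policy and an empty profile list, `diagnose` reports only the missing instance profile, which matches the second answer's conclusion.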
